How to analyze your code repository in GitHub via CodeQL engine

How to analyze your code repository in GitHub via CodeQL engine

How to analyze your code repository in GitHub via CodeQL engine

đź‘‹ Hello Everyone đź‘‹ During this time, I got a chance to improve & increase code security in my main project. In that, my team uses Azure Pipeline & CodeQL (aka Sammle) to analyze code once merge to the master branch. But not in this article :)

Today, I will share an easy way to increase security, find vulnerabilities or bugs in your repository in GitHub by CodeQL engine with GitHub workflow :)

Prerequisite:

Code scanning is available for all public repositories, and for private repositories owned by organizations where GitHub Advanced Security is enabled. For more information, see “About GitHub Advanced Security.”

First of all, What’s CodeQL?

CodeQL is the analysis engine used by developers to automate security checks, and by security researchers to perform variant analysis. In CodeQL, code is treated like data. Security vulnerabilities, bugs, and other errors are modeled as queries that can be executed against databases extract from code.

What’s languages that can analyzed?

CodeQL code scanning automatically can support languages below

  • C/C++
  • C#
  • Go
  • Java
  • JavaScript/TypeScript
  • Python

Let’s setup CodeQL workflow in GitHub

  1. Open your repository in GitHub (In this example, my repository is public repo).

  2. Click on the Security menu, Then click on “Set up code scanning”. Step no.2 to setup CodeQL in Gthub

  3. Then, it will navigate to the Code Scanning setup page. Click on “Setup this workflow” in CodeQL Analysis section. Step no.3 to setup CodeQL in Gthub

  4. It will generate yml file which’s contained an analysis setup for CodeQL when you push/pull requests to Master branch. You can change the language section to proper as your project code language. (In this example, my code is typescript. Also, I filled the language section as “javascript” value)

Note: You can copy content in yml file to create a step in your Continuous Integration (CI) process file. Step no.4 to setup CodeQL in Gthub

  1. Next, click on “Start commit” button to commit directly to the branch.

  2. It’s ready to go !!! You can see CodeQL workflow in Actions menu. Step no.6 to setup CodeQL in Gthub

  3. Let’s see the result of analyze code in Jobs details. If your code has bugs, vulnerabilities, or any errors, it will show up on “Perform CodeQL Analysis” section. Therefore, you can improve your code from that result. Step no.7 to setup CodeQL in Gthub

  4. Or you can issue items from Code scanning alerts section in Security menu. Step no.8 to setup CodeQL in Gthub


I hope this article will help you find bugs, vulnerabilities to improve your code quality in your GitHub project. 🎉

Note: You can see the demo repo via this link

đź‘‹ Bye Bye đź‘‹ See ya next time & Take care yourself from Covid19 too đź’Ş

P.S. Lastly, if anyone is interested in reading more about the technology of Mycos Company, you can follow and read further content on their Medium page at https://medium.com/mycostech

References:

Related Posts

Scan code with Credential Scanner on Azure DevOps

Scan code with Credential Scanner on Azure DevOps

🥳 Happy New Year 2023! 🥳Wishing everyone a great year ahead!Now, let's get down to business. Today, I'm going to introduce you to a handy tool that checks for leaked passwords, secrets, certifi

read more