“CodeQL: A DevSecOps Tool for Security as Code”
So what is “CodeQL”?
CodeQL is the code analysis engine developed by GitHub to automate security checks. You can analyze your code using CodeQL and display the results as code scanning alerts.
• Identify vulnerabilities in your code with CodeQL, the industry’s leading semantic code analysis engine.
• Identify and remediate security issues in your dependencies using Dependabot for security alerts and automated security updates.
• Get automatically notified and block pushes where credentials are mistakenly committed into source control with secret scanning.
CodeQL is also a “Semantic Code Analysis Tool”: it concentrates on understanding the meaning and behavior of code in order to detect complex issues such as logic errors, data flow vulnerabilities, and architectural problems. Tools of this kind go beyond syntax to check that the code functions correctly and securely within its intended context.
===============================================================
1. This blog is about ‘GitHub CodeQL.’ If you want more documentation and a better understanding, you can visit the ‘CodeQL’ official website. In this blog, we will explore how to configure ‘CodeQL’ with our repository.
2. When configuring ‘CodeQL,’ you may need to adjust the workflow to meet your specific requirements. However, in most cases, there is no need for customization.
3. CodeQL is a very intelligent tool: during the configuration process it automatically detects your programming language, so there’s no need to specify it manually.
4. Let’s set up CodeQL now. Go to your GitHub account, where you may have several repositories. If you don’t, please fork the repository below.
https://github.com/shrihariharidass/argonaut.git
5. After cloning the repository, navigate to the ‘Actions’ tab. If you’re trying it for the first time, you can directly search for ‘CodeQL.’ If not, then click on ‘New Workflow.’
6. After searching for ‘CodeQL,’ you will see it in the results. Then, click on ‘Configure Options.’
7. After clicking on ‘Configure,’ it will automatically create a ‘codeql.yml’ file for you. You can review it, and as I mentioned earlier, it’s an intelligent tool, so by default you don’t need to set it up. If you want to add more languages, you can use the ‘GitHub Marketplace’ and configure them.
8. Then, commit your file by clicking the ‘Commit’ button, and you will see your file.
9. Next, click on ‘Code,’ and you will find that a ‘.github/workflows’ folder has been automatically created. Inside that folder, your ‘codeql.yml’ file is present.
10. After that, click on the ‘Actions’ tab. You will see a job named ‘codeql’ being triggered and run, scanning the branch or folder. You can check the status of this job; if you want to see what happened during it, click on it and expand the steps.
11. To view the results of your code scanning, click on the ‘Security’ tab.
12. Then, select the ‘Code Scanning’ option, where you will find your results. In this case, our code appears to be in good shape. However, you can clone or fork the repository below to see how it actually looks.
https://github.com/shrihariharidass/django-notes-app.git
13. You can fork the repository mentioned above and follow the same actions from steps 5 to 12. After that, go to the ‘Security’ tab, and you will be able to see any vulnerabilities in your code.
14. GitHub also provides suggestions on how to resolve those issues or offers solutions.
15. If your repository uses multiple languages, CodeQL will scan all the languages used in your code.
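As an added example (this is a hand-written workflow, not the ‘codeql.yml’ that GitHub generates for you in step 7, and not a file from the argonaut or django-notes-app repositories), here is what such a workflow looks like when you need to adjust it. It assumes a repository containing Python and JavaScript/TypeScript code and a default branch named main; the language list and branch name are assumptions you would change for your own project.

```yaml
# Added example of a CodeQL workflow (not the auto-generated file).
# Assumed: the repository holds Python and JavaScript/TypeScript code
# and its default branch is named "main".
name: "CodeQL"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    # Weekly scan (Monday 06:00 UTC) so newly published queries also
    # get run against code that has not changed.
    - cron: '0 6 * * 1'

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    # Least privilege: the job only needs to read the code and to
    # upload results to the Security tab (security-events: write).
    permissions:
      contents: read
      security-events: write

    strategy:
      # Keep scanning the other language if one of them fails.
      fail-fast: false
      matrix:
        # One job per language; CodeQL builds a separate database for each.
        language: [ 'python', 'javascript-typescript' ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Optional: use the broader security query suite instead of
          # the default one; remove this line to keep the defaults.
          queries: security-extended

      # Does nothing for interpreted languages; for compiled languages it
      # tries to build the project so CodeQL can observe the build.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          # Separate categories keep the per-language results apart
          # when they are uploaded.
          category: "/language:${{ matrix.language }}"
```

Save it as ‘.github/workflows/codeql.yml’ and commit it, exactly as in steps 8 and 9. The `security-events: write` permission is what allows the analysis step to upload alerts to the ‘Security’ tab; without it the job runs but nothing appears under ‘Code Scanning.’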
Lastly, it’s important to note that there is no cost for this hands-on experience. If you are using someone else’s repository, it should be public, allowing you to fork it. However, if you prefer, you can also perform these steps in your private repository. Keep in mind that CodeQL can scan public repositories by default. If you wish to scan private repositories, you will need to obtain the GitHub Enterprise Edition.
I hope this helps clarify the information about CodeQL and its usage. If you have any further questions or need more assistance, feel free to ask.
===============================================================
Bonus:
Security as Code is an approach where security practices and measures are integrated into the software development process. It involves using code, automation, and tools to ensure security checks and controls are applied consistently throughout the development lifecycle. This helps identify and address security vulnerabilities early, making the software more resilient to threats and reducing security risks.
==============================================================
References:
CodeQL: CodeQL (github.com)