Last year, GitHub released code scanning, which enables developers to incorporate security checks into their CI/CD environment and developer workflow. This post demonstrates the basics of using CodeQL, the analysis engine behind code scanning, with GitHub Actions.

What is CodeQL?

CodeQL is an analysis engine that automates security checks by running queries against a database generated from your codebase. This CodeQL database is created during the build process and represents the source code in relational form. By default, code scanning runs standard CodeQL queries written by GitHub researchers and the community, but you can also author your own custom queries.

The default set includes queries such as “Pointer overflow check”, “Potentially overflowing call to snprintf”, “Uncontrolled format string”, and more.

Setting up CodeQL with GitHub Actions

Code scanning with CodeQL is free for public repositories, and is part of GitHub Advanced Security for GitHub Enterprise. Here are instructions for the quick, 4-click setup process. Alternatively, I’ve included a gif of the steps below:

And just like that, you’re off to the races! The default CodeQL analysis workflow is configured to analyze your code each time you push a chance or raise a pull request against the default branch. This means code scanning automatically happened after I committed the new file directly to the main branch.

Baselining

Sometimes, especially for large legacy codebases, the number of alerts can be overwhelming. For that reason, CodeQL only shows new/fixed alerts in pull requests. If you want to manage existing alerts, you can do so in the “Code scanning alerts” section under the “Security” tab.

#c++ #github actions #cplusplus