Security Scanning on GitHub code repo using CodeQL

What is CodeQL?

CodeQL is a code analysis engine and query language for running security checks that find vulnerabilities across a repository. CodeQL treats code like data: when it runs, it extracts a relational representation of each file in the codebase into a CodeQL database, then runs queries against that database to find security vulnerabilities, bugs and other errors. Finally, it converts the query results into alerts that highlight the potential issues that need fixing.

At present, CodeQL supports the C++, C#, Python, Java, JavaScript, Go and Ruby languages.

In this quick start demo we are going to use a simple Python application built with the Flask framework.

To demonstrate how CodeQL finds vulnerabilities and errors, we are intentionally hard-coding a dummy password in our code and printing it.

from flask import Flask
app = Flask(__name__)

# Intentionally hard-coded dummy credential, left in so CodeQL has something to report.
password = "xyz"

@app.route("/")
def hello():
    print(password)  # writes the credential to stdout in clear text
    return "Hello, This is CodeQL demo!"

if __name__ == "__main__":
    app.run()

You can clone the demo repo locally to take a closer look.

We are going to use the following workflow definition (.github/workflows/codeql.yml) to run the CodeQL security check as a GitHub Actions workflow.

name: "CodeQL"

# Run on every push and pull request to master, plus a weekly scheduled scan
# so newly published queries are applied even when the code has not changed.
on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]
  schedule:
    - cron: '36 18 * * 6'

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    # Least-privilege token: read-only access to the repo and workflow metadata,
    # plus security-events: write so the results can be uploaded to code scanning.
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'python' ]

    steps:
    - name: Checkout repository
      uses: actions/checkout@v3

    # Creates the CodeQL database for each language in the matrix.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: ${{ matrix.language }}

    - name: Autobuild
      uses: github/codeql-action/autobuild@v2

    # Runs the queries against the database and uploads the alerts to the Security tab.
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2

When we commit the code, GitHub Actions triggers the workflow that runs the CodeQL security scan. See the screenshots below.

(Screenshot: CodeQL Security Vulnerability Scanning)

Once the CodeQL analysis is finished, the results are published to the GitHub repo's Security section. See the screenshots below.

Under the Security tab you can see that there is an alert.

(Screenshot: CodeQL Security Vulnerability Scanning)

Click on "Code scanning alerts" to see the latest scan results and the open issues.

(Screenshot: issues reported by CodeQL)

If you click on an open issue you can see more details about the scanning alert.

(Screenshot: code issues)

Once we fix the password print issue and merge the code, the alert is closed automatically in the "Code scanning alerts" section.
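One way to make that fix, shown here as an added example rather than the demo repo's own code: read the credential from the environment instead of hard-coding it, and never print or log its value. The DEMO_PASSWORD variable name and the redaction format are assumptions of this example.

```python
import os
from typing import Mapping

# Hardened version of the demo app (added example, not the original repo's code).
# The secret comes from the environment, the process refuses to start without it,
# and only a redacted marker is ever logged, never the value itself.

def load_password(env: Mapping[str, str] = os.environ,
                  name: str = "DEMO_PASSWORD") -> str:
    """Return the credential from the environment; fail fast if it is missing."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start without a credential")
    return value

def redact(secret: str) -> str:
    """Log-safe description of a secret: reports only its length, not its content."""
    return f"<redacted:{len(secret)} chars>"

def create_app(env: Mapping[str, str] = os.environ):
    # Flask is imported lazily so the helpers above can be tested without it.
    from flask import Flask
    app = Flask(__name__)
    password = load_password(env)

    @app.route("/")
    def hello():
        # Confirms that a credential was loaded without exposing it in stdout or logs.
        app.logger.info("credential loaded: %s", redact(password))
        return "Hello, This is CodeQL demo!"

    return app

if __name__ == "__main__":
    # Run with e.g.  DEMO_PASSWORD=... python app.py
    create_app().run()
```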

Conclusion

In this quick demo, we covered what CodeQL is and how to use it to scan a Git repository's code base. For further information, read the official documentation.

Find out about similar security scanning tools:

Security Scanning in GitHub CI/CD workflow using Trivy

Vulnerability Scanning in GitHub CI/CD Workflow using Grype
