A blog icon.

Now We’re Cooking with GHAS! Getting Started with CodeQL and Code Scanning in GitHub Advanced Security

This blog post is an introduction to CodeQL and how you can get started with code scanning in GitHub Advanced Security (GHAS).
A complete workflow run in GitHub Actions with Github and CodeQL logos overlaid on top.

If you ranked everything that a developer had to worry about, how high would you rank security? How high do you think they rank security? I’d guess probably lower than it should be. Why does it matter? Cybersecurity is a growing concern and companies are trying to take a stand while continuing to innovate at the quickest pace they can. Enter GitHub Advanced Security. A GitHub Advanced Security (GHAS) license enables code scanning, secret scanning, and dependency review within GitHub Enterprise organizations. You’re not counted out if you don’t have an Enterprise organization since public repositories can make use of these tools. All of these tools work inside of the code repository to help development, operations, and security teams build secure applications starting at the beginning of the Software Delivery Life Cycle. This blog post will introduce GitHub’s CodeQL, show how it can get you moving with code scanning in GitHub Actions, and provide some key points to help you find topics you’re interested in learning about.

What is CodeQL?

CodeQL is a security-focused semantic code analysis engine designed to help discover vulnerabilities in a codebase. It treats your code as data by building a database that can be queried for vulnerabilities. The scan is considered positive when a query returns a result. There are standard queries created by GitHub, the community, and security researchers that make getting started easy. If there are specific queries your company needs then you can create your own queries to be run against the database.

Code scanning alerts show up in the Security tab of GitHub repository.
Code scanning alerts show up in the Security tab of GitHub repository.

CodeQL can be used in conjunction with GHAS’ Code Scanning capabilities to work within the repository. For example, you can automatically run on a pull request (PR) using GitHub Actions to make sure that changes to the codebase do not introduce new vulnerabilities. This is excellent! Not only that, new vulnerabilities are discovered regularly and having a scheduled workflow can help find vulnerabilities that weren’t previously being searched for. Both scenarios provide actionable feedback and help the team keep their application code secure.

CodeQL Action running as a check on PR
CodeQL Action running as a check on PR

Where should I start with CodeQL?

This is a real cool tool but how do you get started? LGTM is a code security analysis platform created by Semmle, a company who joined GitHub in 2019. You can try out CodeQL queries on the LGTM site to see how they function. This is a great place to start if you aren’t sure what CodeQL does. The screenshot below shows the first sample query but there are many — including some more advanced examples — to look through.

LGTM.com query console to try out queries
LGTM.com query console to try out queries

Get Code Scanning with CodeQL Setup in Actions

So you’ve tried it out a bit and want to try it on your own code but what’s the easiest way to do that? GitHub Actions workflows will get you going quickly. You can start adding it to repositories once you have a basic understanding of how CodeQL itself works. I added it to some personal projects just to try it out first. Go to the Security Tab on the repository you would like to run the code scan then click Set Up Code Scanning. The screen after shows a large Configure CodeQL alerts button that will take you to an on-site workflow editor.

Security Tab has option to set up code scanning alerts
Security Tab has option to set up code scanning alerts
Configure CodeQL alerts option
Configure CodeQL alerts option
Set up the CodeQL Workflow
Set up the CodeQL Workflow

The base workflow that is generated works as a good starting point for our codescanning experience. A few things to note about the workflow:

  • It is going to set up triggers for pushes to main, pull requests to main, and a scheduled cron which will be randomly generated to help minimize the traffic/slowdown on actions.
  • It is going to add languages to the configuration based on what is in the repo.
  • The workflow includes init, autobuild, and analyze which can be found in the CodeQL Action.
  • This is not the only way to create this workflow but it is an awesome way to start learning.
A Complete Workflow run in GitHub Actions.
A Complete Workflow run in GitHub Actions.

I always like those little repository/README touches that make repos stand out — so naturally I opened a PR to add a workflow status badge to README. If you would like to see an example feel free to check out our liatrio-enterprise/github-policy-service.

Workflow Status Badge for CodeQL workflow
Workflow Status Badge for CodeQL workflow

Going Further with CodeQL

Want to keep going? You can look into the CodeQL CLI. This tool powers the CodeQL Action and can also be used locally or on other continuous integration servers like Jenkins. This allows you to build CodeQL databases and run queries against said databases which is awesome for local development! The GitHub and community packs are a great place to start but there may be situations where you need to create your own queries to catch issues within your codebase. The video below shows the creation of a CodeQL database and a subsequent analysis running locally on my machine.

Visual Studio Code also has a CodeQL Extension that can help you to write and test custom queries.

CodeQL Extension in the VSCode Sidebar
CodeQL Extension in the VSCode Sidebar

This is just the Beginning

I hope the benefits of Code Scanning and CodeQL are starting to set in a bit and that you have an idea of where to start. Liatrio believes enterprises will continue to adopt and scale GitHub Advanced Security and we plan on writing more to share our thoughts with you. This toolset will provide developers with another method of tracking down vulnerabilities to secure code while continuing to move at the speeds your organization needs.

Share This Article

Have a question or comment?

Contact uS
The Liatrio logo mark.
The Liatrio logo mark.

About Liatrio

Liatrio is a collaborative, end-to-end Enterprise Delivery Acceleration consulting firm that helps enterprises transform the way they work. We work as boots-on-the-ground change agents, helping our clients improve their development practices, react more quickly to market shifts, and get better at delivering value from conception to deployment.