Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CodeQL workflow for JavaScript, Java, C#, Go, Ruby, Python #45

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

cko-developer-portal[bot]
Copy link

Why has this PR been raised?

The Engineering Experience and Security teams have been working together to help secure our repositories. This includes enabling Github features such as Advanced Security and Secret Scanning.

This PR is to add a Github Actions workflow for running CodeQL.

What is CodeQL?

CodeQL is the analysis engine used by developers to automate security checks, and by security, researchers to perform variant analysis.

In CodeQL, code is treated like data. Security vulnerabilities, bugs, and other errors are modeled as queries that can be executed against databases extracted from code. You can run the standard CodeQL queries, written by GitHub researchers and community contributors, or write your own to use in custom analyses. Queries that find potential bugs highlight the result directly in the source file.

See more details here.

What does my team need to do?

To run this workflow you might need to make a few changes to this file.

Some changes are:

  • Allow GitHub actions created by GitHub in all repositories following this guide
  • Add any other branches you wish to scan
  • Exclude any test files or projects you do not wish to scan

Running on public runners

CodeQL workflow is pre-configured to run on self-hosted runners associated with your organization by default.
If organization does not have any self hosted runners, submit a request via Fresh Service(GitHub Organisation Self Hosted Runners Onboarding).

However, as an exception or in case of unforeseen failure you can update your workflow to run on public runners.

  • Change the runs on: [...] to runs on: [ubuntu-latest]
  • Prepare/build your application the way you would do normally so that CodeQL can analyze it
  • Make sure your self-hosted runners satisfy CodeQL resource requirements

What should we do if we have any problems with this?

If you encounter any issues, please message the #ask-security channel, a Security Champion in your team or Engineering area, or Application Security (Andra Lezza)

Why has this PR been raised again, we closed the last one.

If your repo is not part of an exemption list and has been tagged as needing to be scanned, you will need to first merge the codeql-analysis*.yml file and kick off a code scan before closing the PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

0 participants