Canarys | IT Services


GitHub Code Scanning Using Third-Party Actions 


GitHub’s code scanning helps identify vulnerabilities and errors in your codebase, and while CodeQL is a powerful built-in option, you can also integrate third-party tools for a tailored approach. Configuring code scanning with third-party actions allows you to leverage tools like SonarQube, Checkmarx, or Trivy within GitHub Actions workflows. By uploading results in SARIF format, these tools seamlessly display alerts alongside native GitHub scans, streamlining your security process. This flexibility is perfect for teams already using external analysis tools, ensuring all findings are centralized in GitHub’s Security tab for easy management. 

Note: This blog is the 4th part of our series on Code Scanning in GitHub using CodeQL. To navigate directly to a specific section, please refer to the links below: 

  1. Secure Your Code with GitHub Code Scanning and CodeQL
  2. Enhance Code Security with GitHub Code Scanning and Advanced CodeQL Setup
  3. Elevate Code Security with GitHub Code Scanning and Tailored CodeQL Custom Queries

Configuring Code Scanning with Third-Party Actions 

Here’s how to set it up: 

1. Go to Your Repository: Open the main page of the repo on GitHub; in our case it's Instance-security.

2. Select Actions: Click the Actions tab below the repository name.

3. Start a New Workflow: If workflows are already set up, click New workflow to see templates. If none exist, proceed directly to the next step.

4. Pick a Security Workflow: In the “Choose a workflow” or “Get started with GitHub Actions” section, scroll to the Security category, then click Configure on your chosen workflow. Use View all if needed to locate it.

5. Customize the Workflow: Follow the workflow’s instructions to tailor it to your needs. For extra help, click Documentation on the right side of the workflow page.

6. Save the Workflow: Once customized, commit the workflow file to your default branch.

When It Runs: This depends on the triggers defined in the tool's workflow, typically on pushes or pull requests. Check the tool's docs for details.
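As an added example (not the blog's own workflow file), here is what a committed third-party scanning workflow for the Instance-security repo can look like: it runs Trivy against the checked-out tree, writes SARIF, and uploads it so the findings appear in the Security tab next to CodeQL alerts. The action version tags are assumptions; pin them to whatever releases you have reviewed.

```yaml
# Added example, not the blog's own workflow. Assumed: the Trivy action and
# upload-sarif action version tags below; adjust them to the releases you use.
name: Third-party code scanning (Trivy)

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 3 * * 1'   # weekly run so newly published CVEs in unchanged code still surface

permissions:
  contents: read          # checkout only
  security-events: write  # required to upload SARIF into the Security tab

jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Check out Instance-security
        uses: actions/checkout@v4

      - name: Run Trivy filesystem scan
        uses: aquasecurity/trivy-action@0.28.0   # version tag is an assumption
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '0'        # do not fail the job here; findings are triaged as alerts

      - name: Upload SARIF to GitHub code scanning
        if: always()            # upload whatever was produced even if the scan step errored
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
          category: 'trivy-fs'  # keeps Trivy alerts distinct from CodeQL alerts on the same commit
```

The `category` value matters once more than one tool uploads SARIF for the same commit: each category is tracked separately, so one tool's upload does not close the other's open alerts.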

Conclusion on Code Scanning with GitHub 

Code scanning on GitHub is a powerful way to keep your codebase secure and reliable. With tools like CodeQL, you can catch vulnerabilities early, whether through a quick default setup, a tailored advanced setup, or third-party integrations. For our Instance-security Java project, it proved its worth by flagging issues like unsafe logging with precision. It's a must-have for any developer serious about code quality and security, seamlessly blending into your GitHub workflow.

Canarys Automations, named GitHub’s Channel Platform Partner of the Year 2024, is here to help you master GitHub practices. To gain deeper insights or receive expert guidance, contact us. 
