About Advanced Setup for Code Scanning
Advanced setup for code scanning is ideal when you need a tailored approach to securing your codebase. By crafting and modifying a workflow file, you can customize the scanning process extensively. This includes specifying how to compile languages, selecting specific CodeQL queries to execute, choosing which languages to analyze, leveraging matrix builds for efficiency, and more. Additionally, you gain full control over workflow settings, such as adjusting the scan frequency, setting custom triggers, or assigning specialized runners for optimized performance.
Note: This blog is the 2nd part of our series on Code Scanning in GitHub using CodeQL. To navigate directly to a specific section, please refer to the links below:
Part 2: Enabling Code Scanning: Advanced Setup
The advanced setup gives you more control over custom workflows, specific queries, or third-party tools. Here’s how to set it up:
1. Go to Settings Tab: In your repo, click the Settings tab. If it’s not visible, use the dropdown menu.

2. Navigate to Security: In the left sidebar, under “Security,” click Code Security.

3. Start Setup: In the “Code Security” section, locate the Code scanning section; under CodeQL analysis, click Set up, then choose Advanced.

4. Edit the Workflow: A codeql.yml file opens. Customize it by adjusting triggers (e.g., on: push), languages, or queries, or leave it as is for the defaults.

5. Commit the File: Click Commit changes, add a message, and choose to commit directly to the default branch or create a pull request.

6. Run It: Once committed, the workflow starts scanning based on your config.
When It Runs: By default, it scans on pushes to the default/protected branches and pull requests. You can tweak this in the workflow file.
Key Points to Understand When Configuring CodeQL Advanced Setup
1. Familiarity with GitHub Actions: You’ll need a basic grasp of GitHub Actions to customize the workflow effectively.
2. Required Workflow Permissions: Ensure these permissions are set in your workflow file:
a. security-events: write – To log scan results.
b. packages: read – To access dependencies.
c. actions: read – To run the workflow.
d. contents: read – To scan your code.
3. Core CodeQL Actions: Use these specific versions in your codeql.yml:
a. github/codeql-action/init@v3 – Initializes the CodeQL setup.
b. github/codeql-action/analyze@v3 – Runs the analysis.
4. Build Mode Options: Choose the right build mode (e.g., autobuild for automatic detection or manual for custom build steps).
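The following codeql.yml is an added example that ties the points above together (the edited workflow from step 4, the four permissions, the two core actions, and the build mode choice); it is not the file GitHub generates for you or a Canarys workflow. It assumes a repository whose default branch is main, a weekly schedule that we chose for illustration, and a Java project built with a Maven wrapper (./mvnw), which is the assumed manual build command.

```yaml
name: "CodeQL Advanced"

on:
  push:
    branches: [ "main" ]          # assumed default branch
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: '30 2 * * 1'          # constructed example: every Monday 02:30 UTC

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    # The four permissions called out above; everything else stays at the default (none).
    permissions:
      security-events: write      # upload scan results to the Security tab
      packages: read              # fetch CodeQL packs / dependencies
      actions: read               # read workflow metadata
      contents: read              # check out the source code
    strategy:
      fail-fast: false            # let each language finish even if another fails
      matrix:
        include:
          - language: javascript-typescript
            build-mode: none      # interpreted code needs no build
          - language: java-kotlin
            build-mode: manual    # we supply our own build step below
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          queries: security-extended   # broader query suite than the default

      # Runs only for the matrix entry that selected build-mode: manual.
      - name: Manual build
        if: matrix.build-mode == 'manual'
        run: ./mvnw -B -DskipTests package   # assumed build command for this project

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

The matrix is what lets one file cover languages with different build needs: the JavaScript entry uses build-mode none, while the Java entry uses manual so that the analysis sees exactly the artifacts your real build produces rather than whatever autobuild guesses. If the manual build fails, the analyze step has nothing to scan, so keep the build command identical to the one your CI already trusts.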
Recommendations
For those new to code scanning or managing multiple repositories, starting with the default setup is advisable. The default configuration simplifies the process by quickly generating a CodeQL database and analyzing your code, allowing you to address alerts promptly. Once initial issues are resolved, transitioning to an advanced setup is recommended for high-risk repositories. This allows for a manual build process, offering greater control and precision in vulnerability detection.
Scaling Advanced Setup with CodeQL
When implementing advanced setup across large or numerous repositories, automation and optimization become critical. For instance, you can use a centralized workflow to manage CodeQL scans for multiple repositories, reducing manual overhead. This approach allows you to define a reusable workflow that triggers scans based on specific events, such as code pushes or pull requests, ensuring consistent security checks across projects.
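As an added example of the centralized approach described above (not Canarys' or GitHub's own file), the first document below is a reusable workflow kept in an assumed central repository named example-org/security-workflows, and the second is the small caller that each scanned repository commits as its codeql.yml. The inputs, repository name and branch are assumptions made for illustration.

```yaml
# --- File 1 (assumed location): example-org/security-workflows/.github/workflows/codeql-reusable.yml
name: "CodeQL (reusable)"

on:
  workflow_call:
    inputs:
      languages:
        description: "Comma-separated CodeQL language identifiers"
        required: true
        type: string
      build-mode:
        description: "none, autobuild or manual"
        required: false
        type: string
        default: none

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      packages: read
      actions: read
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ inputs.languages }}
          build-mode: ${{ inputs.build-mode }}
          queries: security-extended   # one query choice enforced for every caller
      - uses: github/codeql-action/analyze@v3

---
# --- File 2 (per repository): .github/workflows/codeql.yml
name: "CodeQL"

on:
  push:
    branches: [ "main" ]          # assumed default branch
  pull_request:
    branches: [ "main" ]

jobs:
  codeql:
    # Pin to a branch or tag of the central repo; bump it in one place to roll out changes.
    uses: example-org/security-workflows/.github/workflows/codeql-reusable.yml@main
    with:
      languages: python           # constructed example: this repo is Python-only
    # A called workflow can never hold more permissions than the caller grants it,
    # so the caller must pass the same four permissions through.
    permissions:
      security-events: write
      packages: read
      actions: read
      contents: read
```

Because the trigger, query suite and action versions live in the central file, a change there (for example a new codeql-action major version) reaches every repository that references it, while each caller keeps only the repository-specific choices such as its languages. Note that the caller's permissions block is required: if it is omitted, the reusable workflow cannot upload results even though it declares security-events: write itself.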
Viewing Code Scanning Results
As discussed in our previous blog on the default setup for code scanning (which we highly recommend reading first for a solid foundation if you haven’t already), once you’ve activated code scanning in your GitHub repository, such as our example Instance-Security repo, you’ll want to review the results to identify any vulnerabilities or issues uncovered.
Here’s a simple guide to accessing and understanding your results:
1. Navigate to Your Repository: Open your GitHub repo in a browser. For this blog, we’re using the Instance-Security repo.
2. Visit the Security Tab: Click the Security tab at the top of the repository. If it’s not visible, check the dropdown menu to locate it.

3. Access Code Scanning Alerts: In the left sidebar, under “Vulnerability alerts,” select Code scanning to view all alerts generated by your scans.

4. Browse the Alert List: You’ll see a summary of alerts, each detailing the issue type (e.g., “Cross-Site Scripting”), severity (low, medium, high), and more.

5. Explore Alert Details: Click on any alert for a deeper look, including a description, the affected code snippet, and possible fixes (when provided).
6. Filter or Sort (Optional): If you have many alerts, use the search bar or filters (e.g., by severity or branch) to focus on specific results.

7. Act on Findings: Address the issue by fixing the code directly from the alert or dismiss it with a reason, such as False Positive (invalid alert), Used in Tests (not in production), or Won’t Fix (not applicable).

Conclusion on Code Scanning with Advanced CodeQL Setup
In this blog, we’ve explored Advanced CodeQL setup and its power for deeper customization and control in code scanning. Next, we’ll dive into enhancing your setup with custom query packs. Curious to learn more? Click here!
Canarys Automations, honored as GitHub’s Channel Platform Partner of the Year 2024, is ready to guide you in mastering GitHub best practices. To gain more insights or receive expert support, get in touch with us.