What is Code Scanning?
Code scanning is a GitHub feature designed to help developers identify security vulnerabilities and coding errors in their projects before they become bigger problems. It analyzes your code automatically, flags potential issues like SQL injection or cross-site scripting (XSS), and displays them as alerts right in your repository. Picture it as a safety net for your code: it catches risks early so you can handle them fast. It’s available for public repositories for free and for private ones through GitHub Advanced Security.
You can trigger scans on every push, pull request, or set a custom schedule. Whether you use GitHub’s CodeQL or plug in a third-party tool, it’s seamless, fast, and keeps your project secure without breaking your workflow.
A Bit About CodeQL Code Scanning
CodeQL is the powerhouse behind GitHub’s native code scanning. It’s a code analysis engine built by GitHub to dig deep into your codebase and spot vulnerabilities with precision. Unlike traditional tools, CodeQL treats your code like data, letting you query it to find specific issues almost like searching a database for bugs.
Here’s the gist:
1. How it Works: CodeQL creates a database of your code, then runs queries (written by GitHub experts, security researchers, or the community) to detect problems. Results show up as alerts in GitHub.
2. Supported Languages: It handles popular languages like JavaScript, Python, Java, C#, and more, both compiled and interpreted.
3. Why It’s Cool: The queries are open-source (check out the github/codeql repo), so you can tweak them or add your own. Plus, it’s constantly updated to catch the latest threats.
4. Setup Options: You can go with a quick default setup, a customizable advanced setup via GitHub Actions, or even run it externally and upload results.
With CodeQL, you’re not just scanning; you’re proactively securing your project with a tool trusted by developers worldwide. It’s developer-friendly, GitHub-native, and a game-changer for keeping vulnerabilities at bay.
Note: This blog is the 1st part of our series on Code Scanning in GitHub using CodeQL. To navigate directly to a specific section, please refer to the links below:
1. Enhance Code Security with GitHub Code Scanning and Advanced CodeQL Setup
2. Elevate Code Security with GitHub Code Scanning and Tailored CodeQL Custom Queries
3. Boost Code Security with GitHub Code Scanning Using Third-Party Actions
Part 1: Enabling Code Scanning: Default Setup
The default setup is the fastest way to get CodeQL to scan your code with minimal effort. Here’s how to enable it:
1. Go to Your Repository: Open your GitHub repo in a browser. Here we’re using the Instance-Security repo in our example.
2. Access Settings: Click the Settings tab under your repo name. If you don’t see it, use the dropdown menu to find it.

3. Navigate to Security: In the left sidebar, under “Security,” click Code Security.

4. Start Setup: In the “Code Security” section, find Code Scanning, then under CodeQL analysis click Set up and choose Default.

5. Review Configuration: A “CodeQL default configuration” dialog pops up, showing what’ll be scanned (languages, triggers). Since our example is a Java/Maven project, it’ll detect that automatically. Optionally, tweak the query suite or languages.

6. Enable It: Click Enable CodeQL. This kicks off a test scan to confirm everything works.
When It Runs: Scans happen on pushes to the default or protected branches, pull requests (not from forks), and weekly by default. If a language fails, it’s dropped from the config, but scanning continues for what works.
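For comparison with the configuration dialog in step 5, here is the GitHub Actions workflow that expresses the same triggers (pushes to the default branch, pull requests, and a weekly schedule) for a Java/Maven project. This is an added example, not part of the original post, and it assumes the default branch is named `main`.

```yaml
# Added example (not from the original post): the workflow-file equivalent of
# the default setup's behaviour for a Java/Maven project. Assumes the default
# branch is named "main"; adjust the branch name and language to your repo.
name: "CodeQL"

on:
  push:
    branches: [ "main" ]          # pushes to the default/protected branch
  pull_request:
    branches: [ "main" ]          # pull requests targeting the default branch
  schedule:
    - cron: "0 3 * * 1"           # weekly, Mondays 03:00 UTC

permissions:
  contents: read                  # check out the code
  security-events: write          # upload results as code scanning alerts
  actions: read                   # required for private repositories

jobs:
  analyze:
    name: Analyze (java-kotlin)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java-kotlin       # CodeQL's identifier for Java projects
          queries: security-extended   # optional: broader suite than the default

      - name: Autobuild (Maven)
        # Compiles the project so CodeQL can build its database
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:java-kotlin"
```

Commit the file as `.github/workflows/codeql.yml`; the resulting alerts appear in the same Security tab as those from the default setup.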
Viewing Code Scanning Results
Once you’ve enabled code scanning in your GitHub repository, like our example in the Instance-Security repo, you’ll want to check the results to see what vulnerabilities or issues were found. Here’s how to view them clearly and easily:
1. Go to Your Repo: Open your GitHub repository in a browser. For this guide, it’s Instance-Security.
2. Head to the Security Tab: Click the Security tab at the top of the repo. If it’s not visible, use the dropdown menu to find it.

3. Find Code Scanning Alerts: In the left sidebar, under “Vulnerability alerts,” click Code scanning. This shows all alerts from your scans.

4. Review the List: You’ll see a list of alerts. Each one includes the issue type (e.g., “SQL Injection”), severity (low, medium, high), and more.

5. Dive into Details: Click an alert to see the full description, the affected code snippet, and suggested fixes (if available).

6. Filter or Sort (Optional): Use the search bar or filters (e.g., by branch or severity) to narrow down results if you’ve got lots of alerts.

7. Take Action: Fix the code directly from the alert or dismiss it with a reason: False Positive (alert invalid), Used in Tests (not in production), or Won’t Fix (not relevant).

Conclusion on Code Scanning with Default CodeQL Setup
Code scanning on GitHub is a powerful way to keep your codebase secure and reliable. With tools like CodeQL, you can catch vulnerabilities early, even through a quick default setup. Want to take it further with a more tailored and powerful setup? Check out our advanced CodeQL setup guide for a deep dive into custom queries, enhanced security analysis, and more!
Canarys Automations, named GitHub’s Channel Platform Partner of the Year 2024, is here to help you master GitHub practices. For more information or expert guidance, reach out to us.