• Preface

Thanks to GitHub's engineering strength and thriving community, GitHub offers strong security guarantees for hosted code together with an effective scanning tool. Today we take a look at CodeQL, a widely used scanning tool in the industry, and how to use it. With code scanning tools like this we can find security vulnerabilities and code errors before a product goes live.

  • Code review example

  • Error Check Details

  • Example of high-risk Vulnerabilities

  • CodeQL introduction
    • About
      • A code query language
      • An industry-leading semantic code analysis engine
      • Developers can write rules that check a code base for security holes, code bugs, errors, and so on
      • Queries provided by the community can also be used
      • Supports variant analysis
      • Security vulnerabilities, bugs, and errors are modeled as executable queries
    • Step overview
      • By creating a CodeQL database based on code
      • Run CodeQL queries against the database
      • Interpret the query results
    • Key steps
      • Database creation
        • Start by extracting a single relation that identifies each source file in the code base
        • For compiled languages, extraction works by monitoring the normal build process: as the compiler processes each source file, a copy of it and the related information is collected
        • For interpreted languages, extraction works directly from the source code
        • Each language CodeQL supports has its own extractor, so that extraction is as accurate as possible. For a multi-language code base, a database is generated for only one language at a time
        • After extraction, all the data used for analysis (relational data, copies of the source files, and the language-specific database schema that specifies the relations between the data) is imported into one directory, known as a CodeQL database
      • CodeQL database example (Java)
        • Expressions table: each row represents an expression in the source code analyzed during the build
        • Statements table: each row represents a statement in the source code analyzed during the build
    • CodeQL database summary
      • Contains the queryable data extracted from the code base, including a complete hierarchical representation of the code (abstract syntax tree, data flow graph, control flow graph)
      • Each language has its own database schema that defines the relations used to create the data; for example, each language has a table for each
      • Each language also provides an abstraction layer on top of the database tables: an object-oriented view of the data that makes queries easier to write
    • Supported languages
      • C/C++
      • Java
      • Go
      • Python
      • JavaScript
    • How to write queries
      • See the tutorial on the official website
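As an added example that is not part of the original post, here is what the "write rules to check for security holes" item looks like in practice for the Java database described above: a query using CodeQL's TaintTracking::Configuration API (the API in use at the time of the v1 codeql-action) that reports servlet request parameters flowing into Runtime.exec(). The class name and @id are made up for this example; a real scan would use the standard query packs, which add sanitizer and wrapper models that this bare configuration lacks.

```ql
/**
 * @name Request parameter flows into Runtime.exec()
 * @description A value read from an HTTP request parameter reaches a
 *              command-execution call without being sanitized.
 * @kind path-problem
 * @problem.severity error
 * @id java/example/param-to-exec   // assumed id for this added example
 * @tags security
 */

import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph

// Taint-tracking configuration: sources are calls to ServletRequest.getParameter(),
// sinks are arguments of java.lang.Runtime.exec(). Name is assumed for this example.
class ParamToExecConfig extends TaintTracking::Configuration {
  ParamToExecConfig() { this = "ParamToExecConfig" }

  override predicate isSource(DataFlow::Node source) {
    exists(MethodAccess ma |
      ma.getMethod().hasName("getParameter") and
      // getParameter is declared on javax.servlet.ServletRequest; accept calls
      // made through subtypes such as HttpServletRequest as well
      ma.getMethod().getDeclaringType().getASupertype*().hasQualifiedName("javax.servlet", "ServletRequest") and
      source.asExpr() = ma
    )
  }

  override predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess ma |
      ma.getMethod().hasName("exec") and
      ma.getMethod().getDeclaringType().hasQualifiedName("java.lang", "Runtime") and
      sink.asExpr() = ma.getAnArgument()
    )
  }
}

// One result per source-to-sink path; the path-problem kind makes the
// code scanning UI show every intermediate step of the flow.
from ParamToExecConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Request parameter reaches Runtime.exec() without sanitization."
```

Because the configuration defines no sanitizers, any validation the application performs on the parameter is not recognised, so every reported path should be reviewed rather than treated as a confirmed finding.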
  • Configuring CodeQL

    1. GitHub -> Repository -> Security

    2. Set up code scanning

    3. Set up this workflow

    4. Customize the workflow

    ```yaml
    name: "CodeQL"

    on:
      push:
        branches: [ main ]
      pull_request:
        # The branches below must be a subset of the branches above
        branches: [ main ]
      schedule:
        - cron: '0 0 * * *'

    jobs:
      analyze:
        name: Analyze
        runs-on: ubuntu-latest
        permissions:
          actions: read
          contents: read
          security-events: write

        strategy:
          fail-fast: false
          matrix:
            language: [ 'java' ]
            # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
            # Learn more:
            # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed

        steps:
        - name: Checkout repository
          uses: actions/checkout@v2

        # Initializes the CodeQL tools for scanning.
        - name: Initialize CodeQL
          uses: github/codeql-action/init@v1
          with:
            languages: ${{ matrix.language }}
            # If you wish to specify custom queries, you can do so here or in a config file.
            # By default, queries listed here will override any specified in a config file.
            # Prefix the list here with "+" to use these queries and those in the config file.
            # queries: ./path/to/local/query, your-org/your-repo/queries@main

        # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
        # If this step fails, then you should remove it and run the build manually (see below)
        - name: Autobuild
          uses: github/codeql-action/autobuild@v1

        - name: Perform CodeQL Analysis
          uses: github/codeql-action/analyze@v1
    ```

    5. Commit the workflow file
  • Other Security Configurations

    • Security and licence scan

    ```yaml
    name: Scan
    # This section configures the trigger for the workflow. Feel free to customize depending on your convention
    on:
      pull_request:

    jobs:
      scan-build:
        runs-on: ubuntu-20.04
        steps:
        - uses: actions/checkout@v1
        - name: Cache multiple paths
          uses: actions/cache@v2
          with:
            path: |
              ${{ github.workspace }}/db
            key: ${{ runner.os }}-${{ hashFiles('requirements*.txt') }}
        - name: Perform Scan
          uses: ShiftLeftSecurity/scan-action@master
          env:
            VDB_HOME: ${{ github.workspace }}/db
            WORKSPACE: ""
            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          with:
            output: reports
        - name: Upload report
          uses: github/codeql-action/upload-sarif@v1
          with:
            sarif_file: reports
    ```
    • Scan results

  • Configuration example

Hango gateway-portal