Introduction

Imagine that you're a developer with administrator permissions for a GitHub repository. You want to automate security checks so that every release is analyzed for vulnerabilities before it ships. Luckily, your organization has purchased GitHub Advanced Security, and that license lets you accomplish these tasks by using CodeQL.

CodeQL is a static analysis tool that analyzes the code in your GitHub repository and identifies security vulnerabilities. It's available for public repositories and, with a GitHub Advanced Security license, for private repositories that your organization owns. CodeQL supports many languages for analysis, including C/C++, Java, and Python.

Learning objectives

In this module, you will:

  • Install the CodeQL command-line interface (CLI) from the GitHub CodeQL releases page.
  • Create a CodeQL database, which extracts a single relational representation of each source file in the codebase.
  • Run CodeQL queries against the database to find problems in your source code and potential security vulnerabilities.
  • Analyze the scan results, using queries written by GitHub or your own custom queries.
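The four objectives above are one pipeline: build a database from the source tree, run the query suite against it, and act on the SARIF that comes out. The script below is an added example, not part of this module or of the CodeQL project. It assumes the `codeql` binary is already on `PATH` (the first objective), that the code under test sits in the current directory, and that a security-severity score of 7.0 or higher should block the release; the SARIF document at the bottom is a constructed sample so the summary logic can run without the CLI installed.

```python
"""Drive the CodeQL CLI end to end and summarise the SARIF it produces.

Added example, not code from the module. Assumes ``codeql`` is on PATH and
the source to scan is in the current directory. FAIL_THRESHOLD is a policy
choice made here, not a CodeQL default.
"""
import json
import shutil
import subprocess
from collections import Counter
from pathlib import Path

# Security severity (CVSS-style, 0-10) at or above which a finding blocks the release.
FAIL_THRESHOLD = 7.0


def codeql_commands(db_dir, language, source_root=".", sarif_out="results.sarif", suite=None):
    """Return the two CLI invocations the objectives describe: create a database
    from source, then analyze it and write SARIF. ``suite`` is an optional query
    suite or pack reference (assumed to be installed by the caller); without it
    CodeQL runs its default queries for the language."""
    create = ["codeql", "database", "create", db_dir,
              f"--language={language}", f"--source-root={source_root}"]
    analyze = ["codeql", "database", "analyze", db_dir,
               "--format=sarif-latest", f"--output={sarif_out}"]
    if suite:
        analyze.append(suite)
    return create, analyze


def run_scan(db_dir, language, sarif_out="results.sarif"):
    """Execute both commands and load the SARIF. Returns None when the CLI
    is not installed so the summary step can still be exercised offline."""
    if shutil.which("codeql") is None:
        return None
    for cmd in codeql_commands(db_dir, language, sarif_out=sarif_out):
        subprocess.run(cmd, check=True)
    return json.loads(Path(sarif_out).read_text())


def summarise(sarif):
    """Collapse a SARIF document into per-rule counts, the worst security
    severity seen, and the findings that breach FAIL_THRESHOLD with file:line."""
    counts = Counter()
    worst = 0.0
    blocking = []
    for run in sarif["runs"]:
        rule_list = run["tool"]["driver"].get("rules", [])
        by_id = {r["id"]: r for r in rule_list}
        for res in run.get("results", []):
            # CodeQL emits both ruleId and ruleIndex; prefer the index when present.
            rule = rule_list[res["ruleIndex"]] if "ruleIndex" in res else by_id.get(res.get("ruleId"), {})
            rule_id = res.get("ruleId") or rule.get("id", "unknown")
            counts[rule_id] += 1
            # Non-security rules carry no security-severity; treat them as 0.
            sev = float(rule.get("properties", {}).get("security-severity", 0.0))
            worst = max(worst, sev)
            loc = res["locations"][0]["physicalLocation"]
            where = f'{loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]}'
            if sev >= FAIL_THRESHOLD:
                blocking.append((rule_id, sev, where))
    return {"counts": dict(counts), "worst": worst, "blocking": blocking}


# Constructed sample in the shape CodeQL writes: two SQL injection hits and one
# style finding. Rule ids mirror real CodeQL Python query ids; locations are made up.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "py/sql-injection",
             "properties": {"security-severity": "8.8", "tags": ["security", "external/cwe/cwe-089"]}},
            {"id": "py/unused-import", "properties": {"problem.severity": "recommendation"}},
        ]}},
        "results": [
            {"ruleId": "py/sql-injection", "ruleIndex": 0, "level": "error",
             "message": {"text": "This SQL query depends on a user-provided value."},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/sql-injection", "ruleIndex": 0, "level": "error",
             "message": {"text": "This SQL query depends on a user-provided value."},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/api.py"},
                                                 "region": {"startLine": 17}}}]},
            {"ruleId": "py/unused-import", "ruleIndex": 1, "level": "note",
             "message": {"text": "Import of 'os' is not used."},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"},
                                                 "region": {"startLine": 3}}}]},
        ],
    }],
}

if __name__ == "__main__":
    sarif = run_scan("codeql-db", "python") or SAMPLE_SARIF
    report = summarise(sarif)
    print(json.dumps(report, indent=2))
    raise SystemExit(1 if report["blocking"] else 0)
```

Run it from the repository root; when the CLI is present it builds `codeql-db`, writes `results.sarif`, and exits non-zero if any finding meets the threshold, which is the hook you would put in a release job. The `security-severity` property is what CodeQL attaches to security queries; problem-only rules such as the unused-import check have none, so they are counted but never block.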

Prerequisites

  • Basic knowledge of GitHub Actions
  • Familiarity with GitHub code scanning
  • Administrative access to a repository
  • Familiarity with a query language such as SQL, Prolog, or Datalog (CodeQL's query language, QL, is closest to Datalog)