Code scanning with GitHub Advanced Security
GitHub Advanced Security is available for all users in the Gjensidige GitHub organization. It's an important tool for shifting security left and increasing confidence when shipping code to Production. That being said, you should never rely solely on automation to secure your application. Security should be incorporated in every step of your development workflow, and you should always keep up to date with the latest security practices, for example by getting familiar with the OWASP Top 10 Web Application Security Risks 🔒
- Static application security testing (SAST) should be performed for all code, before it is released to Production
- Development teams are responsible for implementing and maintaining SAST for their code
- Development teams are responsible for correcting security weaknesses that are detected by SAST
Prerequisites
- A repository on GitHub
- All private dependencies for your application in GitHub Packages if you are using a compiled language (e.g. C/C++, C#, or Java)
- GitHub Code Scanning enabled in your repository
About CodeQL
GitHub Advanced Security uses CodeQL for running Static Code Analysis. CodeQL is an Open Source project that is maintained by a dedicated security team at GitHub, as well as contributors from the Open Source community. You can dive into the code behind CodeQL in their GitHub repo.
Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub.
You can use code scanning to find, triage, and prioritize fixes for existing problems in your code. Code scanning also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.
Read more about CodeQL in the official docs or at GitHub Security Lab. You should also check Supported languages and frameworks before implementing code scanning.
Kotlin is currently not supported by GitHub Advanced Security code scanning, and we have no recommendation for an alternative yet - if you know about a good one, please let us know! 🙏 🌟
Scan your code
The easiest way to configure Code Scanning is to follow GitHub's official guide. This will auto-generate a workflow in your repo with sensible defaults. It's important to note that the autobuild step is only necessary for compiled languages like C/C++, C#, or Java. You can omit this step for non-compiled code like JavaScript. autobuild is not guaranteed to work, so you might need to replace it with custom build steps that compile your application before the analyze step runs.
You can also use the following GitHub Actions workflow, but we don't guarantee this is up to date with the latest features. Consider the comments before you copy it into your repo:
```yaml
name: "CodeQL"

on:
  push:
    branches: "main"
  pull_request:
    branches: "main"
  schedule:
    - cron: "00 03 * * 1" # At 03:00 every Monday

jobs:
  analyze:
    name: "Analyze"
    runs-on: "ubuntu-latest"
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: ["javascript"] # Update this
        # CodeQL currently supports ["cpp", "csharp", "go", "java", "javascript", "python"]

    steps:
      - name: "Checkout repository"
        uses: "actions/checkout@v2"

      - name: "Initialize CodeQL"
        uses: "github/codeql-action/init@v1"
        with:
          languages: ${{ matrix.language }}

      # Autobuild attempts to build any compiled languages in general C/C++, C#, or Java
      # If this step fails, then you should remove it and add working build steps for your application instead
      # You can remove this step for non-compiled languages like JavaScript
      - name: "Autobuild"
        uses: "github/codeql-action/autobuild@v1"

      - name: "Perform CodeQL Analysis"
        uses: "github/codeql-action/analyze@v1"
```
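As an added example (not part of the original guide or of GitHub's generated workflow), the following workflow shows what replacing the Autobuild step with custom build steps looks like for a compiled language, here a Java project built with Maven. The JDK version, the `pom.xml` location and the use of Maven are assumptions; adjust them to your project. The important part is the ordering: CodeQL for compiled languages extracts a database by observing the real compilation, so the build must run after `init` and before `analyze`.

```yaml
# Added example: CodeQL workflow for a Java/Maven project with explicit build
# steps instead of Autobuild. Not from the original page.
name: "CodeQL (Java, custom build)"

on:
  push:
    branches: "main"
  pull_request:
    branches: "main"

jobs:
  analyze:
    name: "Analyze"
    runs-on: "ubuntu-latest"
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - name: "Checkout repository"
        uses: "actions/checkout@v2"

      - name: "Set up JDK"
        uses: "actions/setup-java@v2"
        with:
          distribution: "temurin"
          java-version: "11"   # assumption: use the JDK your project targets

      # init must come BEFORE the build so CodeQL can trace the compiler.
      - name: "Initialize CodeQL"
        uses: "github/codeql-action/init@v1"
        with:
          languages: "java"

      # Replaces the Autobuild step. Tests are skipped because only the
      # compilation matters for extraction; keep the build otherwise identical
      # to your release build so the analysed code matches what you ship.
      - name: "Build with Maven"
        run: mvn -B package -DskipTests --file pom.xml   # assumption: pom.xml at repo root

      # analyze must come AFTER the build has completed successfully.
      - name: "Perform CodeQL Analysis"
        uses: "github/codeql-action/analyze@v1"
```

If the build pulls private dependencies from GitHub Packages (see Prerequisites), the build step also needs credentials for that registry, for example a Maven `settings.xml` populated from a token with package read access; a build that cannot resolve its dependencies fails before CodeQL sees any compiled code, which shows up as an empty or failed analysis rather than a clean result.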
Configuration
GitHub Code Scanning offers multiple configuration options beyond the default setup described above. You can for example add your own configuration file or write your own code scanning queries on top of the main CodeQL engine. Read all about the different configuration options in the official documentation 🛠
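As an added example (not from the original page), this is what a custom code scanning configuration file can look like. It keeps GitHub's default query suite, adds the built-in `security-extended` suite, and narrows the analysed paths so that generated and vendored code does not produce noise. The file name and the path patterns are assumptions for a JavaScript repository; the keys (`name`, `queries`, `paths`, `paths-ignore`) are the ones documented for CodeQL configuration files.

```yaml
# .github/codeql/codeql-config.yml  (added example, not from the original page)
name: "Custom CodeQL config"

# Default queries stay enabled; add the extended security suite on top.
# Use "disable-default-queries: true" only if you want to run exclusively
# your own queries, which usually lowers coverage.
queries:
  - uses: security-extended

# Restrict analysis to application code (patterns are assumptions).
paths:
  - src
paths-ignore:
  - src/**/generated
  - node_modules
  - "**/*.test.js"
```

Reference the file from the `init` step of the workflow with `config-file: ./.github/codeql/codeql-config.yml` under `with:`. Note that `paths` and `paths-ignore` only affect interpreted languages such as JavaScript and Python; for compiled languages the set of analysed files is determined by what the build actually compiles, so excluding code there means excluding it from the build.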