├── Dockerfile.example
├── GHAS-on-GHES-feature-matrix.md
├── README.md
├── advanced-security-material.md
├── advanced-security
│   └── training-agenda.md
├── code-scanning-guides
│   ├── integrations
│   │   └── code-scanning-third-party-integrations.md
│   ├── sandwich-tracing.md
│   ├── setup-codeql-cli.md
│   ├── synthetic-applications
│   │   ├── README.md
│   │   ├── juice-shop.md
│   │   ├── juice-shop.yml
│   │   ├── owasp-webgoat.md
│   │   └── owasp-webgoat.yml
│   └── uploading-pr-analysis.md
├── code-scanning-scripts
│   ├── README.md
│   ├── combine-n-databases.sh
│   ├── get-languages.sh
│   └── run-pr-codeql-analysis.sh
├── code-scanning-workflows
│   ├── azure-pipeline-00.yml
│   └── reusable_code_scanning-00.yml
├── codeql
│   ├── JSP-scanning.md
│   ├── ast-graph-generation.md
│   └── uniform-setup-for-cli-and-vs-code.md
├── reporting
│   ├── advanced-security-reporting.md
│   ├── ghes-mysql-connect.md
│   └── issues_csv
│       ├── README.md
│       ├── code_scanning.jq
│       ├── dependabot.jq
│       ├── reporting.ps1
│       └── secret_scanning.jq
├── secret-scanning
│   ├── secret-scanning-rollout-guidance.md
│   └── user-defined-patterns-considerations.md
└── troubleshooting
    ├── codeql-builds
    │   ├── bazel.md
    │   ├── compiled-languages-cpp.md
    │   ├── compiled-languages-csharp.md
    │   ├── compiled-languages-go.md
    │   ├── compiled-languages-java.md
    │   ├── compiled-languages-swift.md
    │   ├── compiled-languages.md
    │   ├── interpreted-languages-javascript.md
    │   ├── interpreted-languages-python.md
    │   └── interpreted-languages.md
    ├── dependabot
    │   └── failed-codeql-analysis.md
    └── sarif-upload
        └── troubleshooting.md

--------------------------------------------------------------------------------
/Dockerfile.example:
--------------------------------------------------------------------------------
FROM ubuntu
LABEL description="Security & Quality CodeQL Container Build for Cool Applications"
SHELL ["/bin/bash", "-c"]
ENV TZ=America/New_York

# create directories
RUN mkdir /tools

# setup tools
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
RUN DEBIAN_FRONTEND="noninteractive" apt-get update && apt-get install -y golang zip wget
# the bundle is downloaded into / (no WORKDIR is set yet) and unpacked to /tools/codeql
RUN wget -q https://github.com/github/codeql-action/releases/download/codeql-bundle-20211005/codeql-bundle-linux64.tar.gz
RUN tar xzf /codeql-bundle-linux64.tar.gz -C /tools

# copy source
COPY . /usr/src/myapp

# set working directory
WORKDIR /usr/src/myapp

# example repo used: https://github.com/ghas-bootcamp/ghas-bootcamp

# codeql create
# --db-cluster builds one database per language under db/<language>; the language
# list must be comma-separated with no spaces, and go is included because the go
# query suite is run below
RUN /tools/codeql/codeql database create db --language=javascript,java,go --db-cluster --no-run-unnecessary-builds -vvvv

# codeql analyze with default queries (one run per language database in the cluster)
RUN /tools/codeql/codeql database analyze db/go go-code-scanning.qls --format=sarif-latest --output=codeql-go-results.sarif --sarif-category=goiscool
RUN /tools/codeql/codeql database analyze db/javascript javascript-code-scanning.qls --format=sarif-latest --output=codeql-javascript-results.sarif --sarif-category=javascriptiscool

# upload results
# remember to get the MERGE commit for a PR
# --github-url is left blank here: set it to your GitHub Enterprise Server URL
# --github-auth-stdin takes no value; the token is read from standard input so it is
# never baked into the image (a RUN step has no stdin, so in practice run the upload
# from the container or pass the token in through a build secret)
RUN /tools/codeql/codeql github upload-results --github-url= --repository=oreos/miniature-invention --ref=refs/pull/1/merge --commit=778337f84a5abe2cda468c7abf6038b8a193cea2 --sarif=codeql-go-results.sarif --github-auth-stdin
RUN /tools/codeql/codeql github upload-results --github-url= --repository=oreos/miniature-invention --ref=refs/pull/1/merge --commit=778337f84a5abe2cda468c7abf6038b8a193cea2 --sarif=codeql-javascript-results.sarif --github-auth-stdin

--------------------------------------------------------------------------------
/GHAS-on-GHES-feature-matrix.md:
--------------------------------------------------------------------------------
# GitHub Advanced Security (GHAS) Feature Matrix

This document helps answer the question "is this GHAS feature available in my version of GitHub Enterprise Server?".

The following tables include notable feature releases for GitHub Advanced Security. Each row represents a feature.
The columns in each row indicate the level of support for each **supported** Enterprise Server release. Are your repositories hosted on github.com? All of these features are already available for you :+1:.

#### Contents
- [GitHub Advanced Security (GHAS) Feature Matrix](#github-advanced-security-ghas-feature-matrix)
  - [Contents](#contents)
  - [How do I read this document?](#how-do-i-read-this-document)
  - [Release notes](#release-notes)
  - [Secret scanning](#secret-scanning)
  - [Code scanning](#code-scanning)
  - [Supply-chain security](#supply-chain-security)
    - [Dependabot Alerts](#dependabot-alerts)
    - [Dependabot Updates](#dependabot-updates)
    - [Dependency Review and submission API](#dependency-review-and-submission-api)
  - [Security Overview](#security-overview)
  - [Administration](#administration)
  - [Dependencies](#dependencies)

#### How do I read this document?
Each section of this document represents a different capability of the GitHub security features. Each row in the tables represents a different feature of GHAS. The columns indicate whether that feature is available in each version of GitHub Enterprise Server.

Cells with ☑️ indicate beta support. ✅ indicates full support.

## Release notes
* [Releases of GitHub Enterprise Server](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server)

|Version |3.4 |3.5 |3.6 |3.7 |3.8 |3.9| 3.10|3.11|3.12|3.13|3.14|3.15|3.16|
|---------|-----|-----|-----|-----|-----|-----|----|----|----|----|----|----|----|
|Release date| 2022-02-15 | 2022-05-10 | 2022-07-26 |2022-10-25 |2023-02-07 | 2023-06-08 | 2023-08-08 | 2023-11-14 | 2024-02-13 | 2024-06-18 | 2024-08-06 | 2024-11-12 | 2025-02-25 |
|Deprecation date | 2023-03-23 | 2023-06-29 | 2023-08-16 | 2023-11-08 | 2024-03-07 | 2024-06-29 | 2024-08-29 | 2024-12-05 | 2025-03-05| 2025-07-18 | 2025-08-27 | 2025-12-19 | 2026-03-11 |
|| [Release notes](https://docs.github.com/en/enterprise-server@3.4/admin/release-notes)|[Release notes](https://docs.github.com/en/enterprise-server@3.5/admin/release-notes)|[Release notes](https://docs.github.com/en/enterprise-server@3.6/admin/release-notes)|[Release notes](https://docs.github.com/en/enterprise-server@3.7/admin/release-notes)|[Release notes](https://docs.github.com/en/enterprise-server@3.8/admin/release-notes)|[Release notes](https://docs.github.com/en/enterprise-server@3.9/admin/release-notes)|[Release notes](https://docs.github.com/en/enterprise-server@3.10/admin/release-notes) | [Release notes](https://docs.github.com/en/enterprise-server@3.11/admin/release-notes) | [Release notes](https://docs.github.com/en/enterprise-server@3.12/admin/release-notes) | [Release notes](https://docs.github.com/en/enterprise-server@3.13/admin/release-notes)| [Release notes](https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.0) | [Release notes](https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.0) | [Release notes](https://docs.github.com/en/enterprise-server@3.16/admin/release-notes) |

## Secret scanning
Secret scanning identifies plain text credentials inside your code repository.
Learn more about secret scanning:
* [Secret scanning documentation](https://docs.github.com/en/enterprise-server/code-security/secret-scanning/about-secret-scanning)
* [Secret scanning API documentation](https://docs.github.com/en/enterprise-server/rest/secret-scanning?apiVersion=2022-11-28)

|Feature |3.4 |3.5 |3.6 |3.7 |3.8 |3.9 | 3.10 | 3.11 | 3.12 |3.13| 3.14|3.15|3.16|
|------------------------------------------------------------|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
|[Partner pattern count](https://docs.github.com/en/enterprise-server/code-security/secret-scanning/secret-scanning-patterns)|155|169|173|173|183|200|218|233|249|274|274|274|286|289|
|[User defined (custom) patterns](https://docs.github.com/en/enterprise-server/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Enterprise level API for secret scanning](https://docs.github.com/en/enterprise-server/rest/secret-scanning?apiVersion=2022-11-28#list-secret-scanning-alerts-for-an-enterprise)|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Secret scanning push protection](https://docs.github.com/en/enterprise-server/code-security/secret-scanning/protecting-pushes-with-secret-scanning)||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Dry runs for secret scanning push protection (repo level)](https://docs.github.com/en/enterprise-server/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Secret scanning support for archived repos](https://github.blog/changelog/2022-02-16-secret-scanning-now-supports-archived-repositories/)||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Custom pattern events in the audit log](https://github.blog/changelog/2022-04-06-secret-scanning-custom-pattern-events-now-in-the-audit-log/)||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Push protection events in the audit log](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization#secret_scanning_push_protection-category-actions)|||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Push protection in the web editor](https://docs.github.com/en/enterprise-server/code-security/secret-scanning/protecting-pushes-with-secret-scanning#using-secret-scanning-as-a-push-protection-from-the-web-ui)|||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Enable secret scanning at the enterprise level](https://github.blog/changelog/2022-10-06-enable-secret-scanning-for-an-enterprise-with-one-click/)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Dry runs for secret scanning custom patterns (org level)](https://github.blog/changelog/2022-02-11-secret-scanning-dry-runs-for-repository-level-custom-pattern/)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Email notification for push protection bypass](https://github.blog/changelog/2022-07-27-secret-scanning-admins-now-receive-emails-when-contributors-bypass-a-push-protection-block/)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Custom links in push protection notification](https://github.blog/changelog/2022-08-24-secret-scanning-admins-can-now-provide-a-link-to-display-when-a-push-is-blocked/)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[View secret scanning enablement status at the org-level via API](https://github.blog/changelog/2021-08-24-secret-scanning-org-level-rest-api/)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Enable secret scanning at the enterprise level using the REST API](https://github.blog/changelog/2022-12-13-enable-secret-scanning-with-the-enterprise-level-rest-api/)|||||✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Add comment when dismissing a secret scanning alert in UI or API](https://github.blog/changelog/2022-09-29-secret-scanning-alerts-now-have-a-timeline-and-users-can-add-a-comment-when-resolving/)|||||✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Custom pattern creation at the enterprise level](https://docs.github.com/en/enterprise-server/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)||||||✅|✅|✅|✅|✅|✅|✅|✅|
|[Custom pattern alert metrics](https://docs.github.com/en/enterprise-server@3.12/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)|||||||✅|✅|✅|✅|✅|✅|✅|
|[Validity checks for GitHub Tokens](https://docs.github.com/en/enterprise-server@3.12/code-security/secret-scanning/managing-alerts-from-secret-scanning#managing-secret-scanning-alerts)||||||||✅|✅|✅|✅|✅|✅|
|[Secret scanning scans issues](https://docs.github.com/en/enterprise-server@3.12/code-security/secret-scanning/about-secret-scanning#about-secret-scanning)||||||||✅|✅|✅|✅|✅|✅|
|[Push protection metrics in security overview](https://docs.github.com/en/enterprise-server@3.12/code-security/security-overview/assessing-code-security-risk)||||||||✅|✅|✅|✅|✅|✅|
|[Non-provider patterns](https://github.blog/changelog/2023-11-06-secret-scanning-expands-detection-to-include-non-provider-patterns-beta/)|||||||||☑️|☑️|☑️|☑️|✅|
|[User-space secret scanning](https://docs.github.com/en/enterprise-server@3.13/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)||||||||||✅|✅|✅|✅|
|[Push Protection Bypass](https://docs.github.com/en/enterprise-server@3.14/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection)|||||||||||☑️|☑️|✅|
|[Detect secrets leaked in discussions and in pull request titles, bodies, and comments](https://docs.github.com/en/enterprise-server@3.14/code-security/secret-scanning/about-secret-scanning)|||||||||||☑️|✅|✅|
|Push protection on file upload|||||||||||☑️|☑️|✅|
|Audit log events for non-provider patterns|||||||||||✅|✅|✅|
|[Create a push protection bypass API endpoint](https://github.blog/changelog/2024-08-13-secret-scanning-push-protection-is-supported-for-content-upload-rest-api-endpoints/)||||||||||||✅|✅|
|[Enabling detection of non-provider patterns for an organization](https://docs.github.com/en/enterprise-server@3.15/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns#enabling-detection-of-non-provider-patterns-for-an-organization)||||||||||||☑️|✅|
|[REST API endpoint for secret scanning scan history](https://docs.github.com/en/enterprise-server@3.16/rest/secret-scanning/secret-scanning?apiVersion=2022-11-28#get-secret-scanning-scan-history-for-a-repository)|||||||||||||✅|

## Code scanning
Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub.
* [Code scanning documentation](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning)
* [Code scanning API documentation](https://docs.github.com/en/rest/code-scanning?apiVersion=2022-11-28)

|Feature |3.4 |3.5 |3.6 |3.7 |3.8 |3.9 |3.10 |3.11 |3.12|3.13|3.14|3.15|3.16|
|------------------------------------------------------------|-----|-----|-----|-----|-----|-----|----|----|----|----|----|----|-----|
|[CodeQL "toolcache" Installed Version](https://docs.github.com/en/enterprise-server/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#provisioning-the-actions-for-code-scanning)|2.7.6|2.11.6|2.12.7|2.12.7|2.12.7|2.12.7|2.13.5|2.14.6|2.15.5|2.16.5|[2.17.6](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.17.6/)|[2.18.4](https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#code-scanning)|[2.20.3](https://docs.github.com/en/enterprise-server@3.16/admin/managing-code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#provisioning-the-actions-for-code-scanning)|
|[Language support: Python, Javascript, Java, Go, C/C++, C#, Typescript](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/)|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Ruby Support](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/)|☑️|☑️|☑️|☑️|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Apple M1 support for CodeQL](https://github.blog/changelog/2021-11-10-codeql-now-supports-apple-silicon-m1/)|☑️|☑️|☑️|☑️|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Org-wide code scanning alerts via the REST API](https://docs.github.com/en/rest/code-scanning?apiVersion=2022-11-28#list-code-scanning-alerts-for-an-organization)||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Add comments when dismissing alerts](https://docs.github.com/en/enterprise-server/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#dismissing--alerts)|||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Code scanning alert comments in the pull request conversation tab](https://github.blog/changelog/2022-06-02-users-can-view-and-comment-on-code-scanning-alerts-on-the-conversation-tab-in-a-pull-request/)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Users can publish CodeQL packs to the container registry](https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/publishing-and-using-codeql-packs)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[CodeQL query filters to exclude individual queries](https://github.blog/changelog/2022-08-31-code-scanning-customize-your-codeql-analysis-using-query-filters/)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Enterprise-wide code scanning alerts via the REST API](https://docs.github.com/en/enterprise-server/rest/code-scanning?apiVersion=2022-11-28#list-code-scanning-alerts-for-an-enterprise)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Filter API results by severity](https://github.blog/changelog/2022-11-25-filter-code-scanning-api-results-by-alert-severity/)|||||✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Kotlin language support](https://github.blog/changelog/2022-11-28-codeql-code-scanning-launches-kotlin-analysis-support-beta/)|||||☑️|☑️|☑️|☑️|☑️|☑️|☑️|✅|✅|
|[Default CodeQL setup](https://docs.github.com/en/enterprise-server/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically)||||||✅|✅|✅|✅|✅|✅|✅|✅|
|[Default CodeQL setup via API](https://docs.github.com/en/enterprise-server/rest/code-scanning#update-a-code-scanning-default-setup-configuration)||||||✅|✅|✅|✅|✅|✅|✅|✅|
|["Enable all" functionality at the org level (API and UI)](https://docs.github.com/en/enterprise-server/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale)||||||✅|✅|✅|✅|✅|✅|✅|✅|
|[Tool status page](https://docs.github.com/en/enterprise-server/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page)||||||✅|✅|✅|✅|✅|✅|✅|✅|
|[View org-level enablement status via the API](https://docs.github.com/en/enterprise-server/rest/repos/repos?apiVersion=2022-11-28#list-organization-repositories)||||||✅|✅|✅|✅|✅|✅|✅|✅|
|[CodeQL default setup supports compiled languages](https://docs.github.com/en/enterprise-server@3.10/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages)|||||||✅|✅|✅|✅|✅|✅|✅|
|[Choose which language to enable or disable in CodeQL default setup](https://docs.github.com/en/enterprise-server@3.10/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning)|||||||✅|✅|✅|✅|✅|✅|✅|
|[Filter code scanning alerts by `path` and `language`](https://docs.github.com/en/enterprise-server@3.10/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository)|||||||✅|✅|✅|✅|✅|✅|✅|
|[CodeQL supports C# 11](https://github.com/github/roadmap/issues/598)|||||||✅|✅|✅|✅|✅|✅|✅|
|[CodeQL supports Swift programming language](https://github.blog/changelog/2023-06-01-codeql-code-scanning-now-supports-swift-beta/)|||||||☑️|☑️|☑️|☑️|☑️|✅|✅|
|[Default setup automatically adds new repo languages](https://docs.github.com/en/enterprise-server@3.11/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)||||||||✅|✅|✅|✅|✅|✅|
|[Choose query suite with default setup](https://docs.github.com/en/enterprise-server@3.11/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)||||||||✅|✅|✅|✅|✅|✅|
|[Weekly scan with default setup](https://docs.github.com/en/enterprise-server@3.11/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)||||||||✅|✅|✅|✅|✅|✅|
|[CodeQL supports custom model packs](https://codeql.github.com/docs/codeql-for-visual-studio-code/using-the-codeql-model-editor/)||||||||✅|✅|✅|✅|✅|✅|
|[CodeQL supports Java code using Project Lombok](https://docs.github.com/en/enterprise-server@3.11/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#configuring-github-connect-to-sync-github-actions)||||||||✅|✅|✅|✅|✅|✅|
|[Default setup automatically includes all CodeQL supported languages](https://github.blog/changelog/2023-10-23-code-scanning-default-setup-automatically-includes-all-codeql-supported-languages/)|||||||||✅|✅|✅|✅|✅|
|[CodeQL threat models for detecting relevant alerts](https://docs.github.com/en/enterprise-server@3.13/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models)||||||||||☑️|☑️|☑️|☑️|
|[Code Scanning merge protection rulesets](https://docs.github.com/en/enterprise-server@3.14/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection)|||||||||||☑️|☑️|☑️|
|[CodeQL threat models for default setup](https://docs.github.com/en/enterprise-server@3.14/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#including-local-sources-of-tainted-data-in-default-setup)|||||||||||☑️|☑️|☑️|
|[CodeQL model packs for organization/repo](https://docs.github.com/en/enterprise-server@3.14/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup)|||||||||||☑️|☑️|☑️|
|[CodeQL can scan Java projects without a build](https://docs.github.com/en/enterprise-server@3.15/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes)|||||||||||☑️|☑️|☑️|
|[CodeQL can scan C# projects without a build](https://docs.github.com/en/enterprise-server@3.15/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes)||||||||||||☑️|☑️|
|[CodeQL dependency caching for advanced setup](https://docs.github.com/en/enterprise-server@3.16/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-dependency-caching-for-codeql)|||||||||||||✅|
|[Zstandard archive for CodeQL tools](https://docs.github.com/en/enterprise-server@3.16/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli#1-download-the-codeql-cli-tar-archive)|||||||||||||✅|

## Supply-chain security

#### Dependabot Alerts
Dependabot alerts tell you that your code depends on a package that is insecure.
* [Dependabot alerts documentation](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)
* [Dependabot alerts API](https://docs.github.com/en/enterprise-server/rest/dependabot/alerts?apiVersion=2022-11-28)

|Feature |3.4 |3.5 |3.6 |3.7 |3.8 |3.9 |3.10 |3.11 |3.12|3.13|3.14|3.15|3.16|
|------------------------------------------------------------|-----|-----|-----|-----|-----|-----|----|----|----|----|----|----|-----|
|[Dependabot Alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Go modules support](https://docs.github.com/en/enterprise-server/get-started/learning-about-github/github-language-support#core-languages-supported-by-github-features)|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Poetry support](https://docs.github.com/en/enterprise-server/get-started/learning-about-github/github-language-support#core-languages-supported-by-github-features)|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Cargo support](https://docs.github.com/en/enterprise-server/get-started/learning-about-github/github-language-support#core-languages-supported-by-github-features)|||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Reopen dismissed alerts](https://github.blog/changelog/2022-03-07-reopen-dismissed-dependabot-alerts/)|||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Dependabot alerts show vulnerable function calls](https://github.blog/2022-04-14-dependabot-alerts-now-surface-if-code-is-calling-vulnerability/)|||☑️|☑️|☑️|☑️|☑️|☑️|☑️|☑️|☑️|☑️|☑️|
|[Dependabot Alert timeline](https://github.blog/changelog/2022-07-28-dependabot-alerts-timeline-of-events-on-the-alert-details-page/)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Bulk Editing of Alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Add comment when dismissing dependabot alert](https://github.blog/changelog/2022-08-22-dependabot-alerts-optional-dismissal-comment-2/)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Dev Dependencies label](https://github.blog/2023-05-02-dependabot-relieves-alert-fatigue-from-npm-devdependencies/)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[View Dependabot enablement status via org-level API](https://github.blog/changelog/2023-02-28-dependabot-alerts-enterprise-enablement-and-status-checking/)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Receive alerts for vulnerable GitHub Actions](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Dependabot alert webhooks](https://github.blog/changelog/2022-10-06-new-dependabot-alerts-webhook/)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Dependabot alerts REST API endpoint for repository, org and enterprise](https://docs.github.com/en/rest/dependabot/alerts?apiVersion=2022-11-28)|||||☑️|✅|✅|✅|✅|✅|✅|✅|✅|
|[Export SBOM from dependency graph](https://docs.github.com/en/enterprise-server/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository)||||||✅|✅|✅|✅|✅|✅|✅|✅|
|[Dependabot can parse and update Gradle version catalogs in `settings.gradle`](https://docs.github.com/en/enterprise-server/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates)||||||✅|✅|✅|✅|✅|✅|✅|✅|
|[Dependabot has full support for pnpm](https://docs.github.com/en/enterprise-server@3.11/code-security/dependabot)||||||||✅|✅|✅|✅|✅|✅|
|[Dependabot auto-triage rules](https://docs.github.com/en/enterprise-server@3.12/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules)|||||||||✅|✅|✅|✅|✅|
|[Security advisories can use the new CVSS 4.0 schema to calculate a base vulnerability score](https://docs.github.com/en/enterprise-server@3.16/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-cvss-levels)|||||||||||||✅|
|[Added Exploit Prediction Scoring System (EPSS) to advisories to show estimated probability that a vulnerability will be exploited over the next 30 days](https://docs.github.com/en/enterprise-server@3.16/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-epss-scores)|||||||||||||✅|

#### Dependabot Updates
|Feature |3.4 |3.5 |3.6 |3.7 |3.8 |3.9 |3.10 |3.11 |3.12|3.13|3.14|3.15|3.16|
|------------------------------------------------------------|-----|-----|-----|-----|-----|-----|----|----|----|----|----|----|-----|
|[Dependabot Updates](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)|☑️|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|Actions authors can automatically update dependencies within workflow files|||||✅|✅|✅|✅|✅|✅|✅|✅|✅|
|Dart and Flutter (using Pub) support for updates|||||✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Automatically pause pull request activity after 90 days of inactivity](https://docs.github.com/en/enterprise-server/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates)||||||✅|✅|✅|✅|✅|✅|✅|✅|
|[Grouped version updates](https://docs.github.com/en/enterprise-server@3.11/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups)|||||||✅|✅|✅|✅|✅|✅|✅|
|[Open pull requests for Swift and Gradle dependencies](https://docs.github.com/en/enterprise-server@3.11/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)||||||||✅|✅|✅|✅|✅|✅|
|[REST API displays enablement status for Dependabot updates](https://docs.github.com/en/enterprise-server@3.11/rest/repos/repos)||||||||✅|✅|✅|✅|✅|✅|
|[Dependabot supports `devcontainer.json` files](https://docs.github.com/en/enterprise-server@3.13/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#dev-containers)||||||||||✅|✅|✅|✅|
|[Viewing Dependabot job logs](https://docs.github.com/en/enterprise-server@3.12/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs)|||||||||✅|✅|✅|✅|✅|
|[Dependabot access to Cargo private registries](https://docs.github.com/en/enterprise-server@3.14/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot#about-configuring-private-registries-for-dependabot)|||||||||||✅|✅|✅|
|Dependabot pauses scheduled jobs after 15 failures|||||||||||✅|✅|✅|
|[Dependabot grouped security updates](https://docs.github.com/en/enterprise-server@3.14/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates)|||||||||||✅|✅|✅|
|[Private registry support for target-branch configuration](https://docs.github.com/en/enterprise-server@3.14/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot)|||||||||||✅|✅|✅|
|[Updates support pnpm workspace catalogs](https://github.blog/changelog/2025-02-04-dependabot-now-supports-pnpm-workspace-catalogs-ga/)|||||||||||||✅|
|[Version updates support .NET SDK in global.json](https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#dependabot)|||||||||||||✅|

#### Dependency Graph, Dependency Review and snapshot submission API
Dependency review helps you understand dependency changes and the security impact of these changes at every pull request.
* [Dependency review docs](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review)
* [Dependency review API docs](https://docs.github.com/en/rest/dependency-graph/dependency-review?apiVersion=2022-11-28)

|Feature |3.4 |3.5 |3.6 |3.7 |3.8 |3.9 |3.10 |3.11 |3.12|3.13|3.14|3.15|3.16|
|------------------------------------------------------------|-----|-----|-----|-----|-----|-----|-----|----|----|----|----|----|-----|
|[Dependency Review](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review)|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Enforcement Action](https://github.blog/changelog/2022-04-06-github-action-for-dependency-review-enforcement/)|||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Dependency Submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Dependency Review supports transitive dependencies](https://docs.github.com/en/enterprise-server@3.11/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together)||||||||✅|✅|✅|✅|✅|✅|
|SBOM generated for a package now includes the package URL for more packages|||||||||||✅|✅|✅|

## Security Overview
Security overview provides high-level summaries of the security status of an organization or enterprise and makes it easy to identify repositories that require intervention.
* [Security Overview documentation](https://docs.github.com/en/enterprise-server/code-security/security-overview/about-security-overview)

|Feature |3.4 |3.5 |3.6 |3.7 |3.8 |3.9 |3.10| 3.11 |3.12|3.13|3.14|3.15|3.16|
|------------------------------------------------------------|-----|-----|-----|-----|-----|-----|-----|----|----|----|----|----|-----|
|[Security Overview](https://docs.github.com/en/enterprise-server/code-security/security-overview/about-security-overview)|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|Organization view|☑️|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|Enterprise view||☑️|☑️|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|Organization-level Code Scanning Alert View||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|Organization-level Dependabot Alert View||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|Enterprise-level view of Dependabot alerts|||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|Enterprise-level view of code scanning alerts||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|Enterprise-level view of secret scanning alerts||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|Coverage and Risk Security Overview pages|||||☑️|☑️|✅|✅|✅|✅|✅|✅|✅|
|[Filter alerts by repo topic](https://docs.github.com/en/enterprise-server/code-security/security-overview/filtering-alerts-in-security-overview)||||||✅|✅|✅|✅|✅|✅|✅|✅|
|[Filter alerts by team](https://docs.github.com/en/enterprise-server/code-security/security-overview/filtering-alerts-in-security-overview)||||||✅|✅|✅|✅|✅|✅|✅|✅|
|[Enable GHAS features in security overview](https://docs.github.com/en/enterprise-server/code-security/security-overview/about-security-overview)||||||✅|✅|✅|✅|✅|✅|✅|✅|
|[Enterprise-level security coverage and risk dashboards](https://docs.github.com/en/enterprise-server@3.10/code-security/security-overview/about-security-overview#about-security-overview-for-enterprises)|||||||✅|✅|✅|✅|✅|✅|✅|
|[Enablement trends dashboard is available](https://docs.github.com/en/enterprise-server@3.13/code-security/security-overview/assessing-adoption-code-security#viewing-enablement-trends-for-an-organization-beta)||||||||||✅|✅|✅|✅|
|[Enterprise level secret scanning metrics and enablement trend dashboards](https://docs.github.com/en/enterprise-server@3.14/code-security/security-overview/viewing-security-insights)|||||||||||✅|✅|✅|
|[Security overview dashboard group by tool](https://docs.github.com/en/enterprise-server@3.14/code-security/security-overview/viewing-security-insights#viewing-the-security-overview-dashboard-for-your-organization)|||||||||||✅|✅|✅|
|Security overview dashboard filter by security tool|||||||||||☑️|✅|✅|
|[CodeQL pull request alerts view](https://docs.github.com/en/enterprise-server@3.15/code-security/security-overview/viewing-metrics-for-pull-request-alerts)||||||||||||✅|✅|
|[Security overview dashboard adds SAST vulnerabilities summary table](https://docs.github.com/en/enterprise-server@3.16/code-security/security-overview/viewing-security-insights)|||||||||||||✅|
|[Security overview dashboard adds Prevention metrics alongside Detection and Remediation metrics at both the organization and enterprise levels](https://github.blog/changelog/2024-09-19-enhanced-security-overview-dashboard-detection-remediation-and-prevention-at-the-forefront/)|||||||||||||✅|
|[Export CSV data from the "CodeQL pull request alerts" view](https://docs.github.com/en/enterprise-server@3.16/code-security/security-overview/viewing-metrics-for-pull-request-alerts)|||||||||||||✅|
|[Security overview dashboard accessibility enhancements](https://github.blog/changelog/2024-11-20-accessibility-improvements-for-security-overview/)|||||||||||||✅|

## Administration
|Feature |3.4 |3.5 |3.6 |3.7 |3.8 |3.9 |3.10 |3.11 |3.12 |3.13|3.14|3.15|3.16|
|------------------------------------------------------------|-----|-----|-----|-----|-----|-----|----|----|----|----|----|----|-----|
|[Security Managers Role](https://docs.github.com/en/enterprise-server/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization)|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Manage Security Managers role via the API](https://docs.github.com/en/enterprise-server/rest/orgs/security-managers?apiVersion=2022-11-28)||||✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|
|[Licensing for committers only after the migration date](https://docs.github.com/en/enterprise-server@3.12/billing/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security)|||||||||✅|✅|✅|✅|✅|
|[Create and assign custom organization roles](https://docs.github.com/en/enterprise-server@3.14/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-organization-roles)|||||||||||✅|✅|✅|
|[Enable at scale - security configurations](https://docs.github.com/en/enterprise-server@3.15/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale)||||||||||||✅|✅|
|[Enterprise-level security 
configurations](https://docs.github.com/en/enterprise-server@3.16/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale#about-enterprise-level-security-configurations)|||||||||||||✅| 220 | |[Security configurations for archived repositories](https://docs.github.com/en/enterprise-server@3.16/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale)|||||||||||||✅| 221 | |[Advanced filtering for repository selection by security feature status](https://docs.github.com/en/enterprise-server@3.16/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/creating-security-configurations-for-your-organization)|||||||||||||✅| 222 | |[Security manager role can be assigned directly to individual users](https://docs.github.com/en/enterprise-server@3.16/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization)|||||||||||||✅| 223 | 224 | # Dependencies 225 | This section calls out the dependencies required to enable GitHub Advanced Security on GitHub Enterprise Server. 226 | 227 | | Feature | GHAS license<br>required? | GitHub Actions<br>required? | GitHub Connect<br>required? | Documentation | Notes | 228 | |---|---|---|---|---|---| 229 | | Security Overview<br>Description: Know what needs attention throughout the entire SDLC | No * | No | No | [Feature Docs](https://docs.github.com/en/enterprise-server@latest/code-security/security-overview/about-the-security-overview) | * Features not needing a GHAS license will still show up | 230 | | Dependency Graph<br>Description: Parse manifest and lock files in your repository | No | No | No | [Feature Docs](https://docs.github.com/en/enterprise-server@latest/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise) | Enabling this feature will reload some services on the appliance. | 231 | | Dependabot Alerts<br>Description: Know which of :point_up: have open CVEs | No | No | Yes | [Feature Docs](https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) | [GitHub Connect](https://docs.github.com/en/enterprise-server@latest/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise) dependency and data transmission details | 232 | | Dependabot Security Updates<br>Description: One-click "enable all" to send PRs updating :point_up: | No | Yes | Yes | [Feature Docs](https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) | Requires a runner with Docker and internet connectivity to open PRs ([specs](https://docs.github.com/en/enterprise-server@latest/admin/github-actions/enabling-github-actions-for-github-enterprise-server/managing-self-hosted-runners-for-dependabot-updates))<br>As of GHES 3.8, will not require internet connectivity _if_ private registry is configured | 233 | | Dependabot Updates<br>Description: Allows Dependabot to process optional updates using `~/.github/dependabot.yml` file | No | Yes | Yes | [Feature Docs](https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-version-updates) | Same requirements as :point_up: - this just allows the same "non-security" updates using the same flexible configuration file as GitHub.com | 234 | | Dependency Review<br>Description: Inspect dependencies at pull request, blocking merges that add more security vulnerabilities | Yes | Yes | Yes | [Feature Docs](https://docs.github.com/en/enterprise-server@latest/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-dependency-review-for-your-appliance) | Does not require the build to be moved into GitHub Actions, but needs a runner to inspect manifests.<br>Dependency "snapshots" submitted through the dependency submission API for non-default branches are not supported on GitHub Enterprise Server.<br>Checking for licenses is not supported on GitHub Enterprise Server because the API does not return license information. | 235 | | CodeQL<br>Description: Highly accurate static analysis tool, flexible and extensible query language | Yes | No * | No * | [Feature Docs](https://docs.github.com/en/enterprise-server@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql) | * CodeQL can be installed in your existing build system ([directions](https://docs.github.com/en/enterprise-server@latest/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system)) and/or be used on GitHub Actions with self-hosted runners ([directions](https://docs.github.com/en/enterprise-server@latest/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#running-code-scanning-using-github-actions))<br>* GitHub Connect is not required, but it makes keeping the CodeQL queries up-to-date easier.<br>* [codeql-action-sync-tool](https://github.com/github/codeql-action-sync-tool) is the offline updater without Connect.<br>* Code Scanning default setup requires runners with the `code-scanning` label applied. | 236 | | Upload SARIF files from other tools<br>Description: View security results from other tools using SARIF file uploads | Yes | No | No | [Feature Docs](https://docs.github.com/en/enterprise-server@latest/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github) | Many other tools support the SARIF interchange format. This feature provides a single pane of glass into the entire codebase. | 237 | | Secret scanning<br>Description: Look at the present and all history for secrets, including partner patterns and custom regex | Yes | No | No | [Feature Docs](https://docs.github.com/en/enterprise-server@latest/code-security/secret-scanning) | | 238 | | Push protection for secrets<br>Description: Block commits containing partner patterns and custom regex from GitHub, preventing compromise | Yes | No | No | [Feature Docs](https://docs.github.com/en/enterprise-server@latest/code-security/secret-scanning/protecting-pushes-with-secret-scanning) | Bare metal hypervisors may require an additional CPU flag, as outlined [here](https://docs.github.com/en/enterprise-server@latest/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance) | 239 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Advanced Security Material 2 | A place for resources to help you understand and use GitHub Advanced Security (GHAS). Browse the directories in this repository for resources and documentation. To help you get started with GHAS, we've provided some introductory documentation in this file. 3 | 4 | ## Get started with GitHub Advanced Security 5 | The following list of links are great resources to get you started on learning how to use, deploy, and manage GitHub Advanced Security in your environment. 6 | 7 | New to GitHub Advanced Security? 
Start with [GitHub security features](https://docs.github.com/en/enterprise-cloud@latest/code-security/getting-started/github-security-features) :+1: 8 | 9 | ### Code Scanning 10 | - [About GitHub Code Scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) 11 | - [Configuring Code Scanning](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning) 12 | - [Integrating other tools with GHAS](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning) 13 | 14 | ### CodeQL 15 | - [Meet CodeQL](https://codeql.github.com/) 16 | - [CodeQL Documentation](https://codeql.github.com/docs/) 17 | - [CWE Query Mapping Documentation](https://codeql.github.com/codeql-query-help/codeql-cwe-coverage) 18 | - [Running additional queries](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#running-additional-queries) 19 | - [CodeQL CLI Docs](https://codeql.github.com/docs/codeql-cli/getting-started-with-the-codeql-cli) 20 | - [Running CodeQL in your CI System](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/running-codeql-code-scanning-in-your-ci-system) 21 | 22 | ### Secret Scanning 23 | - [About Secret Scanning](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning) 24 | - [Supported secret patterns](https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns#supported-secrets-for-partner-patterns) 25 | - [Defining custom secret patterns](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning) 26 | 27 | ### Supply Chain Security (Dependabot) 28 | - 
[About](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security) 29 | - [Dependency Graph](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) 30 | - [Dependabot Alerts](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) 31 | - [Dependabot Security Updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates) 32 | - [GitHub Advisory Database](https://github.com/advisories) 33 | - [Dependabot Quickstart Guide](https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide) 34 | 35 | ### Security Overview 36 | - [About Security Overview](https://docs.github.com/en/code-security/security-overview/about-the-security-overview) 37 | - [Managing alerts in your repository](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository) 38 | 39 | ### Other Resources 40 | - [SARIF Tutorials](https://github.com/microsoft/sarif-tutorials) 41 | - [GitHub Advanced Security Learning Path](https://docs.microsoft.com/en-us/users/githubtraining/collections/rqymc6yw8q5rey) 42 | - [Adopting and scaling GitHub Advanced Security in your company](https://assets.ctfassets.net/wfutmusr1t3h/7rbooz6hi5leHDyvjD3FCy/4cb66560d58afad3f58197f7d4f37f23/Whitepaper-Scaling-GHAS-in-an-Enterprise.pdf) 43 | - [The Complete Guide to Developer-first Security](https://resources.github.com/developer-first-application-security/) 44 | - [GitHub Checkout - Code Scanning (video)](https://www.youtube.com/watch?v=z0wvGf3O69E) 45 | - [GitHub Checkout - Secret Scanning (video)](https://www.youtube.com/watch?v=aoL7pDrXt74) 46 | - 
[GitHub Checkout - Viewing and Managing your Dependencies (video)](https://www.youtube.com/watch?v=gNd_TGdZ1xc) 47 | - [GitHub Well-architected - Application security](https://wellarchitected.github.com/library/application-security/) 48 | -------------------------------------------------------------------------------- /advanced-security-material.md: -------------------------------------------------------------------------------- 1 | #### Advanced Security Training: 2 | - [ ] https://github.com/ghas-bootcamp/ghas-bootcamp 3 | - This is a public template, so you can create this repository within your existing organization. Make sure it is private, so that you can enable secret scanning and code scanning in the repository settings. This assumes you have a GitHub Advanced Security license. 4 | - You can fork this to your personal account, but secret scanning is automatically enabled for public repositories and as far as code scanning goes it can only be enabled on public user-owned repositories. 
5 | 6 | #### Universe 2020 Workshops: 7 | - [ ] https://github.com/githubuniverseworkshops/workshop-automate-your-workflow 8 | - [ ] https://github.com/githubuniverseworkshops/devsecops-automation-with-ghas 9 | - [ ] https://github.com/githubuniverseworkshops/codeql 10 | 11 | #### Satellite 2020 CodeQL Workshops: 12 | - [ ] Java: https://www.youtube.com/watch?v=nvCd0Ee4FgE 13 | - [ ] Javascript: https://www.youtube.com/watch?v=pYzfGaLTqC0 14 | 15 | #### CodeQL Resources: 16 | - [ ] QL Tutorials: https://codeql.github.com/docs/writing-codeql-queries/ql-tutorials/ 17 | - [ ] CodeQL for VS Code: https://codeql.github.com/docs/codeql-for-visual-studio-code/ 18 | - [ ] VS Code starter workspace to use with the CodeQL VS extension: https://github.com/github/vscode-codeql-starter 19 | - [ ] CodeQL CTF: https://securitylab.github.com/ctf 20 | - [ ] Read about contributing to CodeQL Queries: https://github.com/github/codeql/blob/main/CONTRIBUTING.md 21 | 22 | #### Review Documentation: 23 | - [ ] [Actions](https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions) 24 | - [ ] https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/introduction-to-github-actions 25 | - [ ] https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet 26 | - [ ] [About Code Scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) 27 | - [ ] [CodeQL CLI Binaries](https://github.com/github/codeql-cli-binaries/releases) 28 | - [ ] [Getting started with CodeQL CLI](https://codeql.github.com/docs/codeql-cli/getting-started-with-the-codeql-cli/) 29 | - [ ] [Examples of using the CodeQL runner and CodeQL CLI](https://github.com/cmboling/ghas-test-workflows/tree/main/.github/workflows) 30 | - [ ] [Other CI/CD pipeline examples](https://github.com/kllund/sample-pipeline-files) 31 | - [ ] [About Secret 
Scanning](https://docs.github.com/en/github/administering-a-repository/about-secret-scanning) 32 | - [ ] [About Dependency Scanning](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies) 33 | - [ ] More on Code Scanning: 34 | - [ ] Configure code scanning: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning 35 | - [ ] Configuring builds for Compiled Languages: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-the-codeql-workflow-for-compiled-languages 36 | - [ ] Running additional queries: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#running-additional-queries 37 | - [ ] Built-in Queries: https://github.com/github/codeql, https://github.com/github/codeql-go 38 | - For example, js query suites: https://github.com/github/codeql/tree/master/javascript/ql/src/codeql-suites 39 | - [ ] Troubleshooting code scanning workflow: 40 | https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-the-codeql-workflow 41 | 42 | #### Using the CodeQL CLI in CI/CD: 43 | - [ ] How to use the CodeQL CLI: https://github.com/advanced-security/javascript-codeql-cli-test-workflow/blob/main/.github/workflows/codeql-analysis.yml 44 | - [ ] Example Azure workflows using CLI: https://github.com/cmboling/ghas-test-workflows/tree/main/.github/workflows/azure-workflows 45 | - [ ] Other Examples using CodeQL Runner/CLI: https://github.com/kllund/sample-pipeline-files 46 | - [ ] Jenkins + CodeQL CLI: https://github.com/kllund/sample-pipeline-files/blob/main/Jenkinsfile-template-with-codeql-cli-bundle 47 | 48 | #### OSS Issue Tracking 49 | - [ ] GitHub Code Scanning + Jira: 
https://github.com/github/ghas-jira-integration 50 | -------------------------------------------------------------------------------- /advanced-security/training-agenda.md: -------------------------------------------------------------------------------- 1 | We will go over the following topics: 2 | 3 | ### Agenda 4 | - [ ] Goals 5 | - [ ] Sources of Vulnerabilities 6 | - [ ] Application Security Scenarios 7 | - [ ] What is Advanced Security? 8 | - [ ] Current Capabilities 9 | - [ ] What is Secret Scanning? 10 | - [ ] What is Dependabot? 11 | - [ ] What is Code Scanning? 12 | - [ ] What is CodeQL? 13 | - [ ] Roadmap Items for Advanced Security 14 | - [ ] Questions? 15 | 16 | ##### Secret scanning exercises 17 | - [ ] Enabling secret scanning 18 | - [ ] Viewing and managing results 19 | - [ ] Excluding files from secret scanning 20 | - [ ] Custom patterns for secret scanning 21 | - [ ] Managing access to alerts 22 | 23 | ##### Dependabot exercises 24 | - [ ] Enabling Dependabot alerts 25 | - [ ] Reviewing the dependency graph 26 | - [ ] Viewing and managing results 27 | - [ ] Enabling Dependabot security updates 28 | - [ ] Configuring Dependabot security updates 29 | - [ ] Working with Dependency Review 30 | 31 | ##### Code scanning exercises 32 | - [ ] Enabling code scanning 33 | - [ ] Reviewing any failed analysis job 34 | - [ ] Using context and expressions to modify build 35 | - [ ] Reviewing and managing results 36 | - [ ] Triaging a result in a PR 37 | - [ ] Customizing CodeQL Configuration 38 | - [ ] Adding your own code scanning suite to exclude rules 39 | - Briefly demoed in another repository 40 | - [ ] Understanding how to add a custom query 41 | - Briefly demoed in another repository 42 | 43 | ### Other information 44 | Link to demo repository: https://github.com/ghas-bootcamp/ghas-bootcamp 45 | 46 | -------------------------------------------------------------------------------- 
/code-scanning-guides/integrations/code-scanning-third-party-integrations.md: -------------------------------------------------------------------------------- 1 | 2 | # Code Scanning 3rd Party Integrations List 3 | 8 | 9 | ## Public Projects 10 | 11 | | Name | Technologies | Tools | 12 | | :------------------------------------------------------------------------------------------------- | :------------------ | :------------------------------ | 13 | | [Android (AndroGoat)](https://github.com/octodemo/advance-security-mobile-android/) | `Kotlin` | `MobSF` | 14 | | [iOS (OWASP/iGoat-Swift)](https://github.com/octodemo/advance-security-mobile-ios) | `Swift` | `MobSF` | 15 | | [JavaScript (bkimminich/juice-shop)](https://github.com/bkimminich/juice-shop) | `JavaScript` | `CodeQL` | 16 | | [PHP (OWASP/OWASPWebGoatPHP)](https://github.com/octodemo/advance-security-php) | `PHP`, `JavaScript` | `CodeQL`, `SL Scan (ShiftLeft)` | 17 | | [IaC / Terraform (bridgecrewio/terragoat)](https://github.com/octodemo/advance-security-terraform) | `Terraform` | `Bridgecrew (Checkov)`, `TFSec` | 18 | 19 | 20 | 21 | 24 | 25 | ## Code Scanning - Languages 26 | 27 | ### ABAP 28 | 29 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 30 | - Commercial Requirement for Private Repositories 31 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 32 | - Commercial Requirement for Private Repositories 33 | 34 | ### ASP 35 | 36 | - [Checkmarx](https://checkmarx.com) 37 | - Commercial Requirement for Private Repositories 38 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 39 | - Commercial Requirement for Private Repositories 40 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 41 | - Commercial Requirement for Private Repositories 42 | - [Veracode](https://veracode.com/) 43 | - Commercial 
Requirement for Private Repositories 44 | 45 | ### ASP.NET 46 | 47 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 48 | - Commercial Requirement for Private Repositories 49 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 50 | - Commercial Requirement for Private Repositories 51 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 52 | - Commercial Requirement for Private Repositories 53 | - [Veracode](https://veracode.com/) 54 | - Commercial Requirement for Private Repositories 55 | 56 | ### ActionScript 57 | 58 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 59 | - Commercial Requirement for Private Repositories 60 | 61 | ### Apache Velocity 62 | 63 | - [PMD](https://github.com/pmd/pmd) 64 | - [ShiftLeft Security Scan](https://github.com/ShiftLeftSecurity/scan-action) by ShiftLeft 65 | - [Open Source Tool Aggregator](https://github.com/ShiftLeftSecurity/sast-scan#bundled-tools) 66 | - [Workflow Example](https://github.com/octodemo/advance-security-php/blob/main/.github/workflows/shiftleft-analysis.yml) 67 | 68 | ### Apex 69 | 70 | - [Checkmarx](https://checkmarx.com) 71 | - Commercial Requirement for Private Repositories 72 | - [Clayton](https://www.getclayton.com/) 73 | - [Github App CodeScanning Integration](https://help.clayton.io/en/articles/4261768-clayton-github-application) 74 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 75 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 76 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 77 | - Commercial Requirement for Private Repositories 78 | - [CodeScan](https://github.com/codescan-io/codescan-scanner-action) 79 | - Commercial Requirement 
for Private Repositories 80 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 81 | - Commercial Requirement for Private Repositories 82 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 83 | - Commercial Requirement for Private Repositories 84 | - [PMD](https://github.com/pmd/pmd) 85 | - [Apex Example](https://github.com/Moose0621/apex-recipes/blob/main/.github/workflows/pmd-apex.yml) 86 | - [ShiftLeft Security Scan](https://github.com/ShiftLeftSecurity/scan-action) by ShiftLeft 87 | - [Open Source Tool Aggregator](https://github.com/ShiftLeftSecurity/sast-scan#bundled-tools) 88 | - [Workflow Example](https://github.com/octodemo/advance-security-php/blob/main/.github/workflows/shiftleft-analysis.yml) 89 | - [Veracode](https://veracode.com/) 90 | - Commercial Requirement for Private Repositories 91 | 92 | ### Bash 93 | 94 | - [ShiftLeft Security Scan](https://github.com/ShiftLeftSecurity/scan-action) by ShiftLeft 95 | - [Open Source Tool Aggregator](https://github.com/ShiftLeftSecurity/sast-scan#bundled-tools) 96 | - [Workflow Example](https://github.com/octodemo/advance-security-php/blob/main/.github/workflows/shiftleft-analysis.yml) 97 | 98 | ### C 99 | 100 | - [Checkmarx](https://checkmarx.com) 101 | - Commercial Requirement for Private Repositories 102 | - [Clang Analyzer](https://clang-analyzer.llvm.org/) 103 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 104 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 105 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 106 | - Commercial Requirement for Private Repositories 107 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 108 | - Commercial Requirement for Private Repositories 109 | - 
[DevSkim](https://github.com/microsoft/DevSkim) by Microsoft 110 | - [Flawfinder](https://github.com/david-a-wheeler/flawfinder) 111 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 112 | - Commercial Requirement for Private Repositories 113 | - [PREfast](https://docs.microsoft.com/en-us/cpp/build/reference/analyze-code-analysis?view=msvc-160) by Microsoft 114 | - Code Quality tool, not security focused 115 | - [Veracode](https://veracode.com/) 116 | - Commercial Requirement for Private Repositories 117 | 118 | ### CPP 119 | 120 | - [Checkmarx](https://checkmarx.com) 121 | - Commercial Requirement for Private Repositories 122 | - [Clang Analyzer](https://clang-analyzer.llvm.org/) 123 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 124 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 125 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 126 | - Commercial Requirement for Private Repositories 127 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 128 | - Commercial Requirement for Private Repositories 129 | - [DevSkim](https://github.com/microsoft/DevSkim) by Microsoft 130 | - [Flawfinder](https://github.com/david-a-wheeler/flawfinder) 131 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 132 | - Commercial Requirement for Private Repositories 133 | - [PREfast](https://docs.microsoft.com/en-us/cpp/build/reference/analyze-code-analysis?view=msvc-160) by Microsoft 134 | - Code Quality tool, not security focused 135 | - [Veracode](https://veracode.com/) 136 | - Commercial Requirement for Private Repositories 137 | 138 | ### CSharp 139 | 140 | - [Checkmarx](https://checkmarx.com) 141 | - Commercial Requirement for Private Repositories 142 | - 
[Codacy](https://github.com/codacy/codacy-analysis-cli-action) 143 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 144 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 145 | - Commercial Requirement for Private Repositories 146 | - [SecurityCodeScan](https://security-code-scan.github.io/) 147 | - [Workflow Example](https://github.com/marketplace/actions/securitycodescan) 148 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 149 | - Commercial Requirement for Private Repositories 150 | - [DevSkim](https://github.com/microsoft/DevSkim) by Microsoft 151 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 152 | - Commercial Requirement for Private Repositories 153 | - [Puma Scan | Server Edition](https://pumasecurity.io/server-edition/) by Puma Security 154 | - Commercial Requirement ([workflow example](https://github.com/pumasecurity/puma-prey/blob/6f87f3022c6976ede4145e0eccd830bfb3f4688f/.github/workflows/main.yaml#L45C1-L57C47)) 155 | - [Roslyn](https://github.com/dotnet/roslyn-analyzers) by Microsoft 156 | - [Veracode](https://veracode.com/) 157 | - Commercial Requirement for Private Repositories 158 | 159 | ### CUDA 160 | 161 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 162 | - Commercial Requirement for Private Repositories 163 | 164 | ### Classic 165 | 166 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 167 | - Commercial Requirement for Private Repositories 168 | 169 | ### Cobol 170 | 171 | - [Checkmarx](https://checkmarx.com) 172 | - Commercial Requirement for Private Repositories 173 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 174 | - Commercial 
Requirement for Private Repositories 175 | - [DevSkim](https://github.com/microsoft/DevSkim) by Microsoft 176 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 177 | - Commercial Requirement for Private Repositories 178 | - [Veracode](https://veracode.com/) 179 | - Commercial Requirement for Private Repositories 180 | 181 | ### CoffeeScript 182 | 183 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 184 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 185 | 186 | ### ColdFusion 187 | 188 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 189 | - Commercial Requirement for Private Repositories 190 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 191 | - Commercial Requirement for Private Repositories 192 | - [Veracode](https://veracode.com/) 193 | - Commercial Requirement for Private Repositories 194 | 195 | ### Crystal 196 | 197 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 198 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 199 | 200 | ### DART 201 | - [Dart/Flutter analyzer to SARIF](https://github.com/advanced-security/dart-analyzer-sarif) 202 | - [Horusec Dart | Horusec](https://docs.horusec.io/docs/cli/analysis-tools/open-source-horusec-engine/horusec-dart/) 203 | - GitHub Action ([Installation | Horusec](https://docs.horusec.io/docs/cli/installation/#github-actions)) 204 | - [Workflow Sample](https://github.com/octodemo/flutter-samples/blob/main/.github/workflows/horusec.yml) 205 | 206 | ### Elixir 207 | - [credo](https://github.com/rrrene/credo) 208 | - available as a [starter-workflow](https://github.com/actions/starter-workflows/blob/main/code-scanning/credo.yml) 209 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 210 | 
- [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 211 | - [Sobelow](https://github.com/marketplace/actions/sobelow) - Pheonix Framework but has unofficial partial support for Elixir ( warns that router isnt detected) 212 | 213 | ### Fortran 214 | 215 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 216 | - Commercial Requirement for Private Repositories 217 | 218 | ### Go 219 | 220 | - [Checkmarx](https://checkmarx.com) 221 | - Commercial Requirement for Private Repositories 222 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 223 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 224 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 225 | - Commercial Requirement for Private Repositories 226 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 227 | - Commercial Requirement for Private Repositories 228 | - [DevSkim](https://github.com/microsoft/DevSkim) by Microsoft 229 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 230 | - Commercial Requirement for Private Repositories 231 | - [GoSec](https://github.com/securego/gosec) 232 | - [Semgrep](https://semgrep.dev/) 233 | - Commercial Requirement for Private Repositories 234 | - [ShiftLeft Security Scan](https://github.com/ShiftLeftSecurity/scan-action) by ShiftLeft 235 | - [Open Source Tool Aggregator](https://github.com/ShiftLeftSecurity/sast-scan#bundled-tools) 236 | - [Workflow Example](https://github.com/octodemo/advance-security-php/blob/main/.github/workflows/shiftleft-analysis.yml) 237 | - [Veracode](https://veracode.com/) 238 | - Commercial Requirement for Private Repositories 239 | 240 | ### Gosu 241 | 242 | - [CodeNarc](https://codenarc.org/) 243 | - 
validation [plugin for InsuranceSuite ](https://marketplace.guidewire.com/s/product/gosu-codenarc-validation-tool-for-insurancesuite-904/01t3n00000GfLP1AAN?language=en_US) + SARIF export is possible with [npm-groovy-lint](https://github.com/nvuillam/npm-groovy-lint) 244 | 245 | ### Groovy 246 | 247 | - [Checkmarx](https://checkmarx.com) 248 | - Commercial Requirement for Private Repositories 249 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 250 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 251 | - [CodeNarc](https://codenarc.org/) 252 | - security plugin + SARIF export is possible with npm-groovy-lint 253 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 254 | - Commercial Requirement for Private Repositories 255 | - [Veracode](https://veracode.com/) 256 | - Commercial Requirement for Private Repositories 257 | 258 | ### Ionic 259 | 260 | - [Veracode](https://veracode.com/) 261 | - Commercial Requirement for Private Repositories 262 | 263 | ### JSP 264 | 265 | - [Checkmarx](https://checkmarx.com) 266 | - Commercial Requirement for Private Repositories 267 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 268 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 269 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 270 | - Commercial Requirement for Private Repositories 271 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 272 | - Commercial Requirement for Private Repositories 273 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 274 | - Commercial Requirement for Private Repositories 275 | - [ShiftLeft Security Scan](https://github.com/ShiftLeftSecurity/scan-action) by ShiftLeft 276 | - [Open Source Tool 
Aggregator](https://github.com/ShiftLeftSecurity/sast-scan#bundled-tools) 277 | - [Workflow Example](https://github.com/octodemo/advance-security-php/blob/main/.github/workflows/shiftleft-analysis.yml) 278 | 279 | ### Java 280 | 281 | - [Checkmarx](https://checkmarx.com) 282 | - Commercial Requirement for Private Repositories 283 | - [Checkstyle](https://checkstyle.sourceforge.io/) 284 | - Code Quality tool, not security focused 285 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 286 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 287 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 288 | - Commercial Requirement for Private Repositories 289 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 290 | - Commercial Requirement for Private Repositories 291 | - [DevSkim](https://github.com/microsoft/DevSkim) by Microsoft 292 | - [SpotBugs with FindSecBugs](https://github.com/marketplace/actions/spotbugs-with-findsecbugs) 293 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 294 | - Commercial Requirement for Private Repositories 295 | - [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) 296 | - [PMD](https://github.com/pmd/pmd) 297 | - [Semgrep](https://semgrep.dev/) 298 | - Commercial Requirement for Private Repositories 299 | - [ShiftLeft Security Scan](https://github.com/ShiftLeftSecurity/scan-action) by ShiftLeft 300 | - [Open Source Tool Aggregator](https://github.com/ShiftLeftSecurity/sast-scan#bundled-tools) 301 | - [Workflow Example](https://github.com/octodemo/advance-security-php/blob/main/.github/workflows/shiftleft-analysis.yml) 302 | - [SpotBugs](https://github.com/spotbugs/spotbugs) 303 | - [Veracode](https://veracode.com/) 304 | - Commercial Requirement for Private Repositories 305 | 306 | ### 
JavaScript 307 | 308 | - [Checkmarx](https://checkmarx.com) 309 | - Commercial Requirement for Private Repositories 310 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 311 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 312 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 313 | - Commercial Requirement for Private Repositories 314 | - [CodeScan](https://github.com/codescan-io/codescan-scanner-action) 315 | - Commercial Requirement for Private Repositories 316 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 317 | - Commercial Requirement for Private Repositories 318 | - [DevSkim](https://github.com/microsoft/DevSkim) by Microsoft 319 | - [ESLint (OSSAR)](https://github.com/github/ossar-action) 320 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 321 | - Commercial Requirement for Private Repositories 322 | - [njsscan](https://github.com/ajinabraham/njsscan) 323 | - [PMD](https://github.com/pmd/pmd) 324 | - [Semgrep](https://semgrep.dev/) 325 | - Commercial Requirement for Private Repositories 326 | - [ShiftLeft Security Scan](https://github.com/ShiftLeftSecurity/scan-action) by ShiftLeft 327 | - [Open Source Tool Aggregator](https://github.com/ShiftLeftSecurity/sast-scan#bundled-tools) 328 | - [Workflow Example](https://github.com/octodemo/advance-security-php/blob/main/.github/workflows/shiftleft-analysis.yml) 329 | - [Veracode](https://veracode.com/) 330 | - Commercial Requirement for Private Repositories 331 | 332 | ### Kotlin 333 | 334 | - [Checkmarx](https://checkmarx.com) 335 | - Commercial Requirement for Private Repositories 336 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 337 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 338 | - 
[Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 339 | - Commercial Requirement for Private Repositories 340 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 341 | - Commercial Requirement for Private Repositories 342 | - [Detekt](https://github.com/detekt/detekt) 343 | - Code Quality tool, not security focused 344 | - [Kotlin Example](https://github.com/octodemo/KotlinGoat/blob/master/.github/workflows/detekt-analysis.yml) 345 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 346 | - Commercial Requirement for Private Repositories 347 | - [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) 348 | - [Veracode](https://veracode.com/) 349 | - Commercial Requirement for Private Repositories 350 | 351 | ### Less 352 | 353 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 354 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 355 | 356 | ### Lightning (Aura and LWC) 357 | 358 | - [CodeScan](https://github.com/codescan-io/codescan-scanner-action) 359 | - Commercial Requirement for Private Repositories 360 | 361 | ### MXML (Flex) 362 | 363 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 364 | - Commercial Requirement for Private Repositories 365 | 366 | ### Modelica 367 | 368 | - [PMD](https://github.com/pmd/pmd) 369 | 370 | ### Objective C 371 | 372 | - [Checkmarx](https://checkmarx.com) 373 | - Commercial Requirement for Private Repositories 374 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 375 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 376 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 377 | - Commercial 
Requirement for Private Repositories 378 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 379 | - Commercial Requirement for Private Repositories 380 | - [DevSkim](https://github.com/microsoft/DevSkim) by Microsoft 381 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 382 | - Commercial Requirement for Private Repositories 383 | - [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) 384 | 385 | ### PHP 386 | 387 | - [Checkmarx](https://checkmarx.com) 388 | - Commercial Requirement for Private Repositories 389 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 390 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 391 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 392 | - Commercial Requirement for Private Repositories 393 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 394 | - Commercial Requirement for Private Repositories 395 | - [DevSkim](https://github.com/microsoft/DevSkim) by Microsoft 396 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 397 | - Commercial Requirement for Private Repositories 398 | - [phpmd](https://github.com/actions/starter-workflows/blob/main/code-scanning/phpmd.yml) 399 | - [PHP Tool support](https://github.com/shivammathur/setup-php) 400 | - [psalm](https://github.com/psalm/psalm-github-security-scan) 401 | - [Php Example](https://github.com/psalm/psalm-github-security-scan#psalm-github-security-scan) 402 | - [ShiftLeft Security Scan](https://github.com/ShiftLeftSecurity/scan-action) by ShiftLeft 403 | - [Open Source Tool Aggregator](https://github.com/ShiftLeftSecurity/sast-scan#bundled-tools) 404 | - [Workflow 
Example](https://github.com/octodemo/advance-security-php/blob/main/.github/workflows/shiftleft-analysis.yml) 405 | - [Php Example](https://github.com/octodemo/advance-security-php) 406 | - [Veracode](https://veracode.com/) 407 | - Commercial Requirement for Private Repositories 408 | 409 | ### PL/SQL 410 | 411 | - [Checkmarx](https://checkmarx.com) 412 | - Commercial Requirement for Private Repositories 413 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 414 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 415 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 416 | - Commercial Requirement for Private Repositories 417 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 418 | - Commercial Requirement for Private Repositories 419 | - [PMD](https://github.com/pmd/pmd) 420 | - only looks for code quality and best practices issues and doesn't look for injection (the main security issue with stored procedures). 
421 | - [Pl/sql Example](https://github.com/Moose0621/sql-project/blob/master/.github/workflows/pmd-plsql.yml) 422 | - [ShiftLeft Security Scan](https://github.com/ShiftLeftSecurity/scan-action) by ShiftLeft 423 | - [Open Source Tool Aggregator](https://github.com/ShiftLeftSecurity/sast-scan#bundled-tools) 424 | - [Workflow Example](https://github.com/octodemo/advance-security-php/blob/main/.github/workflows/shiftleft-analysis.yml) 425 | - [Veracode](https://veracode.com/) 426 | - Commercial Requirement for Private Repositories 427 | 428 | ### Perl 429 | 430 | - [Checkmarx](https://checkmarx.com) 431 | - Commercial Requirement for Private Repositories 432 | - [Veracode](https://veracode.com/) 433 | - Commercial Requirement for Private Repositories 434 | 435 | ### PhoneGap/Cordova 436 | 437 | - [Veracode](https://veracode.com/) 438 | - Commercial Requirement for Private Repositories 439 | 440 | ### PostgreSQL 441 | 442 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 443 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 444 | 445 | ### PowerShell 446 | 447 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 448 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 449 | - [DevSkim](https://github.com/microsoft/DevSkim) by Microsoft 450 | - [PSScriptAnalyzer](https://github.com/PowerShell/PSScriptAnalyzer) 451 | - [Powershell Example](https://github.com/microsoft/psscriptanalyzer-action/blob/main/workflow.yml) 452 | 453 | ### Python 454 | 455 | - [Bandit](https://github.com/shundor/python-bandit-scan) 456 | - [Bandit (OSSAR)](https://github.com/github/ossar-action) 457 | - [Checkmarx](https://checkmarx.com) 458 | - Commercial Requirement for Private Repositories 459 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 460 | - [Open Source Tool 
Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 461 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 462 | - Commercial Requirement for Private Repositories 463 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 464 | - Commercial Requirement for Private Repositories 465 | - [DevSkim](https://github.com/microsoft/DevSkim) by Microsoft 466 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 467 | - Commercial Requirement for Private Repositories 468 | - [Python linting Code Scanning Action](https://github.com/marketplace/actions/python-lint-code-scanning-action) by GitHub Field Services 469 | - Wraps FOSS linters, type checkers 470 | - [Semgrep](https://semgrep.dev/) 471 | - Commercial Requirement for Private Repositories 472 | - [ShiftLeft Security Scan](https://github.com/ShiftLeftSecurity/scan-action) by ShiftLeft 473 | - [Open Source Tool Aggregator](https://github.com/ShiftLeftSecurity/sast-scan#bundled-tools) 474 | - [Workflow Example](https://github.com/octodemo/advance-security-php/blob/main/.github/workflows/shiftleft-analysis.yml) 475 | - [Veracode](https://veracode.com/) 476 | - Commercial Requirement for Private Repositories 477 | 478 | ### Ruby 479 | 480 | - [Checkmarx](https://checkmarx.com) 481 | - Commercial Requirement for Private Repositories 482 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 483 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 484 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 485 | - Commercial Requirement for Private Repositories 486 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 487 | - Commercial Requirement for Private Repositories 488 | 
- [DevSkim](https://github.com/microsoft/DevSkim) by Microsoft 489 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 490 | - Commercial Requirement for Private Repositories 491 | - [Rubocop](https://github.com/arthurnn/code-scanning-rubocop) 492 | - [Ruby Example](https://github.com/arthurnn/code-scanning-rubocop#action-installation) 493 | - [Semgrep](https://semgrep.dev/) 494 | - Commercial Requirement for Private Repositories 495 | - [Veracode](https://veracode.com/) 496 | - Commercial Requirement for Private Repositories 497 | 498 | ### Rust 499 | - [Clippy](https://github.com/rust-lang/rust-clippy) + [Clippy SARIF](https://github.com/psastras/sarif-rs/tree/main/clippy-sarif#example-1) 500 | - [DevSkim](https://github.com/microsoft/DevSkim) by Microsoft 501 | - [Semgrep](https://semgrep.dev/) 502 | - Commercial Requirement for Private Repositories 503 | 504 | ### SQL 505 | 506 | - [DevSkim](https://github.com/microsoft/DevSkim) by Microsoft 507 | 508 | ### Salesforce Metadata 509 | 510 | - [CodeScan](https://github.com/codescan-io/codescan-scanner-action) 511 | - Commercial Requirement for Private Repositories 512 | 513 | ### Scala 514 | 515 | - [Checkmarx](https://checkmarx.com) 516 | - Commercial Requirement for Private Repositories 517 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 518 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 519 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 520 | - Commercial Requirement for Private Repositories 521 | - [Semgrep](https://semgrep.dev/) 522 | - Commercial Requirement for Private Repositories 523 | - [SpotBugs with FindSecBugs](https://github.com/marketplace/actions/spotbugs-with-findsecbugs) 524 | - [Veracode](https://veracode.com/) 525 | - Commercial Requirement for Private Repositories 526 | 527 | ### Shell 528 
| 529 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 530 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 531 | 532 | ### Swift 533 | 534 | - [Checkmarx](https://checkmarx.com) 535 | - Commercial Requirement for Private Repositories 536 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 537 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 538 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 539 | - Commercial Requirement for Private Repositories 540 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 541 | - Commercial Requirement for Private Repositories 542 | - [DevSkim](https://github.com/microsoft/DevSkim) by Microsoft 543 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 544 | - Commercial Requirement for Private Repositories 545 | - [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) 546 | 547 | ### T-SQL 548 | 549 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 550 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 551 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 552 | - Commercial Requirement for Private Repositories 553 | - [Veracode](https://veracode.com/) 554 | - Commercial Requirement for Private Repositories 555 | 556 | ### Titanium 557 | 558 | - [Veracode](https://veracode.com/) 559 | - Commercial Requirement for Private Repositories 560 | 561 | ### TypeScript 562 | 563 | - [Checkmarx](https://checkmarx.com) 564 | - Commercial Requirement for Private Repositories 565 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 566 | - [Open Source Tool 
Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 567 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 568 | - Commercial Requirement for Private Repositories 569 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 570 | - Commercial Requirement for Private Repositories 571 | - [DevSkim](https://github.com/microsoft/DevSkim) by Microsoft 572 | - [Semgrep](https://semgrep.dev/) 573 | - Commercial Requirement for Private Repositories 574 | - [Veracode](https://veracode.com/) 575 | - Commercial Requirement for Private Repositories 576 | 577 | ### VB.NET 578 | 579 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 580 | - Commercial Requirement for Private Repositories 581 | - [SecurityCodeScan](https://security-code-scan.github.io/) 582 | - [Workflow Example](https://github.com/marketplace/actions/securitycodescan) 583 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 584 | - Commercial Requirement for Private Repositories 585 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 586 | - Commercial Requirement for Private Repositories 587 | - [Veracode](https://veracode.com/) 588 | - Commercial Requirement for Private Repositories 589 | 590 | ### VBScript 591 | 592 | - [Checkmarx](https://checkmarx.com) 593 | - Commercial Requirement for Private Repositories 594 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 595 | - Commercial Requirement for Private Repositories 596 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 597 | - Commercial Requirement for Private Repositories 598 | 599 | ### Velocity 600 | 601 | - 
[Codacy](https://github.com/codacy/codacy-analysis-cli-action) 602 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 603 | 604 | ### Visual Basic 605 | 606 | - [Checkmarx](https://checkmarx.com) 607 | - Commercial Requirement for Private Repositories 608 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 609 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 610 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 611 | - Commercial Requirement for Private Repositories 612 | - [DevSkim](https://github.com/microsoft/DevSkim) by Microsoft 613 | - [Fortify](https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer) by Micro Focus 614 | - Commercial Requirement for Private Repositories 615 | - [Roslyn](https://github.com/dotnet/roslyn-analyzers) by Microsoft 616 | - [Veracode](https://veracode.com/) 617 | - Commercial Requirement for Private Repositories 618 | 619 | ### Visualforce 620 | 621 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 622 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 623 | - [CodeScan](https://github.com/codescan-io/codescan-scanner-action) 624 | - Commercial Requirement for Private Repositories 625 | - [PMD](https://github.com/pmd/pmd) 626 | - [ShiftLeft Security Scan](https://github.com/ShiftLeftSecurity/scan-action) by ShiftLeft 627 | - [Open Source Tool Aggregator](https://github.com/ShiftLeftSecurity/sast-scan#bundled-tools) 628 | - [Workflow Example](https://github.com/octodemo/advance-security-php/blob/main/.github/workflows/shiftleft-analysis.yml) 629 | 630 | ### Xamarin 631 | 632 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 633 | - Commercial Requirement for Private Repositories 634 | - [Veracode](https://veracode.com/) 635 | - 
Commercial Requirement for Private Repositories 636 | 637 | 638 | ## Code Scanning - Technologies 639 | 640 | 641 | ### Ansible 642 | 643 | - [KICS](https://github.com/Checkmarx/kics) by Checkmarx 644 | - [ShiftLeft Security Scan](https://github.com/ShiftLeftSecurity/scan-action) by ShiftLeft 645 | - [Open Source Tool Aggregator](https://github.com/ShiftLeftSecurity/sast-scan#bundled-tools) 646 | - [Workflow Example](https://github.com/octodemo/advance-security-php/blob/main/.github/workflows/shiftleft-analysis.yml) 647 | 648 | ### Azure Resource Manager Templates 649 | 650 | - [Bridgecrew (Checkov)](https://github.com/bridgecrewio/checkov) by Bridgecrew 651 | - Commercial Requirement for Private Repositories 652 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 653 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 654 | 655 | ### Binaries Analysis 656 | 657 | - [BinSkim (OSSAR)](https://github.com/github/ossar-action) 658 | 659 | ### CloudFormation 660 | 661 | - [Bridgecrew (Checkov)](https://github.com/bridgecrewio/checkov) by Bridgecrew 662 | - Commercial Requirement for Private Repositories 663 | - [cfn-lint](https://github.com/aws-cloudformation/cfn-lint) 664 | - [cfn-nag](https://github.com/stelligent/cfn_nag) 665 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 666 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 667 | - [KICS](https://github.com/Checkmarx/kics) by Checkmarx 668 | - [Prisma Cloud IaC Scan](https://github.com/prisma-cloud-shiftleft/iac-scan-action) by Palo Alto Prisma Cloud 669 | - Commercial Requirement for Private Repositories 670 | 671 | ### Docker 672 | 673 | - [Anchore](https://github.com/anchore/scan-action) 674 | - [Bridgecrew (Checkov)](https://github.com/bridgecrewio/checkov) by Bridgecrew 675 | - Commercial Requirement for Private Repositories 676 | - 
[Codacy](https://github.com/codacy/codacy-analysis-cli-action) 677 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 678 | - [KICS](https://github.com/Checkmarx/kics) by Checkmarx 679 | - [Snyk Container](https://github.com/snyk/actions/tree/master/docker) by Snyk 680 | - Commercial Requirement for Private Repositories 681 | - [Trivy](https://github.com/aquasecurity/trivy-action) by Aqua Security 682 | 683 | ### Dynamic Analysis 684 | 685 | - [OWASP Zap](https://owasp.org/www-project-zap/) 686 | - [Workflow Example](https://github.com/octodemo/dast-test/blob/main/.github/workflows/zap.yml) 687 | - [OWASP ZAP to GHAS](https://github.com/marketplace/actions/sebass-van-boxel) (OSS!) 688 | - [StackHawk HawkScan](https://docs.stackhawk.com/hawkscan/) by StackHawk 689 | - Commercial Requirement for Private Repositories 690 | - [SOOS](https://github.com/marketplace/actions/soos-dast) 691 | 692 | ### Kubernetes 693 | 694 | - [Accurics](https://github.com/accurics/accurics-action) 695 | - Commercial Requirement for Private Repositories 696 | - [Bridgecrew (Checkov)](https://github.com/bridgecrewio/checkov) by Bridgecrew 697 | - Commercial Requirement for Private Repositories 698 | - [Codacy](https://github.com/codacy/codacy-analysis-cli-action) 699 | - [Open Source Tool Aggregator](https://docs.codacy.com/getting-started/supported-languages-and-tools/) 700 | - [KICS](https://github.com/Checkmarx/kics) by Checkmarx 701 | - [Kubesec](https://github.com/marketplace/actions/controlplane-kubesec) by ControlPlane 702 | - [Prisma Cloud IaC Scan](https://github.com/prisma-cloud-shiftleft/iac-scan-action) by Palo Alto Prisma Cloud 703 | - Commercial Requirement for Private Repositories 704 | - [ShiftLeft Security Scan](https://github.com/ShiftLeftSecurity/scan-action) by ShiftLeft 705 | - [Open Source Tool Aggregator](https://github.com/ShiftLeftSecurity/sast-scan#bundled-tools) 706 | - [Workflow 
Example](https://github.com/octodemo/advance-security-php/blob/main/.github/workflows/shiftleft-analysis.yml) 707 | - [Trivy](https://github.com/aquasecurity/trivy-action) by Aqua Security 708 | 709 | ### Mobile 710 | 711 | - [Checkmarx](https://checkmarx.com) 712 | - Commercial Requirement for Private Repositories 713 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) by Synopsys 714 | - Commercial Requirement for Private Repositories 715 | - [DefenseCode ThunderScan](https://www.defensecode.com/thunderscan-sast/) by DefenseCode 716 | - Commercial Requirement for Private Repositories 717 | - [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) 718 | - [Mobile-Ios Example](https://github.com/octodemo/advance-security-mobile-ios) 719 | - [Mobile-Android Example](https://github.com/octodemo/advance-security-mobile-android) 720 | - [NowSecure Mobile Scanning](https://github.com/marketplace/actions/nowsecure) 721 | - Commercial Requirement 722 | 723 | ### OpenAPI 724 | 725 | - [42Crunch API Security Audit](https://github.com/42Crunch/api-security-audit-action) by 42crunch 726 | 727 | ### Terraform 728 | 729 | - [Accurics](https://github.com/accurics/accurics-action) 730 | - Commercial Requirement for Private Repositories 731 | - [Bridgecrew (Checkov)](https://github.com/bridgecrewio/checkov) by Bridgecrew 732 | - Commercial Requirement for Private Repositories 733 | - [Terraform Example](https://github.com/octodemo/advance-security-terraform/blob/master/.github/workflows/bridgecrew-action.yml) 734 | - [CodeScan](https://github.com/codescan-io/codescan-scanner-action) 735 | - Commercial Requirement for Private Repositories 736 | - [KICS](https://github.com/Checkmarx/kics) by Checkmarx 737 | - [Kubesec](https://github.com/controlplaneio/kubesec-action) 738 | - [Terraform Example](https://github.com/controlplaneio/kubesec-action#using-kubesec-with-github-code-scanning) 739 | - [Prisma Cloud IaC 
Scan](https://github.com/prisma-cloud-shiftleft/iac-scan-action) by Palo Alto Prisma Cloud 740 | - Commercial Requirement for Private Repositories 741 | - [ShiftLeft Security Scan](https://github.com/ShiftLeftSecurity/scan-action) by ShiftLeft 742 | - [Open Source Tool Aggregator](https://github.com/ShiftLeftSecurity/sast-scan#bundled-tools) 743 | - [Workflow Example](https://github.com/octodemo/advance-security-php/blob/main/.github/workflows/shiftleft-analysis.yml) 744 | - [Snyk Infrastructure as Code](https://github.com/snyk/actions/tree/master/iac) by Snyk 745 | - Commercial Requirement for Private Repositories 746 | - [Trivy](https://github.com/aquasecurity/trivy-action) by Aqua Security 747 | - [TFSec](https://github.com/tfsec/tfsec) by Aqua Security (joined in July 2021) 748 | - [Workflow Example](https://github.com/tfsec/tfsec/blob/master/.github/workflows/tfsec.yml) 749 | - [Terraform Example](https://github.com/octodemo/advance-security-terraform/blob/master/.github/workflows/tfsec-action.yml) 750 | 751 | ### Windows Containers 752 | 753 | - [Anchore](https://github.com/anchore/scan-action) 754 | 755 | 756 | 757 | ## References 758 | -------------------------------------------------------------------------------- /code-scanning-guides/sandwich-tracing.md: -------------------------------------------------------------------------------- 1 | ### Getting started with CodeQL sandwich tracing 2 | 3 | Let's learn how to sandwich trace via the CodeQL CLI on our local machines. First let's download the CodeQL bundle! 
Head over here and download the appropriate bundle for your OS: https://github.com/github/codeql-action/releases
4 | Once it's downloaded, untar the content to a CodeQL home folder. You can add CodeQL to your path if you'd like:
5 |
6 | ```
7 | export PATH="/Documents/codeql-home/codeql:$PATH"
8 | ```
9 |
10 | Check to make sure you can use the CodeQL CLI:
11 |
12 | ```
13 | codeql --version
14 | ```
15 |
16 | Now we need to use the CodeQL CLI on an actual repository. Let's start here with our GHAS training material: https://github.com/ghas-bootcamp/ghas-bootcamp
17 | There are multiple languages in use here, so for the purposes of this tutorial let's scan the Go portions of the codebase. Make sure you have a supported version of Go: https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/
18 |
19 | Clone this repository and `cd` into it.
20 |
21 | The first thing we gotta do when it comes to sandwich tracing is to init the CodeQL tools and provide a skeleton of the CodeQL database content.
22 |
23 | ```
24 | codeql database init db-go --language=go --source-root . --begin-tracing
25 | ```
26 |
27 | The output of the command looks something like this:
28 |
29 | ```
30 | Resolving extractor go.
31 | Successfully loaded extractor Go (go) from /Documents/codeql-home/codeql/go.
32 | Created CodeQL database at /Documents/ghas-bootcamp/db-go.
33 | In order to initialise tracing, some environment variables need to be set in the shell your build will run in.
34 | A number of scripts to do this have been created in /Documents/ghas-bootcamp/db-go/temp/tracingEnvironment.
35 | Please run one of these scripts before invoking your build command.
36 |
37 | Based on your operating system, we recommend you run:
38 | source /Documents/ghas-bootcamp/db-go/temp/tracingEnvironment/start-tracing.sh
39 | ```
40 |
41 | As it suggests, let's source some environment variables!
42 |
43 | ```
44 | source /Documents/ghas-bootcamp/db-go/temp/tracingEnvironment/start-tracing.sh
45 | ```
46 |
47 | These environment variables are needed for tracing. The next thing we need to do is extract the Go source code. CodeQL has built-in tools to do this for you automatically via an `autobuild.sh` script. Let's use that here like so:
48 |
49 | ```
50 | /Documents/codeql-home/codeql/go/tools/autobuild.sh
51 | ```
52 |
53 |
54 | We're almost there to analyze land! The last thing we gotta do is wrap up the database with our finalize command:
55 |
56 | ```
57 | codeql database finalize db-go
58 | ```
59 |
60 | Within your CodeQL database directory (in this case `db-go`) you should notice a `db-go` directory which contains the db scheme and a `src.zip` which contains the source that was extracted.
61 |
62 | Now to analysis... let's reference our `db-go` and other parameters in the `analyze` command:
63 |
64 | ```
65 | codeql database analyze db-go go-security-and-quality.qls --format=sarif-latest --output=codeql-go-results.sarif
66 | ```
67 |
68 | There are three query suites we can choose from:
69 |
70 | - `$CODEQL_SUPPORT_LANGUAGE-code-scanning.qls`
71 | - `$CODEQL_SUPPORT_LANGUAGE-security-extended.qls`
72 | - `$CODEQL_SUPPORT_LANGUAGE-security-and-quality.qls`
73 |
74 | If you have the CodeQL bundle on your path, you can reference these query suites by their filenames. If you don't, you can use the full path to the query suite 🎉 The CodeQL bundle contains the cached queries, so the "compiling" process is pretty fast. You'll then notice the queries being evaluated, and then the results are written to the SARIF file.
75 |
76 | You can inspect the SARIF file and see if the results array is empty or non-empty.
77 |
78 | When you're ready to upload the SARIF to the proper repository, use this command with the proper values for each required parameter. Note that `--github-auth-stdin` takes no value: the token is piped in on standard input.
79 |
80 | ```
81 | echo "$GH_TOKEN" | codeql github upload-results --repository=$GITHUB_REPOSITORY --ref=$GITHUB_REF --commit=$GITHUB_SHA --sarif=codeql-go-results.sarif --github-auth-stdin
82 | ```
83 |
84 | ### Notes about sandwich tracing
85 |
86 | This is a _very simple_ example of how to sandwich trace; normally you wouldn't call out the `autobuild.sh` script for interpreted languages and Go. So when should you actually use sandwich tracing? Use it when:
87 | - [Autobuilding](https://codeql.github.com/docs/codeql-cli/creating-codeql-databases/#detecting-the-build-system) doesn't work on your codebase via the [first method of using the CLI](https://github.com/advanced-security/advanced-security-material/blob/main/code-scanning-guides/setup-codeql-cli.md)
88 | - You're not able to specify a [command line for the build](https://codeql.github.com/docs/codeql-cli/creating-codeql-databases/#specifying-build-commands).
89 |
--------------------------------------------------------------------------------
/code-scanning-guides/setup-codeql-cli.md:
--------------------------------------------------------------------------------
1 | ### Getting started with the CodeQL CLI
2 |
3 | When you want to generate a CodeQL database locally and run the pre-compiled queries against it, this is the way to go.
4 |
5 | First let's download the CodeQL bundle! Head over [here](https://github.com/github/codeql-action/releases) and download the appropriate bundle for your operating system.
6 | Once it's downloaded, untar the content to a CodeQL home folder. You can add CodeQL to your path if you'd like:
7 |
8 | ```
9 | export PATH="/Documents/codeql-home/codeql:$PATH"
10 | ```
11 |
12 | Check to make sure you can use the CodeQL CLI:
13 |
14 | ```
15 | codeql --version
16 | ```
17 |
18 | Now we need to use the CodeQL CLI on an actual repository.
Let's start here with our [GHAS training material](https://github.com/ghas-bootcamp/ghas-bootcamp).
19 | There are multiple languages in use here, so for the purposes of this tutorial let's scan the JavaScript portions of the codebase.
20 |
21 | Clone this repository and `cd` into it.
22 |
23 |
24 | ### codeql database create
25 |
26 | The first thing we gotta do when it comes to CodeQL analysis is to create a CodeQL database.
27 | For interpreted languages and Go, CodeQL uses an autobuild.sh script that extracts the source code and creates a snapshot database.
28 | For compiled languages, the source code has to be built so that CodeQL can trace the build and create a snapshot database from it.
29 | You can rely on the autobuild.sh script for that as well, or you can supply your own build instructions via the `--command` flag of the `codeql database create` command.
30 | Please review this [list](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/) of currently supported languages and frameworks.
31 |
32 |
33 | ```
34 | codeql database create db --language=javascript
35 | ```
36 |
37 | CodeQL will create the `db` directory and will choose the autobuild.sh script for the specified language in order to begin the extraction process.
38 | CodeQL will also finalize the database at the specified `db` directory. Within your CodeQL database directory (in this case `db`)
39 | you should notice a `db-javascript` directory which contains the db scheme and a `src.zip` which contains the source that was extracted.
40 |
41 | #### Optional: Importing the CodeQL database into Visual Studio Code
42 | You can take this database and import it into your Visual Studio Code workspace.
43 | To get started, go to this [repository](https://github.com/github/vscode-codeql-starter) and follow the instructions on how to set up the CodeQL starter workspace and install the CodeQL plugin.
44 | Once you have the CodeQL plugin installed, import the database you created in this step and try to run a JavaScript query against it.
45 |
46 |
47 | ### codeql database analyze
48 |
49 | Now that we have a database to work with, let's run some queries against it! We offer three types of CodeQL query suites:
50 |
51 | - `$CODEQL_SUPPORT_LANGUAGE-code-scanning.qls`
52 | - `$CODEQL_SUPPORT_LANGUAGE-security-extended.qls`
53 | - `$CODEQL_SUPPORT_LANGUAGE-security-and-quality.qls`
54 |
55 | If you have the CodeQL bundle on your path, you can reference these query suites by their filenames. If you don't, you can use the full path to the query suite.
56 | As mentioned in the beginning, the queries from the CodeQL bundle are pre-compiled.
57 | If you use a custom query suite, you will see CodeQL create a compiled query plan first.
58 |
59 | ```
60 | codeql database analyze db javascript-code-scanning.qls --format=sarif-latest --output=codeql-javascript-results.sarif
61 | ```
62 |
63 | You will see the queries being evaluated. When this process is done, a SARIF file should have been created. The SARIF contains the results from the analysis.
64 | If the results array is empty, no results were found. If you want to view the SARIF, you can use `jq` to parse through it, or you can use a SARIF viewer, such as this [one](https://marketplace.visualstudio.com/items?itemName=WDGIS.MicrosoftSarifViewer). Also, if you have the `vs-codeql-starter` [workspace](https://github.com/github/vscode-codeql-starter), you can run particular queries against an imported CodeQL database and see the analysis in the IDE.
65 |
66 | Here are some advanced things to note:
67 | - When dealing with multiple analyses for the same commit (whether you're analysing multiple languages or have parallelized builds for a monorepo), make sure to use the `--sarif-category` flag to categorize the analyses.
68 |   Failure to do so, in particular on a pull request, can cause confusion: Code Scanning may not be able to detect a baseline analysis to compare the PR results against.
69 | - Use this [endpoint](https://docs.github.com/en/rest/reference/code-scanning#list-code-scanning-analyses-for-a-repository) to list the CodeQL analyses of a repository, so that you can inspect the category for each analysis.
70 | - This is especially important for the next step.
71 |
72 | ### codeql github upload-results
73 |
74 | This step is typically used when you want to see the SARIF in the Code Scanning alerts UI: either to post results to the default branch of a repository for the first time (the baseline analysis), or to post them to a pull request and see the security alert annotations.
75 |
76 | Here are some advanced things to note:
77 | - When posting the analysis to the default branch for the first time, make sure you define a `--sarif-category`. That way the analyses for subsequent pull requests can share the same category value.
78 |   Exactly how you categorize depends on how you're running the builds (whether you've broken a monorepo down into separate analyses, or you have multiple scans because of multiple languages), but when you're just starting out,
79 |   make sure subsequent scans use the same category value, so that Code Scanning can easily figure out which baseline analysis to compare them against.
80 |
81 | The `--ref` and `--commit` flag combinations can be one of the following:
82 | - `refs/pull/<PR-NUMBER>/merge` + the pull request's MERGE commit
83 | - `refs/heads/<BRANCH>` + the branch's HEAD commit
84 | - To look up the merge commit of a pull request: `curl -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GH_TOKEN" https://api.github.com/repos/<OWNER>/<REPO>/pulls/<PR-NUMBER> | jq '.merge_commit_sha'`
85 | - The merge commit is a commit created so that PR checks can run; it doesn't exist in the actual source tree or in `git log`.
86 |
87 | ```
88 | echo "$GH_TOKEN" | codeql github upload-results --repository=$GITHUB_REPOSITORY --ref=$GITHUB_REF --commit=$GITHUB_SHA --sarif=codeql-javascript-results.sarif --github-auth-stdin
89 | ```
90 |
91 | After running this command, you should see results on the Code Scanning alerts page for the particular `ref`. If you posted the analysis for a pull request and there are any alerts, you should see a `Code scanning results` check too. (`--github-auth-stdin` takes no value; the token is piped in on standard input.)
92 |
93 | ### References:
94 | - https://codeql.github.com/docs/codeql-cli/manual/database-create/
95 | - https://codeql.github.com/docs/codeql-cli/manual/database-analyze/
96 | - https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/
97 | - https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#about-generating-code-scanning-results-with-codeql-cli
98 |
--------------------------------------------------------------------------------
/code-scanning-guides/synthetic-applications/README.md:
--------------------------------------------------------------------------------
1 | # Synthetic Applications
2 |
3 | ## What are Synthetic Applications?
4 |
5 | Synthetic applications are not real applications; they are built specifically to test and validate the functionality of a SAST solution.
6 | They are often used where real applications are not available or practical to use, such as in testing environments or for demonstration purposes.
7 |
8 | ## Enabling Additional Queries
9 |
10 | The quickest option to extend CodeQL for Synthetic Applications is to use [the GitHub SecurityLab query packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs).
11 |
12 | ### GitHub Actions
13 |
14 | 1. [Switch to "Advanced Setup"](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)
15 | 2. Update the `github/codeql-action/init` step with the following setting:
16 |
17 | ```yaml
18 | - name: Initialize CodeQL
19 |   uses: github/codeql-action/init@v3
20 |   with:
21 |     # ...
22 |     config-file: GitHubSecurityLab/CodeQL-Community-Packs/configs/synthetics.yml@main
23 | ```
24 |
25 | Once run, this will pull in additional queries and other configuration options for the application.
26 |
27 | ## List of Guides
28 |
29 | | Name | Link / Repository | Docs | Workflow |
30 | | -------------------- | ------------------------------------------------------------- | -------------------------- | ------------------------------- |
31 | | OWASP WebGoat (Java) | [GitHub Repository](https://github.com/WebGoat/WebGoat) | [Docs](./owasp-webgoat.md) | [Workflow](./owasp-webgoat.yml) |
32 | | Juice Shop | [GitHub Repository](https://github.com/juice-shop/juice-shop) | [Docs](./juice-shop.md) | [Workflow](./juice-shop.yml) |
33 |
--------------------------------------------------------------------------------
/code-scanning-guides/synthetic-applications/juice-shop.md:
--------------------------------------------------------------------------------
1 | # Juice Shop
2 |
3 | > OWASP Juice Shop is probably the most modern and sophisticated insecure web application!
4 | > It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools!
5 | > Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
6 |
7 | ## Workflow(s)
8 |
9 | [See full Actions workflow here](./juice-shop.yml)
10 |
11 | ## Guide
12 |
13 | Use the [GitHub SecurityLab synthetic application CodeQL Configuration file](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/blob/main/configs/synthetics.yml) to scan the Juice Shop application.
14 | This will do the following:
15 |
16 | 1. Enable additional queries to run
17 | 2. Enable Local Threat Models
18 |    - This will include the `local` and `responses` threat models for the application testing
19 | 3. Ignore common paths with tests, samples, etc.
20 |
--------------------------------------------------------------------------------
/code-scanning-guides/synthetic-applications/juice-shop.yml:
--------------------------------------------------------------------------------
1 | name: "CodeQL Advanced"
2 |
3 | on:
4 |   push:
5 |   pull_request:
6 |
7 | jobs:
8 |   analyze:
9 |     name: Analyze (${{ matrix.language }})
10 |     runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
11 |     permissions:
12 |       security-events: write
13 |       packages: read
14 |       actions: read
15 |       contents: read
16 |
17 |     strategy:
18 |       fail-fast: false
19 |       matrix:
20 |         include:
21 |         - language: actions
22 |           build-mode: none
23 |         - language: javascript-typescript
24 |           build-mode: none
25 |         - language: python
26 |           build-mode: none
27 |
28 |     steps:
29 |     - name: Checkout repository
30 |       uses: actions/checkout@v4
31 |
32 |     - name: Initialize CodeQL
33 |       uses: github/codeql-action/init@v3
34 |       with:
35 |         languages: ${{ matrix.language }}
36 |         build-mode: ${{ matrix.build-mode }}
37 |         config-file: GitHubSecurityLab/CodeQL-Community-Packs/configs/synthetics.yml@main
38 |
39 |     - name: Perform CodeQL Analysis
40 |       uses: github/codeql-action/analyze@v3
41 |       with:
42 |         category: "/language:${{matrix.language}}"
--------------------------------------------------------------------------------
/code-scanning-guides/synthetic-applications/owasp-webgoat.md:
--------------------------------------------------------------------------------
1 | # OWASP WebGoat
2 |
3 | [A full Actions workflow can be found here](./owasp-webgoat.yml)
4 |
5 | ## Common Issues
6 |
7 | Scanning OWASP WebGoat can have some issues right out of the box, where CodeQL might find very little or, worse, not find anything at all.
8 | This is due to the following:
9 |
10 | 1. WebGoat uses JDK 17
11 |    - The Action uses a different JDK by default. Use the `actions/setup-java` action.
12 | 2. Uses Project Lombok
13 |    - [Support added to CodeQL natively in v2.14.4](https://github.blog/changelog/2023-09-01-code-scanning-with-codeql-improves-support-for-java-codebases-that-use-project-lombok/)
14 | 3. Dependencies are not all present in the Dependency Graph
15 |    - Use the [Submission API](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api#using-pre-made-actions)
16 | 4. Vulnerabilities not detected.
17 |    - Enhance CodeQL with a custom configuration file that broadens the threat model and pulls in additional experimental, low-precision, and community packs/queries. Note that this may include alerts with elevated false positive rates due to lower precision.
18 |    - See: [Synthetics.yml](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/tree/main/configs#synthetics)
19 |    - The default threat model includes remote sources of untrusted data.
This config will also [expand the threat model to include local sources](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models): `threat-models: local`
20 |
--------------------------------------------------------------------------------
/code-scanning-guides/synthetic-applications/owasp-webgoat.yml:
--------------------------------------------------------------------------------
1 | name: "CodeQL"
2 |
3 | on:
4 |   push:
5 |     branches: [ main ]
6 |   pull_request:
7 |     # The branches below must be a subset of the branches above
8 |     branches: [ main ]
9 |   workflow_dispatch:
10 |
11 | permissions:
12 |   actions: read
13 |   contents: read
14 |   security-events: write
15 |
16 | jobs:
17 |   analyze:
18 |     name: Analyze
19 |     runs-on: ubuntu-latest
20 |
21 |     strategy:
22 |       fail-fast: false
23 |       matrix:
24 |         language: [ 'java', 'javascript' ]
25 |
26 |     steps:
27 |       - uses: actions/checkout@v4
28 |
29 |       # WebGoat requires Java/JDK 17
30 |       - name: Set up JDK 17
31 |         if: matrix.language == 'java'
32 |         uses: actions/setup-java@v4
33 |         with:
34 |           distribution: 'temurin'
35 |           java-version: 17
36 |           architecture: x64
37 |
38 |       - name: Initialize CodeQL
39 |         uses: github/codeql-action/init@v3
40 |         with:
41 |           languages: ${{ matrix.language }}
42 |           # [optional] enable extended queries
43 |           # queries: +security-extended,security-and-quality
44 |           # [optional] Field Config - standard packs, extensions, and extra packs
45 |           config-file: GitHubSecurityLab/CodeQL-Community-Packs/configs/synthetics.yml@main
46 |
47 |       - name: Autobuild
48 |         uses: github/codeql-action/autobuild@v3
49 |
50 |       # Run the Analysis
51 |       - name: Perform CodeQL Analysis
52 |         uses: github/codeql-action/analyze@v3
53 |
54 |       # Submit Maven Dependency Tree to GitHub
55 |       - name: Maven Dependency Tree Dependency Submission
56 |         if: matrix.language == 'java'
57 |         uses: advan
58 |
--------------------------------------------------------------------------------
/code-scanning-guides/uploading-pr-analysis.md:
--------------------------------------------------------------------------------
1 | ### Uploading SARIF from CodeQL Analysis via the CodeQL CLI to a GitHub Pull Request
2 |
3 | Example: https://github.com/advanced-security/potential-barnacle/pulls
4 |
5 | 0. Set `GH_TOKEN` to an access token, and set the other env vars, such as GITHUB_REPOSITORY, REF, etc.
6 |
7 | 1. Checkout the `cmboling-patch-2` branch
8 |
9 | 2. List the current analyses uploaded to the repository:
10 |
11 | ```
12 | curl -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GH_TOKEN" \
13 |   https://api.github.com/repos/advanced-security/potential-barnacle/code-scanning/analyses
14 | ```
15 |
16 | Example response:
17 |
18 | ```
19 | {
20 |   "ref": "refs/heads/main",
21 |   "commit_sha": "bcc382d080f404d1cabde26f065769a7d370613e",
22 |   "analysis_key": ".github/workflows/codeql-analysis.yml:analyze",
23 |   "environment": "{\"language\":\"go\"}",
24 |   "category": ".github/workflows/codeql-analysis.yml:analyze/language:go",
25 |   "error": "",
26 |   "created_at": "2021-10-04T23:57:52Z",
27 |   "results_count": 4,
28 |   "rules_count": 27,
29 |   "id": 13636724,
30 |   "url": "https://api.github.com/repos/advanced-security/potential-barnacle/code-scanning/analyses/13636724",
31 |   "sarif_id": "e1a0d738-256e-11ec-91ca-90948254c7ec",
32 |   "tool": {
33 |     "name": "CodeQL",
34 |     "guid": null,
35 |     "version": "2.6.2"
36 |   },
37 |   "deletable": true,
38 |   "warning": ""
39 | }
40 | ```
41 |
42 | 3. Create the CodeQL db:
43 |
44 | ```
45 | codeql database create db --language=go
46 | ```
47 |
48 | 4. Run the CodeQL analysis and set `--sarif-category` to the `category` value of the baseline analysis:
49 | ```
50 | codeql database analyze db go-security-and-quality.qls --format=sarif-latest --output=results3.sarif --sarif-category=".github/workflows/codeql-analysis.yml:analyze/language:go"
51 | ```
52 |
53 | 5. Get the merge commit sha and set the COMMIT_SHA env var (`jq -r` prints the raw string without quotes):
54 | ```
55 | COMMIT_SHA=$(curl -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GH_TOKEN" \
56 |   https://api.github.com/repos/advanced-security/potential-barnacle/pulls/2 | jq -r '.merge_commit_sha')
57 | ```
58 | 6. Upload the results (`--github-auth-stdin` takes no value; the token is piped in on standard input):
59 |
60 | ```
61 | echo "$GH_TOKEN" | codeql github upload-results \
62 |   --repository=advanced-security/potential-barnacle \
63 |   --ref=refs/pull/2/merge --sarif=results3.sarif \
64 |   --github-auth-stdin \
65 |   --commit=$COMMIT_SHA
66 | ```
67 |
68 | 7. List the analyses again:
69 |
70 | ```
71 | curl -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GH_TOKEN" \
72 |   https://api.github.com/repos/advanced-security/potential-barnacle/code-scanning/analyses
73 | ```
74 | Example response:
75 | ```
76 | [
77 |   {
78 |     "ref": "refs/pull/2/merge",
79 |     "commit_sha": "6632c624919fbc9c607cb442603d92800eaa4f50",
80 |     "analysis_key": "(default)",
81 |     "environment": "{}",
82 |     "category": ".github/workflows/codeql-analysis.yml:analyze/language:go",
83 |     "error": "",
84 |     "created_at": "2021-10-05T00:15:44Z",
85 |     "results_count": 6,
86 |     "rules_count": 48,
87 |     "id": 13637768,
88 |     "url": "https://api.github.com/repos/advanced-security/potential-barnacle/code-scanning/analyses/13637768",
89 |     "sarif_id": "61ac3952-2571-11ec-839e-a7ea85c88149",
90 |     "tool": {
91 |       "name": "CodeQL",
92 |       "guid": null,
93 |       "version": "2.6.2"
94 |     },
95 |     "deletable": true,
96 |     "warning": ""
97 |   },
98 |   {
99 |     "ref": "refs/pull/1/merge",
100 |     "commit_sha": "8f0b5d2dbe425849ba6a9553d1a37fb2c45f7c26",
101 |     "analysis_key": "(default)",
102 |     "environment": "{}",
103 |     "category": "",
104 |     "error": "",
105 |     "created_at": "2021-10-05T00:04:21Z",
106 |     "results_count": 7,
107 |     "rules_count": 48,
108 |     "id": 13637029,
109 |     "url": "https://api.github.com/repos/advanced-security/potential-barnacle/code-scanning/analyses/13637029",
110 |     "sarif_id": "caaef98c-256f-11ec-813f-0d31916b54b7",
111 |     "tool": {
112 |       "name": "CodeQL",
113 |       "guid": null,
114 |       "version": "2.6.2"
115 |     },
116 |     "deletable": true,
117 |     "warning": ""
118 |   },
119 |   {
120 |     "ref": "refs/heads/main",
121 |     "commit_sha": "bcc382d080f404d1cabde26f065769a7d370613e",
122 |     "analysis_key": ".github/workflows/codeql-analysis.yml:analyze",
123 |     "environment": "{\"language\":\"go\"}",
124 |     "category": ".github/workflows/codeql-analysis.yml:analyze/language:go",
125 |     "error": "",
126 |     "created_at": "2021-10-04T23:57:52Z",
127 |     "results_count": 4,
128 |     "rules_count": 27,
129 |     "id": 13636724,
130 |     "url": "https://api.github.com/repos/advanced-security/potential-barnacle/code-scanning/analyses/13636724",
131 |     "sarif_id": "e1a0d738-256e-11ec-91ca-90948254c7ec",
132 |     "tool": {
133 |       "name": "CodeQL",
134 |       "guid": null,
135 |       "version": "2.6.2"
136 |     },
137 |     "deletable": true,
138 |     "warning": ""
139 |   }
140 | ]
141 | ```
142 |
143 | You can see the categories match between the default branch and the second PR, whereas the [first PR](https://github.com/advanced-security/potential-barnacle/pull/1) has a blank category value, which is why Code Scanning can't "find" the baseline analysis to match with the analysis from the first PR.
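The comparison the paragraph above makes by eye (does the PR analysis carry the same `category` as the default-branch analysis?) can be scripted before you upload. The following Python is an added example, not code from this repository or from the CodeQL CLI. It assumes that `codeql database analyze --sarif-category` records the category in `runs[].automationDetails.id` (possibly with a trailing `/`) and that the analyses list is the JSON array the list-analyses endpoint returns; the sample SARIF and analyses list are constructed, modeled on the responses shown above.

```python
"""Pre-upload check: does this SARIF's category have a baseline on the default branch?

Added example, not part of the original guide or of the CodeQL CLI. It does in
Python what the curl/jq steps above do by hand: read the category that
`codeql database analyze --sarif-category` recorded in the SARIF, then look for
an analysis on the default branch with the same tool and category in the JSON
returned by the "list code scanning analyses" endpoint.
Assumption: CodeQL stores the category in runs[].automationDetails.id, possibly
with a trailing "/". All sample data below is constructed.
"""
import json

# Constructed SARIF fragment in the shape `codeql database analyze --format=sarif-latest` writes.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "CodeQL", "semanticVersion": "2.6.2"}},
            "automationDetails": {
                "id": ".github/workflows/codeql-analysis.yml:analyze/language:go/"
            },
            "results": [
                {"ruleId": "go/sql-injection", "level": "error"},
                {"ruleId": "go/sql-injection", "level": "error"},
                {"ruleId": "go/log-injection", "level": "warning"},
            ],
        }
    ],
}

# Constructed list in the shape of GET /repos/{owner}/{repo}/code-scanning/analyses,
# modeled on the example responses in this guide.
SAMPLE_ANALYSES = [
    {"id": 13637768, "ref": "refs/pull/2/merge", "created_at": "2021-10-05T00:15:44Z",
     "category": ".github/workflows/codeql-analysis.yml:analyze/language:go",
     "tool": {"name": "CodeQL"}},
    {"id": 13637029, "ref": "refs/pull/1/merge", "created_at": "2021-10-05T00:04:21Z",
     "category": "", "tool": {"name": "CodeQL"}},
    {"id": 13636724, "ref": "refs/heads/main", "created_at": "2021-10-04T23:57:52Z",
     "category": ".github/workflows/codeql-analysis.yml:analyze/language:go",
     "tool": {"name": "CodeQL"}},
]


def run_category(run):
    """Category of one SARIF run: automationDetails.id without its trailing '/', or None."""
    auto_id = run.get("automationDetails", {}).get("id")
    return auto_id.rstrip("/") if auto_id else None


def results_by_rule(run):
    """Count results per ruleId, so an empty or unexpectedly small results array stands out."""
    counts = {}
    for result in run.get("results", []):
        rule = result.get("ruleId", "<no ruleId>")
        counts[rule] = counts.get(rule, 0) + 1
    return counts


def find_baseline(analyses, category, tool="CodeQL", default_ref="refs/heads/main"):
    """Newest analysis on default_ref whose tool and category match, or None.

    A blank category never matches: that is exactly the situation in which
    Code Scanning cannot pair a PR analysis with its baseline.
    """
    if not category:
        return None
    matches = [a for a in analyses
               if a.get("ref") == default_ref
               and a.get("category", "") == category
               and a.get("tool", {}).get("name") == tool]
    return max(matches, key=lambda a: a.get("created_at", ""), default=None)


def check_upload(sarif, analyses, default_ref="refs/heads/main"):
    """One report entry per run: category, result counts and the matching baseline analysis id."""
    report = []
    for run in sarif.get("runs", []):
        category = run_category(run)
        tool = run.get("tool", {}).get("driver", {}).get("name", "CodeQL")
        baseline = find_baseline(analyses, category, tool=tool, default_ref=default_ref)
        report.append({
            "category": category,
            "results": results_by_rule(run),
            "baseline_id": baseline["id"] if baseline else None,
            "has_baseline": baseline is not None,
        })
    return report


if __name__ == "__main__":
    for entry in check_upload(SAMPLE_SARIF, SAMPLE_ANALYSES):
        print(json.dumps(entry, indent=2))
```

With real inputs, `json.load()` the `results3.sarif` file and the saved output of the list-analyses `curl`, then refuse to upload whenever `has_baseline` is false for a run: that is the situation the first PR above ended up in.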
144 |
--------------------------------------------------------------------------------
/code-scanning-scripts/README.md:
--------------------------------------------------------------------------------
1 | ### Code scanning scripts
2 |
3 |
4 | - [ ] [Code scanning bulk enable](https://github.com/mario-campos/gh-code-scanning)
5 | - [ ] [Run CodeQL analysis on a pull request](https://github.com/advanced-security/advanced-security-material/blob/main/code-scanning-scripts/run-pr-codeql-analysis.sh)
6 |
--------------------------------------------------------------------------------
/code-scanning-scripts/combine-n-databases.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
3 | # For n number of dirs, initialise each of them. In this example I have two dirs at the root:
4 | codeql database init dbs/db-js1 --language=javascript --source-root dir1 --overwrite
5 | codeql database init dbs/db-js2 --language=javascript --source-root dir2 --overwrite
6 |
7 | # After db skeletons are created, use the trace command to call out the extractor/add build instructions
8 | codeql database trace-command dbs/db-js1 -- /Users/cmboling/Projects/codeql-home/codeql-latest/javascript/tools/autobuild.sh
9 | codeql database trace-command dbs/db-js2 -- /Users/cmboling/Projects/codeql-home/codeql-latest/javascript/tools/autobuild.sh
10 |
11 | # Then import n unfinalized dbs into the target db (first argument is the target; both paths are under dbs/, matching the init step)
12 | codeql database import dbs/db-js1 dbs/db-js2
13 | codeql database finalize --finalize-dataset dbs/db-js1
14 |
15 | # Analyze target db as usual
16 | codeql database analyze dbs/db-js1 javascript-code-scanning.qls --format=sarif-latest --output=codeql-javascript-results.sarif
17 |
--------------------------------------------------------------------------------
/code-scanning-scripts/get-languages.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
3 | curl -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GH_TOKEN" \
4 |   https://api.github.com/repos/advanced-security/ghas-bootcamp-dryrun/languages | \
5 |   jq 'with_entries(select([.key] | inside(["Go", "Java", "JavaScript", "Python", "C++", "C#", "C", "TypeScript"])) | if .key == "C" then .key = "cpp" else . end | if .key == "C#" then .key = "csharp" else . end | if .key == "C++" then .key = "cpp" else . end | if .key == "Go" then .key = "go" else . end | if .key == "Java" then .key = "java" else . end | if .key == "JavaScript" then .key = "javascript" else . end | if .key == "Python" then .key = "python" else . end | if .key == "TypeScript" then .key = "typescript" else . end)' | jq "keys"
6 |
--------------------------------------------------------------------------------
/code-scanning-scripts/run-pr-codeql-analysis.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
3 | set -o errexit
4 | set -o noglob
5 | set -o nounset
6 | set -o pipefail
7 |
8 | GH_TOKEN=$1
9 | GH_ORG=advanced-security
10 | GH_REPO=potential-barnacle
11 | GH_PULL_REQUEST_NUMBER=3
12 | GH_REF=refs/pull/$GH_PULL_REQUEST_NUMBER/merge
13 |
14 | CODEQL_DATABASE=db
15 | CODEQL_LANGUAGE=go
16 | CODEQL_QUERY_SUITE=go-security-and-quality.qls
17 | CODEQL_SARIF_RESULTS=codeql-go-results.sarif
18 | CODEQL_SARIF_CATEGORY=.github/workflows/codeql-analysis.yml:analyze/language:go
19 |
20 | # run a single language analysis for a PR
21 |
22 | # get merge commit sha (jq -r prints the raw string without the surrounding quotes)
23 | GH_MERGE_COMMIT_SHA=$(curl -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GH_TOKEN" https://api.github.com/repos/$GH_ORG/$GH_REPO/pulls/$GH_PULL_REQUEST_NUMBER | jq -r '.merge_commit_sha')
24 |
25 | # check codeql --version
26 | codeql --version
27 |
28 | # codeql database create
29 | codeql database create $CODEQL_DATABASE --language=$CODEQL_LANGUAGE --overwrite
30 |
31 | # codeql database analyze
32 | codeql database analyze $CODEQL_DATABASE $CODEQL_QUERY_SUITE --output=$CODEQL_SARIF_RESULTS --sarif-category=$CODEQL_SARIF_CATEGORY --format=sarif-latest
33 |
34 | # codeql github upload-results (--github-auth-stdin takes no value: the token is read from standard input)
35 | echo "$GH_TOKEN" | codeql github upload-results --repository=$GH_ORG/$GH_REPO --ref=$GH_REF --sarif=$CODEQL_SARIF_RESULTS --github-auth-stdin --commit=$GH_MERGE_COMMIT_SHA
36 |
--------------------------------------------------------------------------------
/code-scanning-workflows/azure-pipeline-00.yml:
--------------------------------------------------------------------------------
1 | steps:
2 |   # Download the CodeQL CLI and query packs...
3 |   # Check out the repository ...
4 |
5 |   # Tasks prior to executing the build, e.g. restore NuGet dependencies...
6 |
7 |   # Initialize the CodeQL database.
8 |   # In this example, the CodeQL CLI has been downloaded and placed on the PATH.
9 |   # If no language is specified, a GitHub Apps or personal access token must be passed through stdin
10 |   # to autodetect the language.
11 |   - task: CmdLine@1
12 |     displayName: Initialize CodeQL database
13 |     inputs:
14 |       # Assumes the source code is checked out to the current working directory.
15 |       # Creates a database at `./db`
16 |       script: "codeql database init --language csharp --trace-process-level 3 --source-root . --begin-tracing db"
17 |
18 |   # Read the generated environment variables and values,
19 |   # and set them so they are available for subsequent commands
20 |   # in the build pipeline. This is done in PowerShell in this example.
21 |   - task: PowerShell@1
22 |     displayName: Set CodeQL environment variables
23 |     inputs:
24 |       targetType: inline
25 |       script: |
26 |         $json = Get-Content $(System.DefaultWorkingDirectory)/db/temp/tracingEnvironment/start-tracing.json | ConvertFrom-Json
27 |         $json.PSObject.Properties | ForEach-Object {
28 |             $template = "##vso[task.setvariable variable="
29 |             $template += $_.Name
30 |             $template += "]"
31 |             $template += $_.Value
32 |             echo "$template"
33 |         }
34 |
35 |   # Execute the pre-defined build step. Note the `msbuildArgs` variable.
36 |   - task: VSBuild@1
37 |     inputs:
38 |       solution: '**/*.sln'
39 |       # Disable MSBuild shared compilation for C# builds.
40 |       msbuildArgs: /p:OutDir=$(Build.ArtifactStagingDirectory) /p:UseSharedCompilation=false
41 |       platform: Any CPU
42 |       configuration: Release
43 |       # Execute a clean build, in order to remove any existing build artifacts prior to the build.
44 |       clean: True
45 |     displayName: Visual Studio Build
46 |
47 |   - task: CmdLine@2
48 |     displayName: Finalize CodeQL database
49 |     inputs:
50 |       script: 'codeql database finalize db'
51 |
52 |   # Other tasks go here,
53 |   # e.g. `codeql database analyze`
54 |   # and `codeql github upload-results` ...
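The PowerShell task above replays `start-tracing.json` as Azure `##vso[task.setvariable]` logging commands so that the build step runs under CodeQL's tracing variables. As an added example (not part of this repository and not CodeQL's own code), here is the same step in Python, which also emits the equivalent for GitHub Actions' `$GITHUB_ENV` file and for a POSIX shell with proper quoting. It assumes `start-tracing.json` is a flat JSON object mapping variable names to string values, which is what the PowerShell loop relies on; the sample JSON and its paths are constructed.

```python
"""Turn CodeQL's start-tracing.json into environment settings for a CI step.

Added example, not part of the original pipeline and not CodeQL's own code.
`codeql database init --begin-tracing` writes the variables the build must run
under into <db>/temp/tracingEnvironment/start-tracing.json; the PowerShell
task above replays them as ##vso[task.setvariable] lines. This does the same
from Python for Azure Pipelines and, additionally, for GitHub Actions
($GITHUB_ENV) and a POSIX shell (`eval "$(python this_script.py)"`).
Assumption: start-tracing.json is a flat JSON object of NAME -> value.
The sample below is constructed; the paths are placeholders.
"""
import json
import shlex

# Constructed sample in the shape described above. CODEQL_DIST and
# CODEQL_TRACER_CONFIGURATION are real variable names; the third one is made up
# to show how a value containing spaces and quotes is handled.
SAMPLE_START_TRACING_JSON = json.dumps({
    "CODEQL_DIST": "/opt/codeql",
    "CODEQL_TRACER_CONFIGURATION": "/work/db/working/tracing/compiler-tracing.spec",
    "EXAMPLE_OPTS_WITH_SPACES": "-Dtrace=true -Dname='x y'",
})


def load_tracing_env(text):
    """Parse the JSON and make sure every entry is a string-valued variable with a sane name."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("start-tracing.json must be a JSON object of NAME -> value")
    env = {}
    for name, value in data.items():
        if not name or not all(c.isalnum() or c == "_" for c in name):
            raise ValueError(f"unexpected variable name {name!r}")
        env[name] = str(value)
    return env


def to_vso_lines(env):
    """Azure Pipelines logging commands, one per variable, as the PowerShell task emits them."""
    return [f"##vso[task.setvariable variable={k}]{v}" for k, v in sorted(env.items())]


def to_github_env_lines(env):
    """Lines to append to $GITHUB_ENV; the heredoc form is needed for values containing newlines."""
    lines = []
    for k, v in sorted(env.items()):
        if "\n" in v:
            lines.append(f"{k}<<CODEQL_EOF\n{v}\nCODEQL_EOF")
        else:
            lines.append(f"{k}={v}")
    return lines


def to_shell_exports(env):
    """`export NAME=value` lines with shell quoting, safe to pass through `eval`."""
    return [f"export {k}={shlex.quote(v)}" for k, v in sorted(env.items())]


if __name__ == "__main__":
    tracing_env = load_tracing_env(SAMPLE_START_TRACING_JSON)
    print("\n".join(to_shell_exports(tracing_env)))
```

On a real pipeline, read the file the `init` step produced instead of the constructed sample, and write the resulting lines either to the task log (Azure) or to the path in `$GITHUB_ENV` (Actions); the quoting in `to_shell_exports` is what keeps a value with spaces from being split when the exports are `eval`ed.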
--------------------------------------------------------------------------------
/code-scanning-workflows/reusable_code_scanning-00.yml:
--------------------------------------------------------------------------------
```yaml
name: "Code Analysis"

# this workflow can be stored in a centralized repo and called externally
# jobs:
#   code_analysis:
#     uses: [REPO]/.github/workflows/code_analysis.yml@main

on:
  workflow_dispatch: #for testing
  workflow_call: #for composition

jobs:
  detect-lang:
    runs-on: ubuntu-latest
    outputs:
      linguist_languages: ${{ steps.linguist_languages.outputs.languages }}
      codeql_languages: ${{ steps.codeql_languages.outputs.languages }}
    # both steps call `gh api`, so the token is set for the whole job
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - id: linguist_languages
        run: echo "::set-output name=languages::$(gh api repos/${GITHUB_REPOSITORY}/languages)"
      - id: codeql_languages
        # builds the list of languages which are both present in the repo and supported by CodeQL
        # remove from the dictionary the languages that should not be considered (e.g. -[null, "go"])
        run: |
          echo "::set-output name=languages::$(gh api repos/${GITHUB_REPOSITORY}/languages -q '[
            {"C":"cpp", "C++":"cpp", "C#":"csharp", "Go":"go", "Java":"java", "JavaScript":"javascript",
             "TypeScript":"javascript", "Python":"python", "Ruby":"ruby"}[keys[]]] | unique -[null]')"

  codeql-analysis:
    needs: [detect-lang]
    # skip the analysis when the list of languages is empty
    if: needs.detect-lang.outputs.codeql_languages != '[]'
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: ${{ fromJSON(needs.detect-lang.outputs.codeql_languages) }}
        # optionally exclude languages
        exclude:
          - language: ruby

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: ${{ matrix.language }}

      # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
        uses: github/codeql-action/autobuild@v1

      # perform the analysis
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1

  tsqllint-analysis:
    name: Codacy Security Scan
    needs: [detect-lang]
    if: contains(needs.detect-lang.outputs.linguist_languages, '"TSQL"')
    runs-on: ubuntu-latest
    steps:
      # Checkout the repository to the GitHub Actions runner
      - name: Checkout code
        uses: actions/checkout@v2

      # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
      - name: Run Codacy Analysis CLI
        uses: codacy/codacy-analysis-cli-action@1.1.0
        with:
          tool: tsqllint
          verbose: true
          output: ${{ runner.temp }}/results.sarif
          format: sarif
          # Adjust severity of non-security issues
          gh-code-scanning-compat: true
          # Force 0 exit code to allow SARIF file generation
          # This hands control over PR rejection to the GitHub side
          max-allowed-issues: 2147483647

      # Codacy reports container-absolute paths; code scanning needs paths relative to the checkout
      - name: Rewrite Codacy SARIF urls to relative paths
        run: sed -i 's#"uri":"file:///codacy/#"uriBaseId":"%SRCROOT%","uri":"#g' ${{ runner.temp }}/results.sarif

      # Upload the SARIF file generated in the previous step
      - name: Upload SARIF results file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: ${{ runner.temp }}/results.sarif

      - uses: actions/upload-artifact@v2
        with:
          name: results.sarif
          path: ${{ runner.temp }}/results.sarif
```
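A JSON-aware version of the "Rewrite Codacy SARIF urls to relative paths" step above, as an added Python example that is not part of this workflow. It keeps the `file:///codacy/` prefix and the `%SRCROOT%` base id from the `sed` command, but walks the parsed SARIF tree instead of matching compact JSON text, so it also covers `relatedLocations`, `codeFlows` and the `artifacts` table, and leaves message text alone; the sample log is constructed.

```python
import json
from typing import Any, Optional, Tuple

# Values taken from the sed step above: Codacy reports paths from inside its container,
# and %SRCROOT% is the uriBaseId that code scanning resolves to the checkout root.
CODACY_PREFIX = "file:///codacy/"
SRCROOT = "%SRCROOT%"


def relativize_location(loc: dict) -> bool:
    """Rewrite one artifactLocation in place. Returns True if it was changed."""
    uri = loc.get("uri")
    if not isinstance(uri, str) or not uri.startswith(CODACY_PREFIX):
        return False
    loc["uri"] = uri[len(CODACY_PREFIX):]
    loc["uriBaseId"] = SRCROOT
    return True


def _walk(node: Any, parent_key: Optional[str]) -> int:
    """Visit the whole SARIF tree; returns how many locations were rewritten."""
    changed = 0
    if isinstance(node, dict):
        # artifactLocation objects live under physicalLocation (results, relatedLocations,
        # codeFlows); the artifacts table uses a "location" object that carries the uri directly.
        if parent_key in ("artifactLocation", "location") and "uri" in node:
            changed += int(relativize_location(node))
        for key, value in node.items():
            changed += _walk(value, key)
    elif isinstance(node, list):
        for item in node:
            changed += _walk(item, parent_key)
    return changed


def relativize_sarif(sarif: dict) -> int:
    """Rewrite every Codacy absolute URI in a parsed SARIF log; returns the count."""
    return _walk(sarif, None)


def relativize_sarif_text(text: str) -> Tuple[str, int]:
    """File-oriented wrapper: accepts SARIF text in any formatting, returns (new text, count)."""
    sarif = json.loads(text)
    count = relativize_sarif(sarif)
    return json.dumps(sarif, indent=2), count


# Constructed sample log (not real Codacy output). It is pretty-printed on purpose:
# the sed pattern "uri":"file:///codacy/ only matches compact JSON.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "tsqllint"}},
        "artifacts": [{"location": {"uri": "file:///codacy/sql/create_users.sql"}}],
        "results": [{
            "ruleId": "non-sargable",
            "message": {"text": "see file:///codacy/sql/create_users.sql"},  # must stay untouched
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "file:///codacy/sql/create_users.sql"},
                "region": {"startLine": 12}}}],
            "relatedLocations": [{"physicalLocation": {
                "artifactLocation": {"uri": "file:///codacy/sql/helpers.sql"}}}],
        }, {
            "ruleId": "already-relative",
            "message": {"text": "untouched"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "sql/other.sql", "uriBaseId": "%SRCROOT%"}}}],
        }],
    }],
}, indent=2)


def rewrite_sample() -> Tuple[dict, int]:
    """Run the rewrite over the constructed sample; returns (parsed result, rewrite count)."""
    text, count = relativize_sarif_text(SAMPLE_SARIF)
    return json.loads(text), count


if __name__ == "__main__":
    doc, n = rewrite_sample()
    print(f"rewrote {n} locations")
    print(json.dumps(doc, indent=2))
```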
```yaml
  # (continuation of the jobs: map above)
  #
  # Runs Rubocop for Ruby
  #
  rubocop-analysis:
    name: Rubocop Security Scan
    needs: [detect-lang]
    if: contains(needs.detect-lang.outputs.linguist_languages, '"Ruby"')
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      # If running on a self-hosted runner, check it meets the requirements
      # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
        run: gem install 'code-scanning-rubocop'
      - name: Rubocop run
        # rubocop exits 1 when it finds offenses and 2 on an error; only an error should fail
        # the step, so the SARIF is still uploaded when offenses exist. (Wrapping this in
        # bash -c "..." would expand $? in the outer shell before bash ever saw it.)
        run: |
          rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif || [ $? -ne 2 ]
      - name: Upload Sarif output
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: rubocop.sarif
```
--------------------------------------------------------------------------------
/codeql/JSP-scanning.md:
--------------------------------------------------------------------------------
JSP ([Jakarta Server Pages / Java Server Pages](https://en.wikipedia.org/wiki/Jakarta_Server_Pages)) is a Java server-side template rendering framework used heavily in the Java world.

CodeQL does not fully support JSP. That said, the CodeQL product team has added support that is currently in Beta behind a feature flag.
Because of this, the product team would love feedback from any customer that enables this feature.

This guide explains how to enable JSP support and where to provide feedback to the product team so that this new feature can be improved.

## Features / Limitations

The following features and limitations should be considered.

- We only support (intercept) the Jasper JSP compiler.
  - For other compilers, JSP files may not be extracted.
- Only JSP files actually configured to be pre-compiled as part of the build using Jasper will be extracted.
  - In the same way, we only extract Java files that are compiled as part of the build.
- Extraction can be slow if there are many JSP files, because the JSP pre-compilation compiles one file at a time.
  - You may see a pause in the build logs where the JSP pre-compilation happens.
- When viewing results, locations are mapped between raw JSP files and generated Java files.

## Enabling JSP Support

To enable JSP support, make sure you are using the latest version of the CodeQL CLI, or an up-to-date `github/codeql-action` when using Actions in the cloud.

### Step 0: Enabling for Actions

```yaml
env:
  CODEQL_EXTRACTOR_JAVA_JSP: true
# ...
jobs:
  analysis:
    # ...
    steps:
      # ...
      - name: Initialize CodeQL
        # init and analyze must come from the same major version of the action
        uses: github/codeql-action/init@v3
        with:
          languages: java
      # ...
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
```

### Step 0: Enabling for the CLI

```bash
export CODEQL_EXTRACTOR_JAVA_JSP=true
# ...
codeql database create \
  --language="java" \
  ./.codeql-db/codeql-java
# ...
```

### Step 1: Compiling JSP / JSTL

In many cases JSP is not pre-compiled by the Jasper compiler, so the build has to be made to run the compiler over the JSP templates and generate the Java code that CodeQL then extracts.

**Example using Maven:**

```xml
<plugins>
  <plugin>
    <groupId>io.leonard.maven.plugins</groupId>
    <artifactId>jspc-maven-plugin</artifactId>
    <version>3.3.4</version>
    <executions>
      <execution>
        <id>jspc</id>
        <goals>
          <goal>compile</goal>
        </goals>
        <configuration>
          <!-- the name of this option is not given on this page; the value shown was false.
               See the compile-mojo documentation linked under Resources for the option list. -->
          <OPTION_NAME>false</OPTION_NAME>
        </configuration>
      </execution>
    </executions>
  </plugin>
</plugins>
```

### Step 2: Configure Workflow

```yaml
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
  uses: github/codeql-action/init@v3
  with:
    languages: ${{ matrix.language }}
    # https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/tree/main/java/src/security/CWE-079
    queries: +githubsecuritylab/CodeQL-Community-Packs/java/src/security/CWE-079/XSSJSP.ql@main
    # [optional] Or add the Community Pack
    packs: githubsecuritylab/codeql-java-queries
# ...
- name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@v3
  with:
    # To help with mapping files
    # [note]: This will be deprecated in the future
    # https://github.com/github/codeql-action/blob/4c3e5362829f0b0bb62ff5f6c938d7f95574c306/analyze/action.yml#L33-L41
    add-snippets: true
```

**Resources:**

- https://leonardehrenfried.github.io/jspc-maven-plugin/compile-mojo.html
- https://stackoverflow.com/tags/jstl/info
- https://docs.spring.io/spring-framework/docs/3.2.x/spring-framework-reference/html/view.html
- https://stackoverflow.com/questions/13648357/the-formform-tag-declares-that-it-accepts-dynamic-attributes-but-does-not-imple
- https://stackoverflow.com/questions/4928271/how-to-install-jstl-the-absolute-uri-http-java-sun-com-jstl-core-cannot-be-r#answers

--------------------------------------------------------------------------------
/codeql/ast-graph-generation.md:
--------------------------------------------------------------------------------
### AST Graph Generation
Here are some examples of how to print out the AST:
- [AST for JavaScript](https://github.com/hohn/codeql-javascript)
- [AST for C++](https://github.com/hohn/codeql-cpp-ast)

--------------------------------------------------------------------------------
/codeql/uniform-setup-for-cli-and-vs-code.md:
--------------------------------------------------------------------------------
An example of setting up the CodeQL CLI, library and VS Code plugin together for version consistency can be found here: https://github.com/hohn/codeql-cli-vscode-setup

--------------------------------------------------------------------------------
/reporting/advanced-security-reporting.md:
--------------------------------------------------------------------------------
# Open Source Reporting Tools

- Dependabot
  - [ ] https://github.com/mr-sherman/get-dependency-alerts-in-org
  - [ ] https://github.com/tonycch/get-dependabot-alerts-sample
  - [ ] https://github.com/andyfeller/gh-dependency-report
  - [ ] https://github.com/thedave42/generate-dependencies-csv-action
- Code scanning
  - [ ] https://github.com/jhutchings1/get-code-scanning-alerts-in-org-sample
  - [ ] https://github.com/issc29/generate-vuln-report
  - [ ] https://github.com/marketplace/actions/get_code_scanning_result
  - [ ] https://github.com/marketplace/actions/github-advanced-security-api-to-csv
  - [ ] https://github.com/peter-murray/github-security-report-action
- Secret scanning
  - [ ] GHES 3.1+: https://github.com/cmboling/get-secret-scanning-alerts-in-org-sample/tree/ghes/base-url-included
  - [ ] dotcom/GHEC: https://github.com/cmboling/get-secret-scanning-alerts-in-org-sample
- Other
  - [ ] https://github.com/ThibaudLopez/GHAS
- SIEM integrations
  - [ ] https://github.blog/2022-10-13-introducing-github-advanced-security-siem-integrations-for-security-professionals/
  - [ ] https://github.blog/2023-03-10-introducing-github-vulnerability-management-integrations-for-security-professionals/
  - [ ] https://resources.github.com/security/integrating-github-advanced-security-with-third-party-platforms/

--------------------------------------------------------------------------------
/reporting/ghes-mysql-connect.md:
--------------------------------------------------------------------------------
### SQL queries for Advanced Security metrics
Normally you would use the APIs to get this data, use the Security Overview page to review the GHAS rollout, and/or use the webhooks to sync GHAS-related information to Slack or some centralised security platform.
If you're on GHES, you can get into the `ghe-dbconsole` and run some SQL queries to get pretty much the same data.

If at all possible, use the available APIs and webhooks to get this data. The method described here is reserved for users who have access to the `ghe-dbconsole` and intend to read information about the Advanced Security rollout.

The syntax to run this on the appliance is `echo '<your SQL query>;' | ghe-dbconsole -y`, OR run `ghe-dbconsole -y` and a `mysql` prompt will come up for you to run some queries.

--------------------------------------------------------------------------------
/reporting/issues_csv/README.md:
--------------------------------------------------------------------------------
A PowerShell script that fetches Code Scanning, Secret Scanning and Dependabot alerts for an organization and writes them to CSV files using `jq`.
It includes each repository's topics, which can be used for filtering and grouping the alerts.
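The transformation that `code_scanning.jq`, `dependabot.jq` and `reporting.ps1` in this directory perform, written out as an added Python example (not part of the repository) over constructed sample pages. The organization name `example-org` and all alert data are constructed; the example handles two edge cases worth checking in any export of this kind: a repository that is absent from the topics map, and GraphQL pages that carry several alerts, or none.

```python
import csv
import io
from typing import Dict, Iterable, List, Optional

# Same column order as the header rows in code_scanning.jq and dependabot.jq.
CODE_SCANNING_HEADER = ["repo", "severity", "created", "fixed", "dismissed",
                        "dismissed reason", "state", "url", "topics"]
DEPENDABOT_HEADER = ["repo", "package", "severity", "CVSS", "created", "fixed",
                     "dismissed", "dismissed reason", "state", "url", "topics"]


def topics_for(topics_map: Dict[str, Optional[List[str]]], repo: str) -> str:
    """Space-joined topics for a repo; "" when it is absent from the map or has none."""
    return " ".join(topics_map.get(repo) or [])


def code_scanning_rows(pages: Iterable[list], topics_map: Dict[str, Optional[List[str]]]) -> List[list]:
    """Header plus one row per alert across all REST pages (each page is a JSON array of alerts)."""
    rows: List[list] = [CODE_SCANNING_HEADER]
    for page in pages:
        for a in page:
            repo = a["repository"]["name"]
            rows.append([repo, a["rule"]["severity"], a["created_at"], a.get("fixed_at"),
                         a.get("dismissed_at"), a.get("dismissed_reason"), a["state"],
                         a["html_url"], topics_for(topics_map, repo)])
    return rows


def dependabot_rows(pages: Iterable[dict], org: str, topics_map: Dict[str, Optional[List[str]]]) -> List[list]:
    """Header plus one row per vulnerabilityAlerts edge across all GraphQL pages."""
    rows: List[list] = [DEPENDABOT_HEADER]
    for page in pages:
        alerts = page["data"]["repository"]["vulnerabilityAlerts"]
        for edge in alerts.get("edges") or []:  # a page may carry no edges at all
            n = edge["node"]
            repo = n["repository"]["name"]
            vuln = n["securityVulnerability"]
            rows.append([repo, vuln["package"]["name"], vuln["severity"],
                         vuln["advisory"]["cvss"]["score"], n["createdAt"], n.get("fixedAt"),
                         n.get("dismissedAt"), n.get("dismissReason"), n["state"],
                         f"https://github.com/{org}/{repo}/security/dependabot/{n['number']}",
                         topics_for(topics_map, repo)])
    return rows


def to_csv(rows: List[list]) -> str:
    """Serialise rows as CSV text; None becomes an empty field, as null does in jq's @csv."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


# Constructed sample data standing in for topics_map.json and the gh api responses.
SAMPLE_TOPICS = {"api": ["payments", "tier-1"], "docs": []}   # "legacy" is deliberately absent

SAMPLE_CODE_SCANNING_PAGES = [[
    {"repository": {"name": "api"}, "rule": {"severity": "error"}, "state": "open",
     "created_at": "2024-01-05T10:00:00Z", "fixed_at": None, "dismissed_at": None,
     "dismissed_reason": None,
     "html_url": "https://github.com/example-org/api/security/code-scanning/12"},
    {"repository": {"name": "legacy"}, "rule": {"severity": "warning"}, "state": "fixed",
     "created_at": "2023-11-20T08:30:00Z", "fixed_at": "2023-12-01T09:00:00Z",
     "dismissed_at": None, "dismissed_reason": None,
     "html_url": "https://github.com/example-org/legacy/security/code-scanning/3"},
]]


def _node(number: int, package: str, score: float) -> dict:
    """One constructed vulnerabilityAlerts node in the shape the GraphQL query returns."""
    return {"createdAt": "2024-02-01T12:00:00Z", "fixedAt": None, "dismissedAt": None,
            "dismissReason": None, "state": "OPEN", "number": number,
            "securityVulnerability": {"package": {"name": package}, "severity": "HIGH",
                                      "advisory": {"cvss": {"score": score}}},
            "repository": {"name": "api"}}


SAMPLE_DEPENDABOT_PAGES = [
    {"data": {"repository": {"vulnerabilityAlerts": {
        "edges": [{"node": _node(7, "lodash", 7.5)}, {"node": _node(8, "minimist", 8.1)}],
        "pageInfo": {"hasNextPage": True, "endCursor": "c1"}}}}},
    {"data": {"repository": {"vulnerabilityAlerts": {
        "edges": [], "pageInfo": {"hasNextPage": False, "endCursor": None}}}}},
]

if __name__ == "__main__":
    print(to_csv(code_scanning_rows(SAMPLE_CODE_SCANNING_PAGES, SAMPLE_TOPICS)))
    print(to_csv(dependabot_rows(SAMPLE_DEPENDABOT_PAGES, "example-org", SAMPLE_TOPICS)))
```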

--------------------------------------------------------------------------------
/reporting/issues_csv/code_scanning.jq:
--------------------------------------------------------------------------------
```jq
### the csv headers
["repo","severity","created","fixed","dismissed","dismissed reason","state","url","topics"],
(.[]|
### the json path; `// []` keeps join() from failing on a repo that has no entry in the topics map
[.repository.name,.rule.severity,.created_at,.fixed_at,.dismissed_at,.dismissed_reason,.state,.html_url,(($topics[][.repository.name] // [])|join(" "))]
) | @csv
```

--------------------------------------------------------------------------------
/reporting/issues_csv/dependabot.jq:
--------------------------------------------------------------------------------
```jq
### the csv headers
["repo","package","severity","CVSS","created","fixed","dismissed","dismissed reason","state","url","topics"],
### every edge of every page; edges[0] would keep only the first alert of each 100-alert page
(.[].data.repository.vulnerabilityAlerts.edges[].node | select(.!=null)|
### the json path
[.repository.name,
 .securityVulnerability.package.name,
 .securityVulnerability.severity,
 .securityVulnerability.advisory.cvss.score,
 .createdAt,
 .fixedAt,
 .dismissedAt,
 .dismissReason,
 .state,
 ### replace "beazley" with your organization (the value of $ORG in reporting.ps1)
 ("https://github.com/beazley/"+.repository.name+"/security/dependabot/"+(.number|tostring)),
 (($topics[][.repository.name] // [])|join(" "))]
) | @csv
```

--------------------------------------------------------------------------------
/reporting/issues_csv/reporting.ps1:
--------------------------------------------------------------------------------
```powershell
#!/usr/bin/env pwsh
$ORG = "mbaluda-org"

### FETCH TOPICS ###
# --paginate: without it only the first page of repositories lands in the topics map
# (and therefore in the Dependabot loop below); `jq -s add` merges the per-page objects
$topics = gh api --cache 5m --paginate orgs/$ORG/repos -q 'map(select(.name)|{(.name):(.topics)})|add' | jq -s 'add'
$topics | Out-File topics_map.json -encoding utf8

### CODE SCANNING ALERTS ###
gh api orgs/$ORG/code-scanning/alerts --method GET --paginate | jq -rf code_scanning.jq --slurpfile topics topics_map.json > code_scanning.csv

### SECRET SCANNING ALERTS ###
gh api orgs/$ORG/secret-scanning/alerts --method GET --paginate | jq -rf secret_scanning.jq --slurpfile topics topics_map.json > secret_scanning.csv

### DEPENDABOT SCANNING ALERTS ###
# -r: raw strings, so each repo name reaches gh without surrounding quotes
$repos = $topics | jq -r 'keys[]'
$(foreach ($repo in $repos) {
  gh api graphql -F group=$ORG -F repo=$repo -f query='
    query ($endCursor: String, $group: String!, $repo: String!) {
      repository(owner: $group, name: $repo) {
        vulnerabilityAlerts(first: 100, after: $endCursor) {
          edges { node { createdAt fixedAt dismissedAt dismissReason state securityVulnerability { package { name } severity advisory { cvss { score } } } repository { name } number } }
          pageInfo { hasNextPage endCursor }
        }
      }
    }' --paginate
}) | jq -srf dependabot.jq --slurpfile topics topics_map.json > dependabot.csv
```

--------------------------------------------------------------------------------
/reporting/issues_csv/secret_scanning.jq:
--------------------------------------------------------------------------------
```jq
### the csv headers
["repo","type","created","fixed","resolution","state","url","topics"],
(.[] | select(.rule.severity!="severity")|
### the json path
[.repository.name,.secret_type,.created_at,.resolved_at,.resolution,.state,.html_url,(($topics[][.repository.name] // [])|join(" "))]
) | @csv
```

--------------------------------------------------------------------------------
/secret-scanning/secret-scanning-rollout-guidance.md:
--------------------------------------------------------------------------------
## Secret scanning rollout guidance

Secret scanning can easily be enabled in the organization-level settings. GHES 3.2 will have an API that can help you enable secret scanning on a per-repository basis. While this may help roll out secret scanning, we may need to strategize further by thinking about which organizations/repositories critically need secret scanning enabled.

When you have many organizations within your enterprise, start thinking about how to roll out secret scanning in the following ways:

- [ ] Retrieve a list of organizations and list them in order of priority when it comes to secret scanning.
- [ ] For each organization, are there known repositories where secrets are being used?

With these two pieces in mind, set up a regular cadence of enabling secret scanning:

- [ ] Figure out the number of organizations to enable in each iteration.
- [ ] Set up a team who will lead this effort and help delegate responsibility for resolving secret scanning alerts.
- [ ] In the process, figure out known patterns, and determine whether or not a secret-scanning.yml will help.
- [ ] Develop team documentation on this rollout and document best practices on using access tokens.

--------------------------------------------------------------------------------
/secret-scanning/user-defined-patterns-considerations.md:
--------------------------------------------------------------------------------
- Overall cost of scans on push is very low. It does not depend on LOC, only the size of the files, so they have a very small memory footprint unless you are pushing 100 MBs on each push.
  Backfills/full history scans are more expensive, and are relative to the size of the repo, how well it's maintained and how costly it is to run git commands. The load here is always one time, when scanning is first enabled.
- We provide configurability on how many scans of either type can be run at a given time. It can be sped up or slowed down to control the load on the system. The specific config names have changed from 3.0.
  Some key things that are different:
  - backfill scans are no longer capped at 15 mins, we run them till completion.
  - some of the defaults for how many backfill scans have changed (previously we used to run 10 every 10 mins, now we pick up 1 backfill job every 10 seconds as long as there isn't another active one in flight).
  - every time a user defined pattern is created, a backfill is triggered for all the repo(s) under scope. That can add additional load ad hoc.
  - You should expect to see more network traffic, particularly when backfills are run. That's because scans are no longer run on the file servers, they are run in their own jobs. For a single VM, that's mostly across the loopback address; for cluster setups that's across the job server and file server nodes.
- No concerns for a 1000 repos that was discussed for Infosys.
- If for this or any other customers we are talking about similar or higher scale but with a high number of active monorepos, I can see a reasonable load during backfills. For reference, I would consider that if you have a 1000 very large mono repos in an instance with 10s of thousands of repos, that would require a bit more thought.
- Note that in none of the cases above incremental or scan on push is a matter of concern.
- To control backfill traffic, customers can consider a more gradual rollout of scanning across repos in their orgs/instance. When enabled at the org level, we make an attempt to do so using some of the defaults I described, but rollout gives more control.
  For user defined patterns, a gradual rollout via enablement is not an option when it's created at the org or enterprise level. I would highly recommend doing extensive testing with a repo for a new user defined pattern with data before applying it broadly. One option here for new customers is to create these first, and then roll out enablement, so that backfills for these are included as part of the backfills that are done at enablement.
- In terms of resource usage
  - with controlled backfills and rollout without using user defined patterns, unless the instances are at the seams and have a couple of GBs of memory available, you will be :thumbsup: ..
  - if the customer is also planning to use user defined patterns excessively (and I mean tens or hundreds of patterns), you would want to have up to 10-20% more resources than the min, especially when the backfills are being run or user defined patterns are being created.

--------------------------------------------------------------------------------
/troubleshooting/codeql-builds/bazel.md:
--------------------------------------------------------------------------------
# CodeQL using Bazel

[Bazel](https://bazel.build/) is a build system that some enterprises use over other build tools to make their builds faster and more scalable.
Some of Bazel's features cause issues when analysing the build with CodeQL; this guide describes the requirements for analysing the code correctly.


## Solution

There are three major parts to making sure CodeQL analyses Bazel builds correctly.

```bash
# This stops all running Bazel server processes
bazel shutdown

# This makes sure that Bazel doesn't use cached objects before building
bazel clean --expunge

# This builds the code with:
# * --spawn_strategy=local : a local build strategy versus a distributed system
# * --nouse_action_cache : prevents build caching that might prevent recompilation of source code
bazel build --spawn_strategy=local --nouse_action_cache //:app
```

Here are example(s) of how this can be done:

- [Java application using Bazel](https://github.com/affrae/quickjavahelloworld) by @affrae


## FAQ from customers

#### `Can I build in parallel across different machines?`

Sadly we do not support cross-machine compiling, because CodeQL needs to hook into the build process on the machine doing the compiling and then create the TRAP files for each compiled component.


#### `Can I use Bazel caching?`

We do not currently support caching in an easy-to-use way. It would require maintaining a cached copy of the [TRAP files](https://codeql.github.com/docs/codeql-overview/codeql-glossary/#trap-file) generated by CodeQL from previous Bazel builds, and knowing which cached part corresponds to which build output and which parts need to be newly created.
If this is something the customer wants, it will require Services hours and Engineering assistance.


## References
- [TRAP files](https://codeql.github.com/docs/codeql-overview/codeql-glossary/#trap-file)

--------------------------------------------------------------------------------
/troubleshooting/codeql-builds/compiled-languages-cpp.md:
--------------------------------------------------------------------------------
# FAQ

## Does CodeQL need the resulting object files from the C++ build?

CodeQL needs to monitor the actual build. Every time we see the build invoke the C++ compiler, we also "compile" the same source code with our own "compiler", which generates what we need for the actual analysis. We don't use the object files from the regular compiler at all.

--------------------------------------------------------------------------------
/troubleshooting/codeql-builds/compiled-languages-csharp.md:
--------------------------------------------------------------------------------
Scanning a C# application with CodeQL

# Build Failures

## [error]We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps.

<details>
<summary>Expand for sample workflow failure output</summary>

```
Exit code 1
Attempting to locate build script
Error: Could not auto-detect a suitable build method
Error: We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps. Failure invoking /opt/hostedtoolcache/CodeQL/0.0.0-20221010/x64/codeql/csharp/tools/autobuild.sh with arguments .

Exit code 1 and error was:

Error: Could not auto-detect a suitable build method

CommandInvocationError: Failure invoking /opt/hostedtoolcache/CodeQL/0.0.0-20221010/x64/codeql/csharp/tools/autobuild.sh with arguments .

Exit code 1 and error was:

Error: Could not auto-detect a suitable build method

    at runTool (/home/runner/work/_actions/github/codeql-action/v2/lib/codeql.js:867:15)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async Object.runAutobuild (/home/runner/work/_actions/github/codeql-action/v2/lib/codeql.js:559:13)
    at async runAutobuild (/home/runner/work/_actions/github/codeql-action/v2/lib/autobuild.js:97:5)
    at async run (/home/runner/work/_actions/github/codeql-action/v2/lib/autobuild-action.js:71:17)
    at async runWrapper (/home/runner/work/_actions/github/codeql-action/v2/lib/autobuild-action.js:88:9)
```
</details>


This error indicates a scenario where our [C# AutoBuilder](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-the-codeql-workflow-for-compiled-languages#c) is unable to build your code. No sweat, check out some of the resources below to get you started:

Ensure your required build tooling is installed on your [runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources):
- Windows 2019 runner
  - [Visual Studio 2019 Enterprise pre-installed](https://github.com/actions/runner-images/blob/main/images/win/Windows2019-Readme.md#visual-studio-enterprise-2019)
  - [.NET Framework Developer Pack](https://github.com/actions/runner-images/blob/main/images/win/Windows2019-Readme.md#net-framework)
  - [.NET Core SDK](https://github.com/actions/runner-images/blob/main/images/win/Windows2019-Readme.md#net-core-sdk)
- Windows 2022 runner
  - [Visual Studio 2022 Enterprise pre-installed](https://github.com/actions/runner-images/blob/main/images/win/Windows2022-Readme.md#visual-studio-enterprise-2022)
  - [.NET Framework Developer Pack](https://github.com/actions/runner-images/blob/main/images/win/Windows2022-Readme.md#net-framework)
  - [.NET Core SDK](https://github.com/actions/runner-images/blob/main/images/win/Windows2022-Readme.md#net-core-sdk)


If any custom tooling is required, consider pulling it into your action via a [custom script](https://docs.github.com/en/actions/using-github-hosted-runners/customizing-github-hosted-runners).


### DotNet (.NET Standard / Core)
Using `dotnet` is best documented at: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net. The [actions/setup-dotnet](https://github.com/actions/setup-dotnet) action can assist in configuring the proper build tools.

#### NuGet Error NU1301
This can indicate that your custom package server is not configured, which may fail the `dotnet restore` command. For private package servers, the following guidance shows how to add package sources: [Setting up authentication for nuget feeds](https://github.com/actions/setup-dotnet#setting-up-authentication-for-nuget-feeds)

#### NuGet.targets(132,5): warning : Your request could not be authenticated by the GitHub Packages service. Please ensure your access token is valid and has the appropriate scopes configured.

The `actions/setup-dotnet` action supports [setting up authentication for nuget feeds](https://github.com/actions/setup-dotnet#setting-up-authentication-for-nuget-feeds). Add this before the `autobuild` / custom build steps in your workflow:
```yml
- uses: actions/setup-dotnet@v3
  with:
    # <OWNER> is the user or organization that owns the package feed
    source-url: https://nuget.pkg.github.com/<OWNER>/index.json
  env:
    NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
```

If you wish to update existing feeds in a `nuget.config` with a credential:
```yml
# Updating MY_ADO_FEED credentials
- name: update nuget to add auth
  run: dotnet nuget update source MY_ADO_FEED -u NOTUSED -p "${{ secrets.ADO_TOKEN }}" --store-password-in-clear-text
```

Alternatively, consider adding a GitHub Packages hosted NuGet feed using the nuget CLI tooling.

```yml
- name: add nuget auth
  run: dotnet nuget add source https://nuget.pkg.github.com/<OWNER>/index.json -n "GitHub" -u USERNAME -p "${{ secrets.GH_PACKAGES_READ_ONLY }}" --store-password-in-clear-text
```

### .NET Framework

#### NuGet Authentication
Since you are unable to use the [nuget/setup-nuget](https://github.com/nuget/setup-nuget#basic) action to pass a package key/source to nuget.exe for restore, fall back to the `nuget sources` commands instead.

You can update an existing source (by name; these might exist in a `nuget.config`) to include credentials via the `nuget sources Update` command:

```yml
- name: NuGet Restore
  run: |
    nuget sources Update -Name "SourceName" -UserName "any" -Password "${{ secrets.NUGET_PACKAGES_PAT }}"
    nuget restore
```

Alternatively, add a new source with `nuget sources Add`:

```yml
- name: NuGet Restore
  run: |
    nuget sources Add -Name "SourceName" -Source "https://url.to.your/source" -UserName "any" -Password "${{ secrets.NUGET_PACKAGES_PAT }}"
    nuget restore
```

#### Manual Build Steps on Windows Runners
NOTE: if you require the Windows OS to build, ensure you are using a Windows runner. Otherwise the autobuilder will attempt to use Mono [from the ubuntu image](https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md#language-and-runtime):
```
Not using .NET Core because of incompatible project /home/runner/work/<...path...>.csproj
Attempting to build using MSbuild

Running mono ...
```

Example using `windows-latest`:
- Note: The `-latest` runner images are the latest stable images that GitHub provides, and might not be the most recent version of the operating system available from the operating system vendor.
```yml
jobs:
  analyze:
    name: Analyze
    runs-on: windows-latest
```

Next, consider specifying your own build steps from an existing CI workflow:
- The [microsoft/setup-msbuild](https://github.com/microsoft/setup-msbuild) and [Nuget/setup-nuget](https://github.com/nuget/setup-nuget) actions are popular tools to assist in this configuration


```yml
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
130 | # If this step fails, then you should remove it and run the build manually (see below) 131 | #- name: Autobuild 132 | # uses: github/codeql-action/autobuild@v2 133 | 134 | # Discover where the MSBuild tool is and automatically add it to the PATH environment variable 135 | - name: Setup MSBuild 136 | uses: microsoft/setup-msbuild@v1 137 | 138 | # Download/installs a given version of NuGet.exe. Using this action will add nuget to your $PATH 139 | - name: Setup NuGet 140 | uses: NuGet/setup-nuget@v1 141 | 142 | # CI build with best practices from: https://codeql.github.com/docs/codeql-cli/creating-codeql-databases/#specifying-build-commands 143 | - name: .NET Build Steps 144 | run: | 145 | nuget restore .\FullDotNetWebApp.sln -DisableParallelProcessing 146 | msbuild .\FullDotNetWebApp.sln /p:UseSharedCompilation=false /t:rebuild /p:Platform="Any CPU" /p:Configuration="Debug" /p:MvcBuildViews=true 147 | 148 | - name: Perform CodeQL Analysis 149 | uses: github/codeql-action/analyze@v2 150 | ``` 151 | 152 | ## "You are running out of disk space. The runner will stop working when the machine runs out of disk space." 153 | 154 | Running low on disk using the default Actions runner? 155 | 156 | GitHub also offers larger runners, which are available in larger disk configurations. For more information, see "[About larger runners.](https://docs.github.com/en/actions/using-github-hosted-runners/about-larger-runners#machine-specs-for-larger-runners)" 157 | - See also: [Vertical Scaling](#vertical-scaling---throw-hardware-at-the-software-problem) 158 | 159 | Alternatively, try a few of these workarounds for a potential quick fix: 160 | 161 | Specify the OS Disk's (C:\) temp directory to store the CodeQL database. 
There is a slower disk speed tradeoff compared to using the Data Disk (D:\) 162 | ```yml 163 | - name: Initialize CodeQL 164 | uses: github/codeql-action/init@v2 165 | with: 166 | db-location: 'C:\windows\temp\codeql-database' 167 | ``` 168 | 169 | Clean up large directories of [preinstalled software](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#preinstalled-software) that you are not using on the Windows runner OS Disk. Add this to your "CodeQL" workflow: 170 | ```yml 171 | - name: Clean up some disks 172 | run: | 173 | Remove-Item -Recurse -Force C:\Android\android-sdk # default shell on Windows runners is pwsh; a non-recursive rd on a non-empty directory prompts and fails non-interactively 174 | docker system prune -af 175 | ``` 176 | 177 | ## MvcBuildViews target failures 178 | 179 | This can manifest through a variety of errors: 180 | - `error ASPPARSE` 181 | - `[error]C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config(113,0): Error ASPCONFIG: Could not load type` 182 | - `Error ASPCONFIG: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level.` 183 | - `(AfterBuildCompiler target) -> web.config(##): error ASPCONFIG: Could not load file or assembly '...' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)` 184 | - `(MvcBuildViews target) -> \web.config(##):error ASPCONFIG: Could not load file or assembly '...' or one of its dependencies. The system cannot find the file specified.` 185 | - `(MvcBuildViews target) -> ASPNETCOMPILER : error ASPCONFIG: Could not load file or assembly '...' or one of its dependencies. An attempt was made to load a program with an incorrect format. ` 186 | - `[16328] [ERROR] Couldn't read file: c:\\dummy.txt. Could not find file 'c:\dummy.txt'. 
at Microsoft.Win32.SafeHandles.SafeFileHandle.CreateFile(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options)` 187 | 188 | The CodeQL compiler tracer used for `csharp` auto-injects the `/p:MvcBuildViews=true` flag. This pre-compilation of Views lets CodeQL extract the generated code from those files, leading to (potentially) better error reporting and location information if a query does flag an issue. If the views do not pass through the compiler, and therefore through CodeQL, the result is an incomplete database where important dataflow sources/sinks/taint-steps are not included in the analysis. 189 | 190 | The recommendation here is to ensure that passing `/p:MvcBuildViews=true` to your CI build compiles even outside of CodeQL. Having a developer review this on their local machine is the best scenario. This can be done on the specific web project by adding `<MvcBuildViews>true</MvcBuildViews>` to the local .csproj (you will often find this defaulted to false). The MVC full framework steps are listed [here](https://learn.microsoft.com/en-us/archive/blogs/jimlamb/turn-on-compile-time-view-checking-for-asp-net-mvc-projects-in-tfs-build-2010). There are a few different reasons why this can cause your project to fail compilation. 191 | 192 | For `Error ASPCONFIG: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level.`, change the locations of the obj and publish folders so they are not located under the project folder of the website. If you have bin/obj files checked into source, that is a likely culprit: https://gunnarpeipman.com/aspnet-mvc-allowdefinition-machinetoapplication/. You will find [various permutations of this recommendation](https://stackoverflow.com/questions/12778088/allowdefinition-machinetoapplication-error-setting-mvcbuildviewstrue-mvcbui) out there! 
193 | 194 | For `Error ASPCONFIG: Could not load type 'X.Y.Z'`, ensure that no excluded `.cshtml`, `.ashx`, `.ashx.cs`, `.aspx` or `.aspx.cs` files remain on disk in existing `Views` folders or the root folder of your project. You can show hidden files in your solution view to hunt these down and remove them from these folders. MvcBuildViews does not observe the file includes from the csproj when compiling the application. You may have to hunt these down one by one, so adding `<MvcBuildViews>true</MvcBuildViews>` to your local .csproj may help you get this done on your local machine with Visual Studio. The `Error List` view in Visual Studio has a column that shows you the actual file name you need to delete. 195 | 196 | To avoid building and scanning any view engine generated code in your project (accepting potential false negatives in the scan, as view engine code may not be evaluated for vulnerabilities) and to work around the automatic injection of MvcBuildViews, use one of the following options: 197 | 198 | - Utilize `build-mode: none` - this will not invoke the build targets. See [comparison](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes). 199 | 200 | - If using `manual` or `autobuild` with GitHub Actions, plug in this step before `CodeQL-Init`: https://github.com/felickz/codeql-tracer-netframework?tab=readme-ov-file#codeql-tracer-netframework 201 | 202 | ```yml 203 | - name: Custom Lua Config Tracer for ASPNET MVC 204 | uses: felickz/codeql-tracer-netframework@main 205 | with: 206 | MvcBuildViews: false 207 | ``` 208 | 209 | - Otherwise, consider this [community contributed suggestion](https://github.com/github/codeql/issues/11890#issuecomment-1496970164) to modify the csproj to exclude building views: 210 | 211 | ```powershell 212 | # tweaking the csproj file with powershell during the build so that the hard-coded target condition "gets fooled", basically. 
Something like this: 213 | 214 | $filePath = (Join-Path $pwd '\SUBFOLDER\YOURCSPROJFILE.csproj') 215 | $csproj = [xml](Get-Content $filePath) 216 | $buildTargetNode = $csproj.Project.Target | ? name -eq "MvcBuildViews" 217 | $buildTargetNode.SetAttribute("Condition", "'`$(MvcBuildViews)'=='false'") 218 | $csproj.Save($filePath) 219 | ``` 220 | 221 | 222 | ## MSB4216 - error MSB4216: Could not run the "GenerateResource" task because MSBuild could not create or connect to a task host with runtime "CLR4" and architecture "x64" 223 | 224 | ``` 225 | C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\MSBuild\15.0\Bin\Microsoft.Common.CurrentVersion.targets(3049,5): error MSB4216: Could not run the “GenerateResource” task because MSBuild could not create or connect to a task host with runtime “CLR4” and architecture “x64". Please ensure that (1) the requested runtime and/or architecture are available on the machine, and (2) that the required executable “C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\MSBuild\15.0\Bin\amd64\MSBuild.exe” exists and can be run. 226 | ``` 227 | 228 | ``` 229 | c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\MSBuild\Current\Bin\Microsoft.Common.CurrentVersion.targets(3162,5): error MSB4216: Could not run the "GenerateResource" task because MSBuild could not create or connect to a task host with runtime "CLR4" and architecture "x64". Please ensure that (1) the requested runtime and/or architecture are available on the machine, and (2) that the required executable "c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\MSBuild\Current\Bin\amd64\MSBuild.exe" exists and can be run. 230 | ``` 231 | 232 | Recommendations: 233 | - If not using GitHub Actions - ensure the CodeQL process is given appropriate amount of RAM. This scenario has been reproduced when running out of memory. It is recommended to leave the operating system at least 1.5 GB + 2% of total memory for a Windows CI machine. 
(example: if the machine has 64 GB of total memory, pass 59.7 GB, i.e. `61132` MB, to CodeQL - see CodeQL action [getSystemReservedMemoryMegaBytes](https://github.com/github/codeql-action/blob/43750fe4fc4f068f04f2215206e6f6a29c78c763/src/util.ts#L160)) 234 | - edit the `.csproj` that is failing and specify the `GenerateResourceMSBuildArchitecture` property as is done in a sample [here](https://github.com/XAMLMarkupExtensions/WPFLocalizeExtension/blob/cc4799a1336afba1adfd26212a778eac28a5f79c/src/WPFLocalizeExtension.csproj#L31-L32) as [explained in resgen discussion](https://github.com/dotnet/sdk/issues/346#issuecomment-257654120). 235 | 236 | ```xml 237 | <!-- inside a PropertyGroup of the failing .csproj --> 238 | <GenerateResourceMSBuildArchitecture>CurrentArchitecture</GenerateResourceMSBuildArchitecture> 239 | ``` 240 | 241 | 242 | # Speed up C# Analysis 243 | 244 | Start here: [CodeQL Docs - The build takes too long](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/troubleshooting-code-scanning/analysis-takes-too-long). 245 | - make sure you are using appropriately sized [hardware](https://gh.io/codeql-hardware) 246 | - are you scanning in a container or on a VM? [note these antipatterns](https://some-natalie.dev/blog/codeql-container-builds/#anti-patterns-to-avoid) 247 | 248 | 249 | ## Optimization - Removing Code From Scans 250 | Consider removing any code you do not wish to include in a security scan, both to speed up the scan and to remove noise from it. This is commonly employed for unit tests, demo code, and code that would not benefit from being scanned (ex: DacPacs). 
251 | 252 | ### `build-mode: none` 253 | 254 | [Build-mode none](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes) has added support for CodeQL [configuration paths filters](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan) for this compiled language. This mode recursively walks the filesystem looking for `.cs` files throughout the codebase to scan. We can be more prescriptive in our configuration, instructing the engine to include/exclude by `paths` / `paths-ignore` globs (quote every glob; an unquoted value starting with `*` is not valid YAML): 255 | 256 | ```yaml 257 | - uses: github/codeql-action/init@v3 258 | with: 259 | languages: ${{ matrix.language }} 260 | build-mode: none 261 | config: | 262 | paths-ignore: 263 | - '**/*.tests/**' 264 | - '**/*.test.cs' 265 | - '**/*.tests.cs' 266 | - '**/examples/**' 267 | - '**/samples/**' 268 | - '**/demo/**' 269 | - '**/docs/**' 270 | ``` 271 | 272 | Tip: ensure credentials to your private registries listed in your `nuget.config` are available/injected so that `none` mode does not attempt to hit a registry that will fail for every dependency. 273 | 274 | Alternatively, you might consider breaking up code into smaller chunks to scan. For example, a monorepo with many microservices would be a prime candidate to scan only the dependent code together. CodeQL has natural boundaries at the network layer - if a direct method call is not invoked then there is reduced value in scanning the code together. 
Consider specifying services by folder to scan together (vs ignore): 275 | 276 | Microservice A config: 277 | 278 | ```yaml 279 | - uses: github/codeql-action/init@v3 280 | with: 281 | languages: ${{ matrix.language }} 282 | build-mode: none 283 | config: | 284 | paths: 285 | - '**/MicroserviceA/**' 286 | - '**/Framework/**' 287 | 288 | # If scanning more than one analysis per repo - ensure you upload results with a unique category 289 | - name: Perform CodeQL Analysis 290 | uses: github/codeql-action/analyze@v3 291 | with: 292 | category: "/language:${{matrix.language}}/app:MicroserviceA" 293 | ``` 294 | Microservice B config: 295 | 296 | ```yaml 297 | - uses: github/codeql-action/init@v3 298 | with: 299 | languages: ${{ matrix.language }} 300 | build-mode: none 301 | config: | 302 | paths: 303 | - '**/MicroserviceB/**' 304 | - '**/Framework/**' 305 | 306 | # If scanning more than one analysis per repo - ensure you upload results with a unique category 307 | - name: Perform CodeQL Analysis 308 | uses: github/codeql-action/analyze@v3 309 | with: 310 | category: "/language:${{matrix.language}}/app:MicroserviceB" 311 | ``` 312 | 313 | - Consider using this pre-built action to scan individual apps inside your monorepo: https://github.com/advanced-security/monorepo-code-scanning-action 314 | 315 | ### `build-mode: autobuild` or `build-mode: manual` 316 | 317 | CodeQL will extract and analyze any code that is passed through the compiler. With .NET builds, we can employ a few mechanisms to exclude code from being captured by the CodeQL Csharp tracer/extractor (e.g. 
you would want to run your unit test in another workflow ): 318 | - A [solution filter](https://docs.microsoft.com/en-us/visualstudio/msbuild/solution-filters?view=vs-2019) to only build required projects 319 | - An explicit [solution file that excludes projects](https://docs.microsoft.com/en-us/visualstudio/ide/how-to-exclude-projects-from-a-build?view=vs-2022) 320 | - example from the Open Source project: [Identity Server](https://github.com/DuendeSoftware/IdentityServer/) 321 | - have a [build.sh script wrapper](https://github.com/DuendeSoftware/IdentityServer/blob/main/build/Program.cs#L47) around their solution targets 322 | - distinct [IdentityServer.CodeQL.sln solution](https://github.com/DuendeSoftware/IdentityServer/blob/main/Duende.IdentityServer.CodeQL.sln) excluding unit tests 323 | - [CodeQL yaml passes in a flag to build script](https://github.com/DuendeSoftware/IdentityServer/blob/44d8d5964edfae20c4be424c0b3a2ed5050c6fe9/.github/workflows/codeql-analysis.yml#L57) to use the CodeQL solution 324 | - Build in release mode - exclude test projects from that [build configuration](https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/ide/how-to-create-and-edit-configurations?view=vs-2015&redirectedfrom=MSDN#to-modify-a-solution-wide-build-configuration) 325 | 326 | ## Optimizations - CodeQL Engine 327 | - NOTE: [as of CodeQL 2.15.3 - this is now disabled by default.](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.15.3/#c) 328 | - CodeQL will (by default) pull in source code from your dependencies using CIL extraction to assist in mapping out your data flows. While this can improve the precision of the results, this can also lead to a large increase in database size. You might consider disabling this feature for a quick scan but running a cron based scan with the option enabled. 
329 | 330 | ### GitHub Actions 331 | ```yml 332 | env: 333 | CODEQL_EXTRACTOR_CSHARP_OPTION_CIL: false 334 | ``` 335 | ### Azure DevOps Pipelines 336 | ```yml 337 | variables: 338 | # Disable CodeQL CSharp CIL mode 339 | CODEQL_EXTRACTOR_CSHARP_OPTION_CIL: false 340 | ``` 341 | 342 | 343 | 344 | ## Optimizations - CodeQL Queries 345 | - Tweak your current codeql yml workflow in a few ways: 346 | - remove security-extended queries; the default query pack `code-scanning` has a smaller set of optimized queries and will complete faster 347 | - As of [v2.10.5](https://github.com/github/codeql-action/releases/tag/codeql-bundle-20220908) - Query Suite Counts 348 | - code-scanning (default) - 49 queries 349 | - security-extended - 66 queries 350 | - security-and-quality - 171 queries 351 | 352 | - Micro Optimizations: Consider these as a potential quick hit to resolve a specific problem 353 | - Review workflow log timings to identify any query that is taking a long time; you can then exclude it via a [CodeQL-config file](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-a-custom-configuration-file) 354 | - add a [query-filter](https://github.blog/changelog/2022-08-31-code-scanning-customize-your-codeql-analysis-using-query-filters/) to [exclude a specific query from analysis](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#excluding-specific-queries-from-analysis) 355 | 356 | - tweak the way CodeQL allocates memory to possibly make the workflow succeed in low memory conditions (for example, just below the runs-on field): [see sample](https://github.com/vulna-felickz/FullDotNetWebApp/pull/8/commits/263bbc8816a964d70f6267f6b6717f56b6bf6a1d) 357 | ```yml 358 | env: 359 | CODEQL_ACTION_EXTRA_OPTIONS: '{"database": {"run-queries": ["--off-heap-ram=0"]}}' 360 | ``` 361 | 362 | 
363 | ## Optimization - Caching Dependencies with GitHub Actions 364 | 365 | Depending on the number of dependencies, it may be faster to restore packages for your project using the Actions dependency cache. Projects with many large dependencies should see a performance increase as it cuts down the time required for downloading. Projects with fewer dependencies may not see a significant performance increase and may even see a slight decrease due to how NuGet installs cached dependencies. The performance varies from project to project. See [this article](https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net#caching-dependencies) for configuring the NuGet dependency cache. 366 | 367 | ## Vertical Scaling - Throw hardware at the software problem. 368 | 369 | Large applications can be compute/memory/disk bound as the default hosted runners are small instances (2 core / 8 GB RAM / 14 GB SSD). Any repository approaching 100k lines of C# code will benefit from bigger hardware. See the [recommended hardware requirements for CodeQL](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/recommended-hardware-resources-for-running-codeql) based on codebase size. 370 | - On GitHub Actions, set up a [self-hosted CI action runner](https://docs.github.com/en/enterprise-cloud@latest/actions/hosting-your-own-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization) in your infrastructure with more powerful specs that can handle your large application. 371 | - [Actions larger runners](https://docs.github.com/en/actions/using-github-hosted-runners/using-larger-runners) allow for up to a 64 core machine with 256 GB RAM and 2040 GB of SSD storage 372 | - On Azure DevOps Pipelines, set up a [self-hosted agent](https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/agents) on your own hardware or Virtual Machine Scale Set agents. 
373 | 374 | ## Horizontal Scaling - Continue to decompose your solution. 375 | 376 | Making an investment in optimizing your build process can drastically speed up your developer experience, CI pipelines and start the process of "decomposing the monolith". Continued investment in large or legacy applications is important to keep your security posture and dependencies up to date. Review the suggestions for [using domain-driven design to modernize your monolithic application](https://learn.microsoft.com/en-us/azure/architecture/microservices/migrate-monolith). If you have already investigated removing projects from your solutions that you do not wish to expose to a security scan (test projects / demo code), then you have already begun this journey. 377 | 378 | A great use case would be to filter separate solutions by front end (ex: Web.sln) and back end code(ex: API.sln) that are separated by process/network boundaries. CodeQL can detect data flows through the code but once it reaches a process boundary the flow is stopped. This creates a natural separation point for both feature development teams and security scans based data flows. This would further enable a decrease in wall-clock scan time by using parallel per-solution scans using an [Actions matrix strategy](https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs) (such that each gets its own runtime and resources). It will be important to include your common framework code in each solution so that you get a successful compilation while you further analyze other ways to share code. 
379 | -------------------------------------------------------------------------------- /troubleshooting/codeql-builds/compiled-languages-go.md: -------------------------------------------------------------------------------- 1 | ## GoLang Private Modules 2 | 3 | Autobuild fails with error "Some packages could not be found" 4 | 5 | There are two options when it comes to private repositories: 6 | 7 | - Set up the Go environment within the Actions workflow (no vendoring in that case) 8 | - Vendor the dependencies 9 | 10 | Setting up the Go environment can be done by adding an Actions step to update the [Go settings](https://go.dev/ref/mod#private-modules) pointing them to use a [GitHub Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) with the corresponding access to the private repository. 11 | The example below shows how this can be done using a single step before the CodeQL Init step - storing the GitHub PAT in an Actions Secret. 12 | 13 | **Example:** 14 | 15 | ```yml 16 | name: CodeQL 17 | 18 | env: 19 | GOLANG_TOKEN: ${{ secrets.GOLANG_GITHUB_TOKEN }} 20 | GOLANG_USER: octocat 21 | 22 | # ... 23 | jobs: 24 | analyze: 25 | name: Analyze 26 | # ... 27 | steps: 28 | - name: Go Configuration 29 | run: git config --global url."https://${GOLANG_USER}:${GOLANG_TOKEN}@github.com".insteadOf "https://github.com" 30 | 31 | # ... 
Start scanning 32 | ``` 33 | 34 | Alternatively, pass the token into the CodeQL init action to allow it to be used for downstream git operations: 35 | 36 | ```yml 37 | - uses: github/codeql-action/init@v2 38 | with: 39 | external-repository-token: ${{ secrets.GOLANG_GITHUB_TOKEN }} 40 | ``` 41 | -------------------------------------------------------------------------------- /troubleshooting/codeql-builds/compiled-languages-java.md: -------------------------------------------------------------------------------- 1 | 2 | # Private Package Registries 3 | 4 | ## The autobuild for java is failing when running Maven build command and a private package registry is needed - `status: 401 Unauthorized ` 5 | - ex: artifactory where our pom.xml dependencies are stored 6 | 7 | Assuming the given package registry instance is publicly accessible and needs credentials: 8 | 9 | Option 1 - Pass credentials via environment variable from Actions secrets and configure Maven settings to utilize those credentials (see sample [here](https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#yaml-example)) 10 | 11 | ex `workflow.yml` step: 12 | ```yml 13 | env: 14 | MAVEN_USERNAME: maven_username123 15 | MAVEN_CENTRAL_TOKEN: ${{ secrets.MAVEN_CENTRAL_TOKEN }} 16 | ``` 17 | 18 | ex `settings.xml` (a `server` entry under `servers`) 19 | ```xml 20 | <server> 21 | <id>maven</id> 22 | <username>${env.MAVEN_USERNAME}</username> 23 | <password>${env.MAVEN_CENTRAL_TOKEN}</password> 24 | </server> 25 | ``` 26 | 27 | Option 2 - Use the GitHub [setup-java](https://github.com/actions/setup-java#maven-options) action to generate Maven's settings.xml on the fly and pass the values to Apache Maven GPG Plugin as well as Apache Maven Toolchains. 
28 | 29 | ```yml 30 | - name: Set up Apache Maven Central 31 | uses: actions/setup-java@v3 32 | with: 33 | distribution: 'temurin' 34 | java-version: '11' 35 | server-id: maven # Value of the distributionManagement/repository/id field of the pom.xml 36 | server-username: MAVEN_USERNAME # env variable for username in deploy 37 | server-password: MAVEN_CENTRAL_TOKEN # env variable for token in deploy 38 | ``` 39 | 40 | Option 3 - Use the [maven-settings-action](https://github.com/s4u/maven-settings-action) to dynamically create/overwrite a `settings.xml` that contains the credentials for your specified package manager. 41 | 42 | ```yml 43 | - if: matrix.language == 'java' 44 | name: Configure maven credentials 45 | uses: s4u/maven-settings-action@v2.6.0 46 | with: 47 | servers: '[{"id": "central", "username": "${{ secrets.MAVEN_USERNAME }}", "password": "${{ secrets.MAVEN_CENTRAL_TOKEN }}"}]' 48 | ``` 49 | 50 | See also: [401 due to private package server configuration](compiled-languages.md#401-due-to-private-package-server-configuration) 51 | 52 | # Build Failures 53 | 54 | ## java.lang.IllegalArgumentException: Unsupported class file major version ## 55 | 56 | Ensure you are compiling your Java application under CodeQL tracing with a supported version of the JDK, as listed here: https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/ 57 | 58 | ## Fatal error compiling: error: invalid target release: \## 59 | 60 | Alternative error: 61 | ``` 62 | > error: invalid source release: 63 | ``` 64 | 65 | The resolution here is to specify your [desired Java version via the setup-java action](https://github.com/actions/setup-java#supported-version-syntax) 66 | ```yml 67 | - uses: actions/setup-java@v3 68 | with: 69 | java-version: 17 70 | distribution: 'microsoft' 71 | ``` 72 | -------------------------------------------------------------------------------- /troubleshooting/codeql-builds/compiled-languages-swift.md: 
-------------------------------------------------------------------------------- 1 | # Unable to automatically build your code - XCode version issue 2 | 3 | The GitHub runners for macos will have a default version of xcode in use. See ["included software"](https://github.com/actions/runner-images/tree/main?tab=readme-ov-file#available-images) for the appropriate macos label. 4 | 5 | To use any other version that is installed, you can run this command to explicitly set an Xcode version 6 | 7 | ```yml 8 | - name: Select Xcode version 9 | run: sudo xcode-select -s '/Applications/Xcode_15.3.app/Contents/Developer' 10 | ``` 11 | 12 | 13 | Sample output: 14 | ``` 15 | Command line invocation: 16 | [2024-04-25 18:01:23] [build-stdout] /Applications/Xcode_15.3.app/Contents/Developer/usr/bin/xcodebuild build -project /Users/runner/work/felickz-advanced-security-mobile-ios-test/felickz-advanced-security-mobile-ios-test/iGoat-Swift/iGoat-Swift.xcodeproj -target iGoat-Swift CODE_SIGNING_REQUIRED=NO CODE_SIGNING_ALLOWED=NO 17 | ``` 18 | 19 | 20 | Alternatively, use a GitHub action to set this: https://github.com/marketplace/actions/setup-xcode-version 21 | -------------------------------------------------------------------------------- /troubleshooting/codeql-builds/compiled-languages.md: -------------------------------------------------------------------------------- 1 | # Scanning a compiled language with CodeQL 2 | * NOTE: This guide will focus on GitHub Actions but the concepts can be applied to the CodeQL CLI on other CI platforms. 
3 | 4 | ## Language Specific Guidance 5 | * [CSharp](compiled-languages-csharp.md) 6 | * [C++](compiled-languages-cpp.md) 7 | * [Java](compiled-languages-java.md) 8 | * [Go](compiled-languages-go.md) 9 | * [Swift](compiled-languages-swift.md) 10 | 11 | ## Autobuilder 12 | The autobuilder action (see [docs](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-the-codeql-workflow-for-compiled-languages#about-autobuild-for-codeql) ) 13 | 14 | ## Build Customizations 15 | See common build configuration and specific compiler flags: [specifying build commands](https://codeql.github.com/docs/codeql-cli/creating-codeql-databases/#specifying-build-commands) 16 | 17 | ## Common Problems 18 | 19 | ### Autobuilder [error]We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps. 20 | 21 | See [language specific guidance](#language-specific-guidance) for common resolutions to add custom build steps 22 | 23 | 24 | ### 401 due to private package server configuration 25 | 26 | Ensure network access from GitHub runners to your private registry is open 27 | - For IP Whitelisting, consider using [Larger Runners with Static IP](https://docs.github.com/en/actions/using-github-hosted-runners/using-larger-runners#networking-for-larger-runners) 28 | - See Also: [Connecting Actions to a private network](https://docs.github.com/en/actions/using-github-hosted-runners/connecting-to-a-private-network) 29 | - Alternatively, consider a self-hosted actions runner that will execute within your existing private network. 
See ["Hosting your own runners"](https://docs.github.com/en/actions/hosting-your-own-runners) 30 | 31 | See [language specific guidance](#language-specific-guidance) for authentication options to popular package managers 32 | 33 | ### Out of Memory 34 | ex: 35 | 36 | > 2022-06-01T20:08:13.6909315Z Exit code 137 and error was: 37 | 38 | > A fatal error occurred: RelationManager failed to produce already COMPUTED FlowSummaryImpl#b68d378d::Private::TConsSummaryComponentStack#fff/3@e38197wv 39 | 40 | 41 | These errors typically indicate that your project is too large for CodeQL to analyse with the amount of RAM found on the default GitHub runners. You can tweak the way we allocate memory to possibly make the workflow succeed by adding the following environment variable to your CodeQL job (for example, just below the runs-on field): 42 | 43 | 44 | Add the following to change the way CodeQL allocates memory: 45 | ```yml 46 | env: 47 | CODEQL_ACTION_EXTRA_OPTIONS: '{"database": {"run-queries": ["--off-heap-ram=0"]}}' 48 | ``` 49 | Alternatively, define explicit limits on the analyze step: 50 | ```yml 51 | - name: Perform CodeQL Analysis 52 | uses: github/codeql-action/analyze@v2 53 | with: 54 | # Increase Values seen in logs: 55 | #2022-06-01T19:37:19.0200037Z CODEQL_RAM: 119741 56 | #2022-06-01T19:37:19.0200307Z CODEQL_THREADS: 32 57 | ram: 64000 58 | threads: 16 59 | ``` 60 | 61 | ### "CodeQL scanned 0 out of ... files in this job" or "No source code was seen during the build" or "failed with exit code 32" 62 | For compiled languages, CodeQL operates by tracing compiler commands for each file to construct a database representation of the codebase. However, some build engines utilize background daemons to compile applications, and these compiler calls delegated to a daemon may go undetected by the CodeQL tracer, resulting in little or no code being detected. 
63 | 64 | Additionally, CodeQL will only trace and scan files that pass through a compiler within the build systems. Files pulled from a cache, rather than processed by the build systems, won't be included in the CodeQL database. To ensure a comprehensive representation of the codebase, it's essential to disable build caching and shared compilation. Refer to your build system's recommended flags, as described here: [specifying build commands](https://codeql.github.com/docs/codeql-cli/creating-codeql-databases/#specifying-build-commands). 65 | 66 | Other helpful articles: 67 | - [Troubleshooting: Error: "No source code was seen during the build"](https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/no-source-code-seen-during-build) walks through the various reasons why this might occur. 68 | - [Build Customizations](#build-customizations) provides guidance for supported build steps per language / build engine. 69 | - [CodeQL Exit Codes - 32](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/exit-codes#32) 70 | 71 | 72 | ## Reviewing Results 73 | 74 | Helpful Articles to understand how to review, troubleshoot, and debug logs: 75 | 76 | - [Viewing Code Scanning Logs](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/viewing-code-scanning-logs) 77 | - [Workflow verbose logging in debug mode](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow#creating-codeql-debugging-artifacts) 78 | - [Adding artifacts on every CodeQL Run](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow#creating-codeql-debugging-artifacts-using-a-workflow-flag) 79 | - [Exit Codes](https://codeql.github.com/docs/codeql-cli/exit-codes/) 80 | 81 | 
82 | ## Optimizations 83 | - CodeQL Docs - [The build takes too long](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow) 84 | -------------------------------------------------------------------------------- /troubleshooting/codeql-builds/interpreted-languages-javascript.md: -------------------------------------------------------------------------------- 1 | ## NPM Private Modules 2 | The example below shows how you can pull dependencies from private npm registries. 3 | 4 | ### GitHub Actions Example 5 | 6 | ```yml 7 | name: CodeQL 8 | env: 9 | NPM_REGISTRY_URL: '${{ secrets.NPM_REGISTRY_URL }}' 10 | NPM_TOKEN: '${{ secrets.NPM_TOKEN }}' 11 | NODE_VERSION: 16.x 12 | 13 | jobs: 14 | build: 15 | runs-on: ubuntu-latest 16 | steps: 17 | - name: checks out code 18 | uses: actions/checkout@v2 19 | - name: Use Node.js 20 | uses: actions/setup-node@v2 21 | with: 22 | always-auth: true 23 | node-version: '${{env.NODE_VERSION}}' 24 | registry-url: '${{env.NPM_REGISTRY_URL}}' 25 | - name: Install dependencies 26 | run: npm ci --ignore-scripts 27 | env: 28 | NODE_AUTH_TOKEN: '${{env.NPM_TOKEN}}' 29 | 30 | 31 | # ... Start scanning 32 | ``` 33 | 34 | ## NodeJS 35 | 36 | Node.js at or above the minimum supported version must be installed and available on the PATH as `node`. See [additional software requirements](https://codeql.github.com/docs/codeql-overview/system-requirements/#additional-software-requirements) 37 | 38 | 39 | ### Could not start Node.js. It is required for TypeScript extraction. 40 | 41 | ``` 42 | 2025-03-21T15:17:16.5636388Z [2025-03-21 11:17:16] [build-stderr] Could not start Node.js. It is required for TypeScript extraction. 43 | 2025-03-21T15:17:16.5643217Z [2025-03-21 11:17:16] [build-stderr] Please install Node.js and ensure 'node' is on the PATH. 
2025-03-21T15:17:16.5645558Z [2025-03-21 11:17:16] [build-stderr]     at com.semmle.ts.extractor.TypeScriptParser.startNodeAndGetVersion(TypeScriptParser.java:256)
2025-03-21T15:17:16.5676028Z [2025-03-21 11:17:16] [build-stderr]     at com.semmle.ts.extractor.TypeScriptParser.verifyNodeInstallation(TypeScriptParser.java:217)
2025-03-21T15:17:16.5678667Z [2025-03-21 11:17:16] [build-stderr]     at com.semmle.ts.extractor.TypeScriptParser.verifyInstallation(TypeScriptParser.java:178)
2025-03-21T15:17:16.5681439Z [2025-03-21 11:17:16] [build-stderr]     at com.semmle.js.extractor.AutoBuild.verifyTypeScriptInstallation(AutoBuild.java:1190)
2025-03-21T15:17:16.5683831Z [2025-03-21 11:17:16] [build-stderr]     at com.semmle.js.extractor.AutoBuild.extractTypeScript(AutoBuild.java:1033)
2025-03-21T15:17:16.5686297Z [2025-03-21 11:17:16] [build-stderr]     at com.semmle.js.extractor.AutoBuild.extractSource(AutoBuild.java:758)
2025-03-21T15:17:16.5688572Z [2025-03-21 11:17:16] [build-stderr]     at com.semmle.js.extractor.AutoBuild.run(AutoBuild.java:464)
2025-03-21T15:17:16.5690809Z [2025-03-21 11:17:16] [build-stderr]     at com.semmle.js.extractor.AutoBuild.main(AutoBuild.java:1370)
```

Example to dynamically install node using the [actions/setup-node](https://github.com/actions/setup-node/) action:

```yaml
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
... scan with codeql
```

--------------------------------------------------------------------------------
/troubleshooting/codeql-builds/interpreted-languages-python.md:
--------------------------------------------------------------------------------
# Build Failures

## ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==.

Error/Warning in the workflow logs like:

```
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==.
These do not:
    importlib-metadata from https://files.pythonhosted.org/packages/b5/64/ef29a63cf08f047bb7fb22ab0f1f774b87eed0bb46d067a5a524798a4af8/importlib_metadata-5.0.0-py3-none-any.whl (from alembic==1.8.1->-r requirements.txt (line ###))
package installation with `pip install -r requirements.txt` failed, see error above
##[endgroup]
##[warning]An error occurred while trying to automatically install Python dependencies: Error: The process '/usr/bin/python3' failed with exit code 1
Please make sure any necessary dependencies are installed before calling the codeql-action/analyze step, and add a 'setup-python-dependencies: false' argument to this step to disable our automatic dependency installation and avoid this warning.
```
![image](https://user-images.githubusercontent.com/1760475/198150549-61326671-e7cc-4cbc-b640-4858fe294f93.png)

This is likely due to a Python/PyPI/pip version mismatch. Ensure you configure the proper version required to build via [actions/setup-python](https://github.com/actions/setup-python/blob/main/docs/advanced-usage.md#using-the-python-version-input).
- see [stackoverflow](https://stackoverflow.com/a/72980455/343347)

To resolve, specify your required versions before the codeql-action/init step:
```yml
# Set Python version
- uses: actions/setup-python@v4
  with:
    python-version: '3.9'
    cache: 'pip' # caching pip dependencies
# Downgrade to a specific pip version
- run: python -m pip install pip==22.0.4
```

Alternatively, you can disable the auto-install dependency functionality. You will need to configure the build requirements/commands from your existing CI.
Specify that CodeQL should disable the Python automatic package restoration and run the CI tooling / commands directly before the analysis step, as shown [here](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#analyzing-python-dependencies).
```yml
- uses: github/codeql-action/init@v2
  with:
    languages: python
    # Override the default behavior so that the action doesn't attempt
    # to auto-install Python dependencies
    setup-python-dependencies: false
```

--------------------------------------------------------------------------------
/troubleshooting/codeql-builds/interpreted-languages.md:
--------------------------------------------------------------------------------
# Scanning an interpreted language with CodeQL
* NOTE: This guide will focus on GitHub Actions, but the concepts can be applied to the CodeQL CLI on other CI platforms.

## Language Specific Guidance
* [Python](interpreted-languages-python.md)
* [JavaScript](interpreted-languages-javascript.md)

# Troubleshooting

## [ERROR] Spawned process exited abnormally (code 1; tried to run: [/opt/hostedtoolcache/CodeQL//x64/codeql/javascript/tools/autobuild.sh])

This is the higher-level error handler for the autobuilder (in this case JavaScript); it does not name the underlying cause.

```
[ERROR] Spawned process exited abnormally (code 1; tried to run: [/opt/hostedtoolcache/CodeQL/0.0.0-20220401/x64/codeql/javascript/tools/autobuild.sh])
A fatal error occurred: Exit status 1 from command: [/opt/hostedtoolcache/CodeQL/0.0.0-20220401/x64/codeql/javascript/tools/autobuild.sh]
Error: The process '/opt/hostedtoolcache/CodeQL/0.0.0-20220401/x64/codeql/codeql' failed with exit code 2
Error: The process '/opt/hostedtoolcache/CodeQL/0.0.0-20220401/x64/codeql/codeql' failed with exit code 2
    at toolrunnerErrorCatcher (/home/runner/work/_actions/github/codeql-action/v2/lib/toolrunner-error-catcher.js:86:19)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async Object.extractScannedLanguage (/home/runner/work/_actions/github/codeql-action/v2/lib/codeql.js:519:13)
    at async createdDBForScannedLanguages (/home/runner/work/_actions/github/codeql-action/v2/lib/analyze.js:79:13)
    at async finalizeDatabaseCreation (/home/runner/work/_actions/github/codeql-action/v2/lib/analyze.js:96:5)
    at async runFinalize (/home/runner/work/_actions/github/codeql-action/v2/lib/analyze.js:259:5)
    at async run (/home/runner/work/_actions/github/codeql-action/v2/lib/analyze-action.js:78:9)
    at async runWrapper (/home/runner/work/_actions/github/codeql-action/v2/lib/analyze-action.js:212:9)
```

In your logs, look for an exception with the output `[build-stderr]`; that is where the real failure is reported.

## [build-stderr] java.lang.OutOfMemoryError: Java heap space
```
[build-stderr] Exception while extracting /home/runner/work/path/to/file/myfile.js.
[build-stderr] java.lang.OutOfMemoryError: Java heap space
[build-stderr]     at java.base/java.util.HashMap.resize(Unknown Source)
[build-stderr]     at java.base/java.util.HashMap.putVal(Unknown Source)
[build-stderr]     at java.base/java.util.HashMap.put(Unknown Source)
[build-stderr]     at java.base/java.util.HashSet.add(Unknown Source)
[build-stderr]     at com.semmle.js.extractor.LocationManager.emitLocationsDefault(LocationManager.java:156)
[build-stderr]     at com.semmle.js.extractor.LocationManager.emitFileLocation(LocationManager.java:146)
[build-stderr]     at com.semmle.js.extractor.LocationManager.emitSnippetLocation(LocationManager.java:141)
[build-stderr]     at com.semmle.js.extractor.LocationManager.emitNodeLocation(LocationManager.java:126)
[build-stderr]     at com.semmle.js.extractor.LexicalExtractor.extractTokens(LexicalExtractor.java:166)
[build-stderr]     at com.semmle.js.extractor.JSExtractor.extract(JSExtractor.java:113)
[build-stderr]     at com.semmle.js.extractor.JSExtractor.extract(JSExtractor.java:59)
[build-stderr]     at com.semmle.js.extractor.ScriptExtractor.extract(ScriptExtractor.java:85)
[build-stderr]     at com.semmle.js.extractor.FileExtractor.extractContents(FileExtractor.java:545)
[build-stderr]     at com.semmle.js.extractor.FileExtractor.extract(FileExtractor.java:452)
[build-stderr]     at com.semmle.js.extractor.AutoBuild.doExtract(AutoBuild.java:1122)
[build-stderr]     at com.semmle.js.extractor.AutoBuild.lambda$extract$8(AutoBuild.java:1106)
[build-stderr]     at com.semmle.js.extractor.AutoBuild$$Lambda$29/0x00000008000d4950.run(Unknown Source)
[build-stderr]     at java.base/java.util.concurrent.CompletableFuture$AsyncRun.run(Unknown Source)
[build-stderr]     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
[build-stderr]     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
[build-stderr]     at java.base/java.lang.Thread.run(Unknown Source)
```

It is best to use the [paths-ignore](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#specifying-directories-to-scan) feature to exclude the offending file (`myfile.js` in the log above; `opencv.js` in the issue referenced below). It would look something like this:

```yml
paths-ignore:
  - '**/myfile.js'
```

In general, when a repository contains a huge JS file that is the output of a compiler/bundler process, it is best to exclude it. As an example, opencv.js is from the OpenCV project, in which case it is the result of translating C++ code to JS using Emscripten. This source code is unreadable and it wouldn't be helpful to get code scanning alerts in such files anyway.
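To find the generated JavaScript that belongs in `paths-ignore` before the extractor runs out of heap on it, here is an added Python example (not part of this guide or the CodeQL project) that flags files by size, maximum line length and bundler markers and renders the `paths-ignore` block. The thresholds and marker strings are assumptions to tune per repository, and the sample tree it builds is constructed.

```python
"""Flag JavaScript files that look like compiler/bundler output so they can be
listed under paths-ignore before the CodeQL extractor runs out of heap on them."""
import os
import tempfile
from pathlib import Path

# Assumed thresholds: tune them for your repository.
SIZE_LIMIT = 1 * 1024 * 1024   # 1 MiB of JavaScript is almost never hand-written
LINE_LIMIT = 5000              # minified or Emscripten output packs code into huge lines
MARKERS = ("//# sourceMappingURL=", "emscripten", "webpackBootstrap", "webpackJsonp")
SKIP_DIRS = {"node_modules", ".git"}  # never part of the scan anyway


def looks_generated(path: Path, size_limit: int = SIZE_LIMIT,
                    line_limit: int = LINE_LIMIT) -> bool:
    """Return True when the file shows any sign of being generated output."""
    if path.stat().st_size >= size_limit:
        return True
    with path.open("r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(64 * 1024)  # the first 64 KiB is enough for the heuristics
    if any(len(line) > line_limit for line in head.splitlines()):
        return True
    return any(marker in head for marker in MARKERS)


def find_generated_js(root: Path) -> list[str]:
    """Walk root and return repo-relative POSIX paths of generated-looking JS files."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if name.endswith((".js", ".mjs", ".cjs")):
                candidate = Path(dirpath) / name
                if looks_generated(candidate):
                    hits.append(candidate.relative_to(root).as_posix())
    return sorted(hits)


def paths_ignore_block(paths: list[str]) -> str:
    """Render the paths-ignore section for a CodeQL config file."""
    return "\n".join(["paths-ignore:"] + [f"  - '{p}'" for p in paths]) + "\n"


def demo() -> list[str]:
    """Build a constructed sample tree and return the paths that would be ignored."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "app.js").write_text("function main() {\n  return 1;\n}\n")
        (root / "vendor").mkdir()
        # Constructed stand-in for an Emscripten artifact: one enormous line.
        (root / "vendor" / "opencv.js").write_text("var a=" + "1+" * 4000 + "1;\n")
        (root / "dist").mkdir()
        (root / "dist" / "bundle.js").write_text(
            "/* bundle */\n//# sourceMappingURL=bundle.js.map\n")
        (root / "node_modules").mkdir()
        (root / "node_modules" / "dep.js").write_text("x" * 6000 + "\n")  # skipped dir
        return find_generated_js(root)


if __name__ == "__main__":
    print(paths_ignore_block(demo()))
```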

References:
- https://github.com/github/codeql/issues/9056#issuecomment-1120793848

--------------------------------------------------------------------------------
/troubleshooting/dependabot/failed-codeql-analysis.md:
--------------------------------------------------------------------------------
### What is the problem
A recent change to Dependabot means that workflows triggered by Dependabot run with read-only permissions, as if they were run from a fork. Unfortunately this has impacted code scanning workflows that run on push, because uploading code scanning results requires write access.

Code scanning workflows that run on the pull_request event are not affected because of an existing feature that gives the token provided by Actions the ability to upload code scanning results for that pull request and only that pull request. We can't currently, and don't plan to, make a similarly targeted exception for Dependabot pushes, and giving it the ability to upload code scanning results for any ref would be insecure.

Unfortunately, pretty much the only thing we can do is change the error message to make it clearer what's going on. In #435 the error message will change to explain the problem and link to some documentation. That change will go live next week. An error message like that is not enough space to explain it fully, so we will also publish a more detailed explanation in the documentation and link to that once it's available.

### Only use the pull_request event for dependabot PRs
The good news is that it's easy to work around the above restrictions. Instead of running code scanning on pushes to every branch, you can get the same code scanning coverage by only running on pushes to a smaller set of branches (e.g. main, develop, release branches, ...) and then also running on the pull_request event for PRs targeting these branches.

See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-on-push for how we recommend setting up code scanning, and see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags for more info on the branches/branches-ignore syntax. The default workflow has changed over time, so if you set up code scanning a while ago your workflow may be different from what's in those docs.

The simplest set of workflow triggers, which will still likely work for the majority of projects, might look like:

```yml
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
```
An alternative approach that runs on all pushes except Dependabot's would be:

```yml
on:
  push:
    branches-ignore:
      - 'dependabot/**'
  pull_request:
```

### Analysis still failing on the default branch
You may still run into cases where code scanning fails on commits made by Dependabot even once the commit has been merged into the default branch. Quite a few of the examples earlier in this issue are this case. The reason is that in some cases the commit that gets merged into the default branch is solely authored by Dependabot, and thus the workflow runs with read-only permissions.

From what we can tell, the only case where this can happen is if the Dependabot PR is merged by using the `@dependabot squash and merge` syntax. Our advice would be to avoid using this syntax if at all possible. Thankfully the new feature to [automatically merge a pull request](https://docs.github.com/en/github/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request) may be able to help here and fulfill the same functionality.

### Retrying analysis
Another thing to note is that performing certain actions on a workflow run changes its state from having Dependabot as the actor that triggered the workflow to you triggering the workflow. This includes things like merging main into the PR, or retrying the workflow run. When the workflow run is retried it'll run with write permissions and code scanning will succeed.

Be aware that you may be running untrusted code, so check what change Dependabot has made to avoid security breaches from compromised dependencies. If you are happy with it, then retrying the failed workflow run should make it succeed.

--------------------------------------------------------------------------------
/troubleshooting/sarif-upload/troubleshooting.md:
--------------------------------------------------------------------------------
## SARIF Upload Errors

For the latest information about troubleshooting SARIF errors, see "[Troubleshooting SARIF uploads](https://docs.github.com/en/code-security/code-scanning/troubleshooting-sarif-uploads)." If anything is missing, or you can see anything that can be improved, open an issue in [`docs-content`](https://github.com/github/docs-content/issues/new?template=improve-existing-docs.yml) with the details.

* Test environment - GHES 3.2.1 + CodeQL CLI 2.7.2

:gift: wrong ref (`ref/heads/main` instead of `refs/heads/main`):
```
codeql github upload-results --github-url=https://cmboling-0bd0debab4ff16db0.ghe-test.ninja/ --sarif=results.sarif --ref=ref/heads/main --commit=5f538e43c27e91cd3e31c5a12b136b69d61a744f --repository=santa-foss/jubilant-octo-pancake --github-auth-stdin=ghp_somethingsomethingsomething
A fatal error occurred: Error uploading SARIF to 'https://cmboling-0bd0debab4ff16db0.ghe-test.ninja/api/v3/repos/santa-foss/jubilant-octo-pancake/code-scanning/sarifs' from '/Users/cmboling/Desktop/jubilant-octo-pancake/results.sarif'.
REASON: HTTP/1.1 422 Unprocessable Entity:::{"message":"Invalid request.\n\nref/heads/main does not match /^refs\\/(heads|pull|tags)\\/.*$/.","documentation_url":"https://docs.github.com/enterprise/3.2/rest/reference/code-scanning#upload-a-sarif-file"}
```

:santa: bad credentials:
```
codeql github upload-results --github-url=https://cmboling-0bd0debab4ff16db0.ghe-test.ninja/ --sarif=results.sarif --ref=refs/heads/main --commit=5f538e43c27e91cd3e31c5a12b136b69d61a744f --repository=santa-foss/jubilant-octo-pancake --github-auth-stdin=ghp_somethingsomethingsomethin
A fatal error occurred: Error uploading SARIF to 'https://cmboling-0bd0debab4ff16db0.ghe-test.ninja/api/v3/repos/santa-foss/jubilant-octo-pancake/code-scanning/sarifs' from '/Users/cmboling/Desktop/jubilant-octo-pancake/results.sarif'. REASON: HTTP/1.1 401 Unauthorized:::{"message":"Bad credentials","documentation_url":"https://docs.github.com/enterprise/3.2/rest"}
```

:gift: missing token:
```
codeql github upload-results --github-url=https://cmboling-0bd0debab4ff16db0.ghe-test.ninja/ --sarif=results.sarif --ref=refs/heads/main --commit=5f538e43c27e91cd3e31c5a12b136b69d61a744f --repository=santa-foss/jubilant-octo-pancake
A fatal error occurred: A GitHub token is required to upload SARIF results but none was specified.
(eventual cause: MissingTokenException "An operation was attempted that requires a GitHub token but one could not be fou..."
```

:santa: misspelled repo name:
```
codeql github upload-results --github-url=https://cmboling-0bd0debab4ff16db0.ghe-test.ninja/ --sarif=results.sarif --ref=refs/heads/main --commit=5f538e43c27e91cd3e31c5a12b136b69d61a744f --repository=santa-foss/jubilant-octo-pancak --github-auth-stdin=ghp_somethingsomethingsomething
A fatal error occurred: Error uploading SARIF to 'https://cmboling-0bd0debab4ff16db0.ghe-test.ninja/api/v3/repos/santa-foss/jubilant-octo-pancak/code-scanning/sarifs' from '/Users/cmboling/Desktop/jubilant-octo-pancake/results.sarif'. REASON: HTTP/1.1 404 Not Found:::{"message":"Not Found","documentation_url":"https://docs.github.com/enterprise/3.2/rest/reference/code-scanning#upload-a-sarif-file"}
```

:gift: bad token (no security event scope):
```
codeql github upload-results --github-url=https://cmboling-0bd0debab4ff16db0.ghe-test.ninja/ --sarif=results.sarif --ref=refs/heads/main --commit=5f538e43c27e91cd3e31c5a12b136b69d61a744f --repository=santa-foss/jubilant-octo-pancake --github-auth-stdin=ghp_falalalala
A fatal error occurred: Error uploading SARIF to 'https://cmboling-0bd0debab4ff16db0.ghe-test.ninja/api/v3/repos/santa-foss/jubilant-octo-pancake/code-scanning/sarifs' from '/Users/cmboling/Desktop/jubilant-octo-pancake/results.sarif'.
REASON: HTTP/1.1 403 Forbidden:::{"message":"You are not authorized to write security events.","documentation_url":"https://docs.github.com/enterprise/3.2/rest/reference/code-scanning#upload-a-sarif-file"}
```

:santa: GHAS not enabled but have a valid token:
```
codeql github upload-results --github-url=https://cmboling-0bd0debab4ff16db0.ghe-test.ninja/ --sarif=results.sarif --ref=refs/heads/main --commit=5f538e43c27e91cd3e31c5a12b136b69d61a744f --repository=santa-foss/jubilant-octo-pancake --github-auth-stdin=ghp_somethingsomethingsomething
A fatal error occurred: Error uploading SARIF to 'https://cmboling-0bd0debab4ff16db0.ghe-test.ninja/api/v3/repos/santa-foss/jubilant-octo-pancake/code-scanning/sarifs' from '/Users/cmboling/Desktop/jubilant-octo-pancake/results.sarif'. REASON: HTTP/1.1 403 Forbidden:::{"message":"Advanced Security must be enabled for this repository to use code scanning.","documentation_url":"https://docs.github.com/enterprise/3.2/rest/reference/code-scanning#upload-a-sarif-file"}
```

:gift: posting SARIF to the wrong repo (where GHAS isn't enabled):
```
codeql github upload-results --github-url=https://cmboling-0bd0debab4ff16db0.ghe-test.ninja/ --sarif=results.sarif --ref=refs/heads/main --commit=5f538e43c27e91cd3e31c5a12b136b69d61a744f --repository=santa-foss/fluffy-potato --github-auth-stdin=ghp_somethingsomethingsomething
A fatal error occurred: Error uploading SARIF to 'https://cmboling-0bd0debab4ff16db0.ghe-test.ninja/api/v3/repos/santa-foss/fluffy-potato/code-scanning/sarifs' from '/Users/cmboling/Desktop/jubilant-octo-pancake/results.sarif'.
REASON: HTTP/1.1 403 Forbidden:::{"message":"Advanced Security must be enabled for this repository to use code scanning.","documentation_url":"https://docs.github.com/enterprise/3.2/rest/reference/code-scanning#upload-a-sarif-file"}
```

:gift: posting SARIF when the SSL certificate is not trusted:
```bash
curl \
  -X POST \
  -k \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer " \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/OWNER/REPO/code-scanning/sarifs \
  -d '{"commit_sha":"","ref":"refs/heads/master","sarif":""}'
```
Note that `-k` turns off certificate verification for the request; on a GHES instance signed by an internal CA, passing that CA with `--cacert` instead keeps the upload verified.

More information on the API can be found [here](https://docs.github.com/en/rest/code-scanning?apiVersion=2022-11-28#upload-an-analysis-as-sarif-data).

## SARIF Parsing Errors

### Code Scanning could not process the submitted SARIF file: rejecting SARIF, as there are more runs than allowed (123 > 15)
The GitHub API that accepts SARIF uploads enforces a limit on the number of runs per uploaded file (15) and rejects any file that exceeds it.

See the limits for the various thresholds in the [REST API documentation](https://docs.github.com/en/rest/code-scanning?apiVersion=2022-11-28#upload-an-analysis-as-sarif-data):
* Runs per file
* Results per run
* Rules per run
* Tool extensions per run
* Thread Flow Locations per result
* Locations per result
* Tags per rule

### A fatal error occurred: SARIF file is too large. The GitHub code scanning API accepts a max file size of 2000MB. This file is xxxxMB. File: "xyz.sarif"
- alternatively: `failed decompressing file from the path: "upload /xyz.sarif.gz": maximum SARIF size exceeded`

First, review the recommendations per language to reduce the amount of code being scanned (e.g. removing test or demo code from the scan in an attempt to remove unwanted detections from the SARIF). A detailed analysis of the SARIF file may show a massive number of results from a single rule; in this case [excluding that rule from the analysis](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#excluding-specific-queries-from-analysis) would be the best solution. Alternatively, use a tool like the [filter-sarif action](https://github.com/advanced-security/filter-sarif) to rewrite the SARIF file to exclude specific detections via an exclusion pattern.

If there are many deep code paths highlighted in the SARIF, pass `--max-paths=0` (or 1) to the analyze step or to the `database analyze` CLI command to get rid of the dataflow paths and reduce the SARIF size that way (NOTE: this affects all rules).

```yml
- name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@v2
  env:
    CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths", 1]}}'
```

## Tools to rewrite SARIF
- `jq`
- [Microsoft's SARIF tool](https://github.com/microsoft/sarif-sdk/blob/main/docs/multitool-usage.md)
- [Dr. House's SARIF CLI](https://github.com/hohn/sarif-cli)
- [advanced-security/filter-sarif action](https://github.com/advanced-security/filter-sarif)
--------------------------------------------------------------------------------
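The two size reductions described above (dropping dataflow paths, and excluding the one rule that dominates the results) can be tried offline before re-running the analysis. The following is an added Python example, not code from this repository or from any of the tools listed; it analyses a constructed SARIF 2.1.0 document, checks the runs-per-file limit quoted on this page, and applies both reductions in place so their effect on file size can be compared.

```python
"""Inspect a SARIF file for the rule that dominates the results, then shrink it by
dropping dataflow paths or that rule's results. Added example with constructed input."""
import json
from collections import Counter

MAX_RUNS = 15  # runs-per-file limit quoted in the "more runs than allowed" error above


def results_per_rule(sarif: dict) -> Counter:
    """Count results per ruleId across all runs; one dominant rule is the usual
    reason a SARIF file balloons past the size limit."""
    counts = Counter()
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            counts[res.get("ruleId", "<no ruleId>")] += 1
    return counts


def check_run_count(sarif: dict, max_runs: int = MAX_RUNS) -> list[str]:
    """Report the one limit this page quotes; the other per-run thresholds are in
    the REST API documentation linked above."""
    runs = sarif.get("runs", [])
    if len(runs) > max_runs:
        return [f"more runs than allowed ({len(runs)} > {max_runs})"]
    return []


def strip_code_flows(sarif: dict) -> int:
    """Delete codeFlows (the dataflow paths) from every result in place; this is
    what --max-paths=0 avoids emitting. Returns the number of flows removed."""
    removed = 0
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            removed += len(res.pop("codeFlows", []))
    return removed


def drop_rule(sarif: dict, rule_id: str) -> int:
    """Remove every result for one ruleId in place (the filter-sarif style fix for
    a noisy query). Returns the number of results removed."""
    removed = 0
    for run in sarif.get("runs", []):
        kept = [r for r in run.get("results", []) if r.get("ruleId") != rule_id]
        removed += len(run.get("results", [])) - len(kept)
        run["results"] = kept
    return removed


def sarif_bytes(sarif: dict) -> int:
    """Size of the document as it would be written to disk."""
    return len(json.dumps(sarif).encode("utf-8"))


def build_sample() -> dict:
    """Constructed SARIF 2.1.0 document: 300 results from one noisy rule, each with
    a three-step code flow, plus a single result from a second rule."""
    def flow(steps: int) -> dict:
        return {"threadFlows": [{"locations": [
            {"location": {"physicalLocation": {
                "artifactLocation": {"uri": "src/app.js"},
                "region": {"startLine": i}}}} for i in range(1, steps + 1)]}]}
    noisy = [{"ruleId": "js/log-injection", "message": {"text": f"flow {i}"},
              "codeFlows": [flow(3)]} for i in range(300)]
    other = [{"ruleId": "js/unused-local-variable", "message": {"text": "unused"}}]
    return {"version": "2.1.0",
            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [{"tool": {"driver": {"name": "CodeQL"}}, "results": noisy + other}]}


def demo() -> dict:
    """Run the analysis and both reductions on the sample; returns the key figures."""
    sarif = build_sample()
    before = sarif_bytes(sarif)
    top_rule, top_count = results_per_rule(sarif).most_common(1)[0]
    flows_removed = strip_code_flows(sarif)
    after_flows = sarif_bytes(sarif)
    results_removed = drop_rule(sarif, top_rule)
    return {"top_rule": top_rule, "top_count": top_count,
            "flows_removed": flows_removed, "results_removed": results_removed,
            "bytes_before": before, "bytes_after_flows": after_flows,
            "bytes_after_rule": sarif_bytes(sarif), "problems": check_run_count(sarif)}
```

On a real file, load it with `json.load`, apply only the reduction you actually want, and write the result back before uploading.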