CodeQL
CodeQL is a Static Application Security Testing (SAST) tool which checks for vulnerability signatures in a repository’s codebase. It is configured as a reusable workflow and should be included as a job in the CI pipeline of all GOV.UK repositories. A reusable workflow design was selected so that enhancements to the scanning process can be managed centrally.
Add CodeQL to a project
To use the CodeQL reusable workflow, add the following job to the jobs section of your CI workflow:

```yaml
codeql-sast:
  name: CodeQL SAST scan
  uses: alphagov/govuk-infrastructure/.github/workflows/codeql-analysis.yml@main
  permissions:
    security-events: write
```
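A complete caller workflow showing where that job sits alongside an ordinary test job, as an added example rather than the page's own snippet; the file name, the `test` job and its `bundle exec rake` command are assumptions:

```yaml
# Constructed example: .github/workflows/ci.yml in a hypothetical GOV.UK repo.
# Only the codeql-sast job is the prescribed addition; the test job is illustrative.
name: CI

on:
  push:
    branches: [main]
  pull_request:

jobs:
  test:
    name: Run test suite
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: bundle exec rake   # placeholder for the repo's real test command

  # Reusable CodeQL SAST scan, maintained centrally in govuk-infrastructure.
  # Because the workflow also triggers on pull_request, the PR-specific
  # "Code scanning results" check is populated for each PR's diff.
  codeql-sast:
    name: CodeQL SAST scan
    uses: alphagov/govuk-infrastructure/.github/workflows/codeql-analysis.yml@main
    # The called workflow uploads results to code scanning, which requires
    # security-events: write on the calling job.
    permissions:
      security-events: write
```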
Where to find Security Alerts
To find the security alerts for a repo, first go to the Security tab of the repo and then choose the Code Scanning option under Vulnerability Alerts in the sub-menu. This is where all alerts can be found.
Additionally, when a PR is created, CodeQL scans the diff to identify vulnerabilities in the new code. These PR specific alerts can be found on the Checks tab of the PR: select “Code scanning results” and then “CodeQL”.
Dealing with Security Alerts
Currently, CodeQL is configured to only identify vulnerabilities of a high severity and high precision. Additionally, it will not fail the test when vulnerabilities are found: it will only create an alert and move on. This is to reduce the number of false positives and avoid wasting developer time. Over time, we intend to tune the dial to make CodeQL more strict.
CodeQL will provide a recommendation on how to resolve a vulnerability along with references for additional research.
Alerts can be resolved either by fixing the identified vulnerability or by dismissing the alert as a false positive. More details on this can be found in the CodeQL documentation. If you do decide to ignore a warning, you must include a note outlining why it is a false positive and not a security vulnerability.
Troubleshooting
CodeQL scans may fail because they cannot find source code for a specified language, despite detecting other languages:
```text
Extracting javascript
Extracting ruby
Finalizing javascript
Finalizing ruby
/opt/hostedtoolcache/CodeQL/2.17.1/x64/codeql/codeql database finalize --finalize-dataset --threads=4 --ram=14567 /home/runner/work/_temp/codeql_databases/ruby
CodeQL detected code written in JavaScript/TypeScript, but not any written in Ruby. Confirm that there is some source code for Ruby in the project. For more information, review our troubleshooting guide at https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build .
Error: Encountered a fatal error while running "/opt/hostedtoolcache/CodeQL/2.17.1/x64/codeql/codeql database finalize --finalize-dataset --threads=4 --ram=14567 /home/runner/work/_temp/codeql_databases/ruby". Exit code was 32 and last log line was: CodeQL detected code written in JavaScript/TypeScript, but not any written in Ruby. Confirm that there is some source code for Ruby in the project. For more information, review our troubleshooting guide at https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build . See the logs for more details.
```
There is currently no solution to this problem. Removing all code in the problematic language might resolve the issue, but this is not a viable option for most projects.