Enable code scanning to secure your source code

Ensuring the security of application source code is a critical step in modern software development. In this GitHub Skills course, you will learn to use GitHub code scanning to identify, resolve, and prevent insecure coding patterns.

Step 1: Enable CodeQL

👋 Hello! Welcome to the GitHub Skills course: Enable code scanning!

Let's get started!

In this first step, we'll be learning more about CodeQL and how to use it to secure your source code.

What is GitHub code scanning: Code scanning is a capability that allows development teams to integrate security testing tools into the software development process. This is done using GitHub Actions. With code scanning, you can integrate many different types of tools including SAST, container, and infrastructure as code security tools.

What is CodeQL: CodeQL is a static analysis testing tool that helps you identify security weaknesses such as SQL injection, cross-site scripting, and code injection issues.

⌨️ Activity: Enable code scanning with CodeQL

First, we will enable code scanning with CodeQL in our repository.

  1. Open a new browser tab, and work on the steps in your second tab while you read the instructions in this tab.
  2. Navigate the to Settings tab at the top of your newly created repository.
  3. Under the Security section on the left side, select Code security and analysis.
  4. Scroll down to the section titled Code scanning. For the purpose of this course, we will focus on CodeQL analysis.
  5. Click on the Set up dropdown menu and choose Default.

enable-code-scanning-default.png

Let's take a look at the configuration options in the modal:

  • Languages to analyze: These are the languages that will be scanned by CodeQL. In this case, we will be scanning in Python.
  • Query suites: CodeQL queries are packaged in bundles called "suites". This section allows you to choose which query suite to use. We'll leave this set as Default for this exercise. For more information, see "About CodeQL queries."
  • Events: This section tells CodeQL when to scan. In this case, it's set to scan on any pull request to the main branch.

codeql-default-configuration-box.png

  1. Click Enable CodeQL
  2. Wait about 20 seconds then refresh this page (the one you're following instructions from). GitHub Actions will automatically update to the next step.

Get help: Post in our discussion boardReview the GitHub status page

© 2023 GitHub • Code of ConductMIT License