Skip to content

[FEATURE]: add codeQL as SAST #243

Open
Open
[FEATURE]: add codeQL as SAST#243
Labels
help wantedExtra attention is needed
@haochengxia

Description

@haochengxia
haochengxia
opened on Jun 27, 2025

Integrate GitHub CodeQL into our CI pipeline for automated Static Application Security Testing (SAST)

Feature Category: Build system improvement

Use Cases:

  • Early Detection: Developers get immediate security feedback.
  • Prevent Merges: Stop vulnerable code from reaching main branches.
  • Continuous Monitoring: Track existing and prevent new vulnerabilities.
  • Compliance: Aid in audits with scan records.

Alternatives Considered: SonarQube, Snyk, Checkmarx. CodeQL's deep GitHub integration, cost (free for public repos), and customizability make it preferable.

Implementation:

  • Create .github/workflows/codeql-analysis.yml.
  • Configure to run on push and pull_request for relevant branches.
  • Specify programming languages.
  • Ensure alerts appear in GitHub Security and PR checks.
  • Consider path exclusions (e.g., tests).
  • Commit package-lock.json for npm command pinning.

Additional Context: CodeQL uses semantic analysis for accurate vulnerability detection.

Metadata

Metadata

Assignees

No one assigned

    Labels

    help wantedExtra attention is needed

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions