code-scanning

Subscribe to all “code-scanning” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

We have released improvements to the code scanning API:

  • We've added the fixed_at timestamp to alerts. This is the first time that the alert was not detected in an analysis. You can use this data to better understand when code scanning alerts are being fixed.
  • We've enabled sorting of alert results using sort and direction on either created, updated or number. Use this to see the alerts that are most important to you first. For more information, see List code scanning alerts for a repository.
  • We've added a Last-Modified header to the alerts and alert endpoint response. For more information, see Last-Modified in the Mozilla documentation.
  • We've added relatedLocations to the SARIF response when you request a code scanning analysis. The field may contain locations which are not the primary location of the alert. See an example in the SARIF spec and read about getting a code scanning analysis for a repository.
  • We've added help and tags data to the webhook response alert rule object. For more information, see Code scanning alert webhooks events and payloads.
  • PATs with the public_repo scope now have write access for code scanning endpoints on public repos, if the user has permission. This is a bug fix and is now inline with the documentation.

For more information, see the Code scanning in the API reference.

See more

We’ve improved the depth of CodeQL's Python analysis by adding support for more libraries and frameworks, including:

  • FastAPI
  • aiomysql
  • aiopg
  • asyncpg
  • Django REST framework
  • The os.path module
  • Flask-Admin
  • toml
  • ruamel.yaml
  • SQLAlchemy

As a result, CodeQL can now detect even more potential sources of untrusted user data, steps through which that data flows, and potentially dangerous sinks in which this data could end up. This results in an overall improvement of the quality of the code scanning alerts.

We carefully choose and prioritize the libraries and frameworks supported by CodeQL based on their popularity and through user feedback. These improvements are now available to users of CodeQL code scanning on GitHub.com, and will also be available in the next release of GitHub Enterprise Server (3.4).

See more

The latest release of the CodeQL CLI supports including markdown-rendered query help in SARIF files so that the help text can be viewed in the code scanning UI. This functionality is now available for code scanning on GitHub.com and will be available in GitHub Enterprise Server 3.4.

The CodeQL query help text is displayed in the code scanning UI whenever the query generates an alert. The query help explains the problem in more detail, and shows examples of vulnerable and fixed code. Until now, code scanning only displayed the query help for alerts generated by the default CodeQL queries. With the release of CodeQL CLI 2.7.1, the query help for your own custom queries will be uploaded to GitHub and displayed in code scanning.

Example of custom CodeQL query help

Writing query help for custom CodeQL queries

When you write your own queries, we recommend that you write a query help file so that other users can properly understand the impact an alert has on the security of their code. For custom query help in your repository there are no restrictions on the content, but we recommend that you follow the Query help style guide to make the help text as useful as possible.

You should write query help for custom queries in your repository in a markdown file alongside the corresponding query. CodeQL code scanning looks for query help files written in markdown that share the same name as the corresponding query file. For example, if your query file is MyCustomQuery.ql, the query help file should be named MyCustomQuery.md.

For users of 3rd party CI/CD systems

When using CodeQL with GitHub Actions, the query help will automatically be imported from markdown files that are stored alongside the corresponding custom queries. The query help is inserted into SARIF files generated during the analysis step and made available in the code scanning UI.

If you use a different CI/CD system, you have to add the --sarif-add-query-help flag to the codeql database analyze command to include the query help in your SARIF results files. For more information, see Analyzing databases with the CodeQL CLI.

See more

It's now easier to debug problems with CodeQL code scanning: an optional flag in the Actions workflow file will trigger diagnostic data to be uploaded as an artifact to your Actions run. To do this, you can modify the init step of your Actions workflow:

- name: Initialize CodeQL
  uses: github/codeql-action/init@v1
  with:
    debug: true

The data will be uploaded as an Actions artifact named debug-artifacts, attached to the workflow run. Such artifacts contain CodeQL logs, CodeQL databases, and the SARIF files that were produced.

These artifacts will help you when you're debugging problems with CodeQL code scanning. When contacting GitHub support, they might ask for this data too.

Learn more about Troubleshooting the CodeQL workflow.

See more

We’ve improved the depth of CodeQL's analysis by adding support for more libraries and frameworks and increasing the coverage of our existing library and framework models. JavaScript analysis now supports most common templating languages, and Java now covers more than three times the endpoints of previous CodeQL versions. As a result, CodeQL can now detect even more potential sources of untrusted user data, steps through which that data flows, and potentially dangerous sinks in which this data could end up. This results in an overall improvement of the quality of the code scanning alerts.

We carefully choose and prioritize the libraries and frameworks supported by CodeQL based on their popularity and through user feedback. These improvements are now available to users of CodeQL code scanning on GitHub.com, and will also be available in the next release of GitHub Enterprise Server (3.3).

Java

We've improved coverage for the following libraries:

JavaScript

We've added support for the following templating languages:

Learn more about CodeQL and code scanning.

See more

Developers and security researchers using the CodeQL CLI and VS Code extension can now build databases and analyze code on machines powered by Apple Silicon (e.g. Apple M1).

In order to use the CodeQL CLI and/or the VS Code extension on Apple Silicon, please make sure to install the Xcode command-line developer tools and Rosetta 2.

For detailed instructions on how to set up the CLI on supported platforms, please refer to the CodeQL CLI guide.

Learn more about CodeQL and code scanning.

See more

Code scanning alerts now integrate with GitHub Issues task lists to make it easy to prioritize and track your alerts with all your development work.

You can use the task list feature in markdown to track a code scanning alert in an issue. When you add a code scanning alert to a task list in an issue, a "tracked in" pill will show on the corresponding alert page. The code scanning alerts page also shows which alerts are tracked in issues.

You can also create a new issue from a code scanning alert, which automatically adds the code scanning alert to a task list in the new issue.
Demo: tracking code scanning alerts in task lists

This feature has now shipped in beta for all users on GitHub.com.

Learn more about tracking code scanning alerts in Issues using task lists.

See more

Ruby is the 10th most popular language within the open source community. To help more open source maintainers and organizations find potential vulnerabilities in their code, we’ve added Ruby support (beta) to the CodeQL engine that powers GitHub code scanning.

Our CodeQL analysis identifies security issues in your code, along with the flow of data to the vulnerable location. To help secure services and tools created with Ruby, the CodeQL beta release spots many of the most common security issues:

We’ve been putting this beta through its paces by analyzing some of the world's largest Ruby codebases at GitHub and select customers. The feedback has been overwhelmingly positive, and in many cases CodeQL identified real vulnerabilities, all while keeping the number of false-positives at a minimum.

CodeQL for Ruby is available by default in GitHub.com code scanning, the CodeQL CLI, and the CodeQL extension for VS Code starting today. It will also be included in GitHub Enterprise Server 3.4. Ruby joins the list of supported CodeQL languages, which also includes C/C++, C#, Java, JavaScript/TypeScript, Python, and Go.

We currently support all common Ruby versions, up to and including 3.02. Check out the documentation for more details on compatibility.

To start using the new Ruby analysis, simply update your existing workflow file by adding Ruby to the language matrix:

jobs:
  analyze:
    name: Analyze
    ...
    strategy:
      fail-fast: false
      matrix:
        # add here
        language: ['ruby']

If you’re new to code scanning, set up a CodeQL analysis workflow from the Security tab in your repository.

Want to contribute or write your own CodeQL queries for Ruby? This guide will help you get started.

To give us feedback, join the Ruby beta discussion in the public CodeQL repository, which is also a good place to ask questions about anything CodeQL.

See more

Code scanning runs analysis tools that scan your code on the triggers defined in your .yml Actions workflow file. The default CodeQL workflow analyzes your code each time you push a change to the default branch and when you raise a pull request against the default branch.

We have made some improvements for users who are not able to run analyses using the default on:pull_request GitHub Actions trigger). These changes will make it easier to use code scanning for users of other CI/CD platforms, as well as users who can only use the on:push triggers in Actions.

Scanning pull requests (using GitHub Actions)

If you use GitHub Actions, we recommend that you configure code scanning to analyse all pull requests using the on:pull_request trigger in the Actions workflow (default). Developers will see code scanning results right in their pull requests, alongside the code review by their colleagues.

The pull_request trigger also produces the most accurate results: alerts shown on the pull request are identified by comparing the results for the pull request merge commit against the target branch baseline. This best reflects the future state of the code after the pull request has been merged.

Scanning code on every push (using GitHub Actions)

You can also scan your code using the on:push triggers, which will perform a scan each time you push code to a branch (regardless of whether there is a pull request).

Previously, alerts identified in on:push workflows would not show up on any pull request. However, our recent changes have improved this. When an on:push scan returns results that we can map to a pull request, we will flag up these alerts on the PR. The alerts shown on the PR are those identified by comparing the existing analysis of the head of the branch to the analysis for the target branch that you are merging against. Note that if the pull request's merge commit is not used, alerts can be less accurate when compared to the approach that uses on:pull_request triggers.

This is a less cost effective way to use code scanning because your code will be analysed each time you push to the branch, even before a pull request is opened.

If you scan both on:push and on:pull_request, we will choose to show the results from the merge analysis.

Scanning on push (or for every commit) using other CI/CD systems

Some other CI/CD systems can exclusively be configured to trigger a pipeline when code is pushed to a branch, or even exclusively for every commit. This is a less cost effective way to run code scanning, but with our recent improvements we will now provide alerts in developers' pull requests using this approach. Whenever such an analysis pipeline is triggered and results are uploaded to the SARIF API, code scanning will try to match the analysis results to an open pull request. If an open pull request is found, the results will be published as described above.

How do I update my Actions workflow to use the pull_request trigger?

  1. If you are setting up code scanning for the first time, use the default CodeQL analysis workflow which will scan the merge commit on pull request.

  2. If you have setup code scanning to scan on push and would like to update it to scan on the pull request, update your .yml workflow file to look like this:

on:
  push:
    branches: [ main ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ main ]

You will still need to analyze your default branch on:push because it provides the base analysis for the comparison.

  1. If you have setup code scanning to scan the head commit on pull request and would like to update it to scan the merge commit, delete the following lines from your .yml workflow file:
     - run: git checkout HEAD^2
       if: ${{ github.event_name == 'pull_request' }}

Read more about setting up code scanning using Actions.

See more

We've added support for Java 16 standard language features (such as records and pattern matching) to CodeQL. Code using those features can now benefit from CodeQL's security analysis as part of code scanning.

We also continue to support older Java versions. CodeQL is able to analyze code written in Java version 7 through 16.

Learn more about CodeQL and code scanning.

See more

GitHub code scanning with CodeQL works seamlessly with GitHub Actions. For users of other CI/CD systems, we provided a way to run the code analysis using the CodeQL runner. The CodeQL runner acts as the glue between your CI/CD system and the CodeQL analysis engine (CLI).

In response to customer feedback, we have now transferred all CodeQL runner functionality natively into the CodeQL CLI. This means that there are fewer components to install, use, and update if you're running CodeQL code scanning on a 3rd party CI/CD system.

As of CodeQL CLI 2.6.2 (released today), there is now full feature parity between the CodeQL CLI and the runner. We are therefore announcing the deprecation of the CodeQL runner. This affects users of 3rd party CI/CD systems; users of CodeQL code scanning on GitHub Actions are not affected.

Deprecation timeline: GitHub Enterprise Server (GHES)

The CodeQL runner will continue to be part of the GitHub Enterprise Server releases up to and including the 3.3.x series. It will no longer be part of GitHub Enterprise Server starting the 3.4.0 (scheduled for 2022). The CodeQL CLI is a feature-complete replacement for the CodeQL runner, and is fully compatible with GitHub Enterprise Server.

Deprecation timeline: GitHub.com (including GitHub Enterprise Cloud)

The CodeQL bundle will continue to contain the CodeQL runner until March 2022. In the run-up to the final release we will start displaying clear deprecation warnings. After March 2022, code scanning API change on GitHub.com will likely not be compatible with older CodeQL runner releases. The CodeQL CLI is a feature-complete replacement for the CodeQL runner, and is fully compatible with GitHub.com.

How does this affect me?

If you’re using CodeQL code scanning on GitHub Actions, you are not affected by this change.

If you’ve configured code scanning to run the CodeQL runner inside another CI/CD system, we recommend migrating to the CodeQL CLI as soon as possible. Version 2.6.2 of the CodeQL CLI has full feature parity with the CodeQL runner and allows you to analyze codebases on 3rd party CI/CD systems in the same way as the CodeQL runner.

New users of CodeQL code scanning should use CodeQL CLI version >= 2.6.2.

What actions should I take?

You should configure your CI/CD system to use the CodeQL CLI before March 2022 and/or before upgrading to GHES 3.4.0. When setting up the CodeQL CLI, we recommend that you test the CodeQL CLI set up to verify that the CLI is correctly configured to create and analyze databases.

Learn more about how to migrate from the CodeQL runner to CodeQL CLI 2.6.2 here.

See more

You can now easily find all alerts associated with your pull request with the new pull request filter on the code scanning alerts page.

To show all the code scanning alerts for a specific pull request, type 'pr:123' in the Filter alerts text box. This will return both the alerts that the pull request introduces and the existing alerts on the branch.

PR filter

The pull request checks page shows the alerts introduced in a pull request, but not existing alerts on the pull request branch. The new "View all branch alerts" link on the Checks page takes you to the code scanning alerts page with the specific PR filter already applied, so you can see all the alerts associated with your PR. This can be useful to manage lots of alerts, and to see more detailed information for individual alerts.

View all code scanning alerts screenshot

See more

The CodeQL package manager is now available in public beta on GitHub.com. CodeQL packages can contain CodeQL queries and CodeQL libraries — and of course you can express dependencies between packs. You can upload your packs to the package registry on GitHub.com, and CodeQL will automatically fetch any required dependencies when running queries from a pack. This makes it simple to create and share CodeQL queries and libraries!

CodeQL packs of course also integrate with GitHub code scanning (example below). Alternatively, you can use packs using the CodeQL CLI (version 2.6.0-beta.1 and up) on your local machine. More documentation about CodeQL packs can be found here.

Integrating CodeQL packs into GitHub code scanning workflows

You can integrate CodeQL packs into GitHub code scanning workflows by specifying that you want to run the CodeQL 2.6.0 beta version, and then specify the pack(s) you'd like to run. For example:

 - uses: github/codeql-action/init@v1
   with:
     tools: https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.6.0-beta.1
     packs: codeql/csharp-queries1@~1.2.3, octo-org/csharp-security

Alternatively, you can select CodeQL packs by specifying a list of package references in the packs section of your CodeQL configuration file. For example:

     - queries/DeadCodeCondition.ql
     - queries/GlobalUseBeforeInit.qls
   packs:
     - codeql/csharp-queries@~1.2.3  # latest version compatible with 1.2.3
     - octo-org/csharp-security      # latest version 

For more information, see Configuring code scanning.

Standard CodeQL packs

All of our own CodeQL queries and libraries are now also released as CodeQL packs at github.com/codeql.

For each language there is a query pack containing all CodeQL queries for that language (from our open source repository). These packs are named codeql/<language>-queries. For example, the CodeQL pack containing the standard C/C++ queries is called codeql/cpp-queries.

We've also released packs with all CodeQL standard libraries for each language. These packs are named codeql/<language>-all (e.g. codeql/cpp-all). If you're writing your own query pack, you'll likely want to express a dependency on the CodeQL standard libraries for that language.

CodeQL pack visibility

You can choose the permission levels required for users to view and access your CodeQL packs. Currently, all CodeQL packs default to Internal and should manually be set to Public. If you want to make your CodeQL pack visible to everyone, go to the settings section of the package and Change package visibility to Public.

Downloading CodeQL packs

All CodeQL packs can be downloaded and installed using the CodeQL CLI. You do not need to use the docker pull command shown on the package page. For more information, see Publishing and using CodeQL packs.

For more information, see About CodeQL packs.

See more

We have shipped improvements to the code scanning alerts branch filter! These changes make it clearer which code scanning alerts are being displayed on the alerts page.

By default, the code scanning alerts are filtered to show alerts for the default branch of the repository only. You can use the branch filter to display the alerts on any of the non-default branches. Any branch filter that has been applied is shown in the search bar.

We have simplified the search syntax to the format branch: You can use this syntax multiple times in the search bar to filter on multiple branches. The previous syntax ref:refs/heads/[branch name] is still supported, so any saved URLs will continue to work.

Branch filter

See more

New severity levels for security alerts

We now show security-severity levels for CodeQL security alerts in code scanning. security-severity levels help you understand in more detail the risks posed by security alerts, allowing you to assess the potential impact of the alerts, and make the right decision on which alerts to fix first. The severity level of security alerts can be critical, high, medium, or low.

The new security-severity levels are displayed on all security alerts. For example, if a PR triggers security alerts, the security-severity is visible on the alert annotations under the Files changed tab. You can also see the security-severity for each alert present in a repository by clicking Security > Code scanning alerts.

security-severity

About security severity levels

Security severity levels are displayed on code scanning alerts that are generated by security queries.
CodeQL automatically calculates security-severity levels and assigns an exact numerical score to each security query. To calculate the security-severity of an alert, we first group all CVEs reported by the CWEs assigned to the security query. We then calculate the 75th percentile of the CVSS score for those CVEs. Finally, we translate numerical scores to critical, high, medium, or low using the following definitions:

Severity Score Range
None 0.0
Low 0.1 – 3.9
Medium 4.0 – 6.9
High 7.0 – 8.9
Critical 9.0 – 10.0

Defining which security-severity levels cause pull request check failure

By default, any code scanning alerts with a security-severity of critical or high will cause pull request check failure. You can specify which security-severity level for code scanning results should cause check failure by going to the Security & Analysis tab in the repository settings.

security-settings

Severity levels for non-security alerts

Severity levels for non-security alerts remain as error, warning, or note. By default, any code scanning results with the severity of error will cause check failure. You can change this setting using the dropdown on the Security & Analysis tab in the repository settings. It allows two selections that apply to the security and non-security alerts.

Security severity levels in the code scanning API

You can also access security_severity_level data for security queries using the /alerts endpoint of the code scanning API.

How to add security-severity to a CodeQL query

You can add the expected security-severity level to the your custom security queries by adding the numerical score to the @security-severity query metadata property in the .ql file.

The new security-severity levels for security queries have been deployed to GitHub.com. These improvements will also be available in GitHub Enterprise Server 3.2.

Learn more about CodeQL and code scanning by reading the documentation.

See more