{"id":28264,"date":"2021-07-07T15:25:27","date_gmt":"2021-07-07T15:25:27","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/cppblog\/?p=28264"},"modified":"2021-07-07T15:25:27","modified_gmt":"2021-07-07T15:25:27","slug":"code-scanning-with-github-actions","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/cppblog\/code-scanning-with-github-actions\/","title":{"rendered":"Code Scanning C++ with GitHub Actions"},"content":{"rendered":"<p>Last year, GitHub <a href=\"https:\/\/github.blog\/2020-09-30-code-scanning-is-now-available\/\">released code scanning<\/a>, which enables developers to incorporate security checks into their CI\/CD environment and developer workflow. This post demonstrates the basics of using CodeQL, the analysis engine behind code scanning, with GitHub Actions.<\/p>\n<h2>What is CodeQL?<\/h2>\n<p><a href=\"https:\/\/codeql.github.com\/docs\/codeql-overview\/\">CodeQL<\/a> is an analysis engine that automates security checks by running queries against a database generated from your codebase. This CodeQL database is created during the build process and represents the source code in relational form. 
By default, code scanning runs standard CodeQL queries written by GitHub researchers and the community, but you can also author your own custom queries.<\/p>\n<p>The default set includes queries such as \u201cPointer overflow check\u201d, \u201cPotentially overflowing call to snprintf\u201d, \u201cUncontrolled format string\u201d, and more.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/Capture.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-28274\" src=\"https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/Capture.jpg\" alt=\"Image Capture\" width=\"2366\" height=\"1274\" srcset=\"https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/Capture.jpg 2366w, https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/Capture-300x162.jpg 300w, https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/Capture-1024x551.jpg 1024w, https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/Capture-768x414.jpg 768w, https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/Capture-1536x827.jpg 1536w, https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/Capture-2048x1103.jpg 2048w\" sizes=\"(max-width: 2366px) 100vw, 2366px\" \/><\/a><\/p>\n<h2>Setting up CodeQL with GitHub Actions<\/h2>\n<p>Code scanning with CodeQL is free for public repositories, and is part of GitHub Advanced Security for GitHub Enterprise. Here are instructions for the quick, <a href=\"https:\/\/docs.github.com\/en\/code-security\/secure-coding\/automatically-scanning-your-code-for-vulnerabilities-and-errors\/setting-up-code-scanning-for-a-repository\">4-click setup process<\/a>. 
Alternatively, I\u2019ve included a gif of the steps below:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/codeqlsetup.gif\"><img decoding=\"async\" class=\"alignnone size-full wp-image-28267\" src=\"https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/codeqlsetup.gif\" alt=\"Image codeqlsetup\" width=\"2080\" height=\"1342\" \/><\/a><\/p>\n<p>And just like that, you\u2019re off to the races! The default CodeQL analysis workflow is configured to analyze your code each time you push a change or raise a pull request against the default branch. This means code scanning automatically happened after I committed the new file directly to the main branch.<\/p>\n<p>You can <a href=\"https:\/\/docs.github.com\/en\/code-security\/secure-coding\/automatically-scanning-your-code-for-vulnerabilities-and-errors\/setting-up-code-scanning-for-a-repository#viewing-the-logging-output-from-code-scanning\">view the logging output<\/a> of the scan under the Actions tab, and you can <a href=\"https:\/\/docs.github.com\/en\/code-security\/secure-coding\/automatically-scanning-your-code-for-vulnerabilities-and-errors\/managing-code-scanning-alerts-for-your-repository\">view\/manage any code scanning alerts<\/a> under the Security tab.<\/p>\n<h2>Baselining<\/h2>\n<p>Sometimes, especially for large legacy codebases, the number of alerts can be overwhelming. For that reason, CodeQL only shows new\/fixed alerts in pull requests. 
If you want to manage existing alerts, you can do so in the \u201cCode scanning alerts\u201d section under the \u201cSecurity\u201d tab.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/Capture2-scaled.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-28275\" src=\"https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/Capture2-scaled.jpg\" alt=\"Image Capture2\" width=\"2500\" height=\"1138\" srcset=\"https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/Capture2-scaled.jpg 2500w, https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/Capture2-300x137.jpg 300w, https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/Capture2-1024x466.jpg 1024w, https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/Capture2-768x350.jpg 768w, https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/Capture2-1536x699.jpg 1536w, https:\/\/devblogs.microsoft.com\/cppblog\/wp-content\/uploads\/sites\/9\/2021\/06\/Capture2-2048x932.jpg 2048w\" sizes=\"(max-width: 2500px) 100vw, 2500px\" \/><\/a><\/p>\n<p>It\u2019s important to understand the distinction between <em>Dismiss<\/em> and <em>Delete<\/em>. One key distinction is that by <em>Dismissing<\/em> an alert, the same code won\u2019t regenerate the alert. By <em>Deleting<\/em> an alert, the same code will generate the same alert the next time it is scanned. In the case that you want to bulk-dismiss alerts, you can do this from the summary of alerts (after filtering the list to whatever set of alerts you\u2019d like to dismiss).<\/p>\n<h2>Feedback<\/h2>\n<p>This post just scratches the surface of code scanning in your CI\/CD environment. Once you understand the basics, you may choose to author your own custom CodeQL queries or adjust the frequency of scanning. 
We hope you give code scanning with GitHub Actions a try, and we look forward to your feedback.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last year, GitHub released code scanning, which enables developers to incorporate security checks into their CI\/CD environment and developer workflow. This post demonstrates the basics of using CodeQL, the analysis engine behind code scanning, with GitHub Actions. What is CodeQL? CodeQL is an analysis engine that automates security checks by running queries against a database [&hellip;]<\/p>\n","protected":false},"author":329,"featured_media":28274,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-28264","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cplusplus"],"acf":[],"blog_post_summary":"<p>Last year, GitHub released code scanning, which enables developers to incorporate security checks into their CI\/CD environment and developer workflow. This post demonstrates the basics of using CodeQL, the analysis engine behind code scanning, with GitHub Actions. What is CodeQL? 
CodeQL is an analysis engine that automates security checks by running queries against a database [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/posts\/28264","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/users\/329"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/comments?post=28264"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/posts\/28264\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/media\/28274"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/media?parent=28264"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/categories?post=28264"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/tags?post=28264"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}