Short link for this resource: go.techtrainertim.com/codeql
- CodeQL & GitHub Advanced Security: Ultimate Resource Hub
- Table of Contents
- Quick Start
- Contact Information
- Microsoft Learn Modules
- Pluralsight Courses
- Tools & Resources
- GitHub Copilot
- GHAS Security Features
- Sample CodeQL Workflow
- CI/CD & Security Automation
- Best Practices & Pro Tips
- Troubleshooting & FAQ
- Community & Support
- Glossary
- Further Learning
- Certification Paths
- Contribute & Feedback
- Enable GitHub Advanced Security (docs)
- Add the CodeQL workflow (sample YAML)
- Push code or open a PR to trigger scanning
- Review alerts in the Security tab
- Fix, commit, and repeat!
- Code Scanning with GitHub CodeQL
- Configure Code Scanning on GitHub
- Identify Security Vulnerabilities Using CodeQL
- GitHub Advanced Security Overview
- Maintain a secure repository by using GitHub best practices
- Introduction to GitHub Copilot
- Implementing Software Supply Chain Security with GitHub
- Enabling Secure Software Development in GitHub
- GitHub CodeQL Documentation
- CodeQL CLI
- SARIF Viewer for VS Code
- GitHub Security Lab
- OWASP Top 10
- SBOM Overview
- Copilot Documentation
- Copilot Best Practices
- Copilot Chat Cookbook
- Essentials of GitHub Copilot (Learning Pathway)
- Introduction to GitHub Copilot (MS Learn)
- Copilot Certification Study Guide
- CodeQL: Static code analysis for vulnerabilities (docs)
- Dependabot: Automated dependency updates (docs)
- Secret Scanning: Detect secrets in code (docs)
- Copilot: AI-powered code suggestions (docs)
```yaml
name: "CodeQL"
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 8 * * 4'   # weekly scheduled scan, Thursdays 08:00 UTC
# Least-privilege token: uploading code scanning results needs security-events: write
permissions:
  actions: read
  contents: read
  security-events: write
jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false          # keep analyzing other languages if one fails
      matrix:
        language: ['javascript']
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
```
- Dependabot: Enable automated dependency updates
- Secret Scanning: Prevent secrets in code
- SBOM Generation: Generate SBOMs in CI
- Sample GitHub Actions Security Workflow: GitHub Actions Security Best Practices
- DRY & SOLID: Modularize queries and workflows for reuse and clarity.
- Fail Fast: Use `fail-fast: false` in matrix jobs for full coverage (one failing language does not cancel analysis of the others).
- Observability: Integrate structured logging (e.g., Winston for Node.js).
- Shift Left: Run scans on every PR, not just main.
- Security Gates: Block merges on critical findings (branch protection docs)
- SBOMs: Always generate and store SBOMs for compliance.
- CodeQL Action Fails?
  - Check GitHub Actions logs
  - Validate your workflow YAML with YAML Lint
- No Alerts Showing?
  - Ensure your repo has supported languages and code
  - Confirm GHAS is enabled
- SARIF Not Rendering?
  - Use the SARIF Viewer
- Need More Help?
- CodeQL: Query language for code analysis.
- GHAS: GitHub Advanced Security.
- SARIF: Static Analysis Results Interchange Format.
- SBOM: Software Bill of Materials.
- Secret Scanning: Automated detection of secrets in code.
- Dependabot: Automated dependency update tool.
- Copilot: AI-powered code completion and chat.
- GitHub Security Blog
- YouTube: GitHub Security
- OWASP Cheat Sheet Series
- Cybersecurity for Beginners (Microsoft)
- GitHub Certifications Overview
- Register for GitHub Certifications
- GitHub Advanced Security Certification
- GitHub Copilot Certification
- GitHub Actions Certification
- GitHub Foundations Certification
- SC-900: Security, Compliance, & Identity Fundamentals
- SC-100: Cybersecurity Architect
- SC-200: Security Operations Analyst
- SC-300: Identity and Access Administrator
- Spot a broken link or want to suggest a resource? Open an issue or PR, or contact Tim directly.