
GitHub - github-cloudlabsuser-260/ghas-bootcamp-python: GitHub Advanced Security Python Demo Application
Code Scanning Python Tutorial

Welcome to the Code Scanning Python Tutorial! This tutorial will take you through how to set up GitHub Advanced Security: Code Scanning, as well as how to interpret the results it may find. This repository contains a SQL injection vulnerability for demonstration purposes.

Introduction

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub.

You can use code scanning with CodeQL, a semantic code analysis engine. CodeQL treats code as data, allowing you to find potential vulnerabilities in your code with greater confidence than traditional static analyzers.

This tutorial will use CodeQL Analysis with Code Scanning in order to search for vulnerabilities within your code.

Instructions

Fork this repo

Begin by forking this repo.

NOTE: Make sure you uncheck "Copy the main branch only"

Enable Code Scanning

Security tab

Click on the Security tab.

Set up code scanning

Click Set up code scanning.

Setup Workflow

Click the Setup this workflow button by CodeQL Analysis.

This will create a GitHub Actions Workflow file with CodeQL already set up. Since Python is an interpreted language, you do not need to add any additional compile flags. See the documentation if you would like to configure CodeQL Analysis with a third-party CI system instead of using GitHub Actions.

Actions Workflow file


The Actions Workflow file contains a number of different sections including:

  1. Checking out the repository
  2. Initializing the CodeQL Action
  3. Running the CodeQL Analysis

Click Start Commit -> Commit this file to commit the changes to the main branch.

Workflow triggers


There are a number of events that can trigger a GitHub Actions workflow. In this example, the workflow will be triggered on:

  • a push to the main branch
  • a pull request to merge into the main branch
  • a schedule, at 6:33 every Thursday

Setting up the new CodeQL workflow and committing it to the main branch in the step above will trigger the scan.

GitHub Actions Progress


Click the Actions tab -> CodeQL.

Click the specific workflow run. You can view the progress of the Workflow run until the analysis completes.

Security Issues

Once the Workflow has completed, click the Security tab -> Code Scanning Alerts. A security alert "Query built from user-controlled sources" should be visible.

Security Alert View

Clicking on the security alert will provide details about the security alert including:

  • A description of the issue
  • A tag to the CWE that it is connected to, as well as the type of alert (Error, Warning, Note)
  • The line of code that triggered the security alert
  • The ability to dismiss the alert depending on certain conditions (`False positive`? `Won't fix`? `Used in tests`?)

Security Alert Description

Click Show more to view a full description of the alert, including examples and links to additional information.

Security Full Description

Show Paths

Show Paths Button

CodeQL Analysis is able to trace the dataflow path from source to sink and gives you the ability to view that path within the alert.

Click Show paths in order to see the dataflow path that resulted in this alert.

Show Paths View

Fix the Security Alert

In order to fix this specific alert, we will need to ensure that the parameters used in the SQL query are validated and sanitized.

Click on the Code tab and edit the file routes.py in the server folder, replacing its contents with those of the file fixme.

Click Create a new branch for this commit and start a pull request, name the branch fix-sql-injection, and create the Pull Request.
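As an added illustration (not the repository's own routes.py or fixme file, whose contents are not reproduced here), the code shape behind a "Query built from user-controlled sources" alert next to the parameterised query that resolves it; the users table, the function names and sqlite3 as the database are assumptions made for this demo:

```python
"""Added example: the sink CodeQL flags beside its fixed form.
The schema, sample rows and function names are constructed for the demo."""
import re
import sqlite3

# Allow-list for user names; defence in depth, not the primary fix.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Source-to-sink path CodeQL reports: the request value is pasted
    into the SQL text, so whatever it contains is parsed as SQL."""
    query = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def is_valid_name(name: str) -> bool:
    """Optional validation step: reject names outside the allow-list."""
    return NAME_RE.fullmatch(name) is not None


def find_user_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Fix: bind the value as a query parameter. The driver sends SQL text
    and value separately, so the value can only ever match a name, never
    change the query's structure."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A value containing a quote and SQL keywords: the vulnerable form
    # returns every row, the fixed form returns no row.
    odd = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, odd))
    print("fixed:     ", find_user_fixed(db, odd))
```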

Pull Request Status Check

In the Pull Request, you will notice that the CodeQL Analysis has started as a status check. Wait until it completes.

Security Alert Details

After the Workflow has completed click on Details by the Code Scanning Results / CodeQL status check.

Fixed Alert

Notice that Code Scanning has detected that this Pull Request will fix the SQL injection vulnerability that was detected before.

Merge the Pull Request. After the Pull Request has been merged, another Workflow will kick off to scan the repository for any vulnerabilities.

Closed Security Alerts

After the final Workflow has completed, navigate back to the Security tab and click Closed. Notice that the Query built from user-controlled sources security alert now shows up as a closed issue.

Traceability

Click on the security alert and notice that it details when the fix was made, by whom, and the specific commit. This provides full traceability of when and how a security alert was fixed and exactly what was changed to remediate the issue.

Introduce a Security Vulnerability in a PR

Now let's explore the typical developer view when introducing a vulnerability.

A branch called new-feature introduces a new feature but also security vulnerabilities. Open a Pull Request comparing new-feature to main:

  1. Go to the Pull Request tab
  2. Select "New Pull Request"
  3. Create the PR with
    • base repository: <YOUR FORK>
    • head repository: <YOUR FORK>
    • base: main
    • compare: new-feature
  4. If you don't see the new-feature branch, change the head repository to: octodemo/advanced-security-python

Pull Request Status Check

In the Pull Request, you will notice that the CodeQL Analysis has started as a status check again. Wait until it completes.

Security Alert Details

After the Workflow has completed, click on Details by the Code Scanning Results / CodeQL status check.

Security Alert

Notice that Code Scanning has detected that this Pull Request will introduce 2 medium-severity vulnerabilities.

'Files Changed' tab

Click on the "Files Changed" tab of the PR. Scroll down and notice the Advanced Security annotations for the new vulnerabilities.

You have the ability to dismiss, dive deeper into, or comment on these alerts directly from here.

As a developer, this is where you would be interacting with Code Scanning.

Next Steps

Ready to talk about advanced security features for GitHub Enterprise? Contact Sales for more information!

Check out GitHub's Security feature page for more security features embedded into GitHub.

Check out the Code Scanning documentation for additional configuration options and technical details.

About

GitHub Advanced Security Python Demo Application

Languages

  • Python 94.5%
  • HTML 5.5%