CodeQL Setup - EL-Kae/SAST_DAST_Tools GitHub Wiki
Below is the step-by-step process to set up our SAST tool on a repo. Advanced Security should be turned on by default, but if it is not, the steps to enable it are included here. In this example we will be enabling the tool on an imaginary repo.
- Go to the repo's settings: "Settings" > "Security" > "Code security and analysis".
- Click the "Enable" button for "GitHub Advanced Security".
- Agree to the prompt by clicking "Enable Advanced Security for this repository".
- Next to "Code scanning", click the "Set up" button; this redirects you to the code scanning page.
- Click "Set up this workflow" in the "CodeQL Analysis" box.
- Once in the editor, delete the entire file and replace its content with the SAST template.
- This file is the master file that should be used in all repositories regardless of programming language. It runs security scans on most major programming languages.
- Once you're done editing the file, click the green "Start commit" button.
- Give a description of what was done.
- Lastly, commit your changes by clicking the green "Commit changes" button.
- Once the file has been created and pushed to the default branch, the action should start automatically.
- Wait for the run to finish and view your results.
- The process described above only needs to be done once, at the beginning of the development lifecycle. Once done, the scan will run every time new code is pushed to the default branch or a pull request is merged. Set it and forget it.