Trying GitHub code scanning for the first time

Shi

4 min read · Jul 18, 2020

Finally, after a few weeks of waiting, I got beta access to GitHub code scanning!

I forked WebGoat to give it a spin.

Navigate to the Security tab and look for ‘code scanning alerts’ to set it up.

This landed me on the CodeQL Analysis workflow,

Okay, no surprise, this is implemented as a GitHub Action. So not really a surprise.

The default workflow template looks like this:

```yaml
name: "CodeQL"

on:
  push:
    branches: [develop, ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [develop]
  schedule:
    - cron: '0 17 * * 4'

jobs:
  analyse:
    name: Analyse
    runs-on: ubuntu-latest

    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
      with:
        # We must fetch at least the immediate parents so that if this is
        # a pull request then we can checkout the head.
        fetch-depth: 2

    # If this run was triggered by a pull request event, then checkout
    # the head of the pull request instead of the merge commit.
    - run: git checkout HEAD^2
      if: ${{ github.event_name == 'pull_request' }}

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v1
      # Override language selection by uncommenting this and choosing your languages
      # with:
      #   languages: go, javascript, csharp, python, cpp, java

    # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
      uses: github/codeql-action/autobuild@v1

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl

    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
    #    and modify them (or add more) to build your code if your project
    #    uses a compiled language

    #- run: |
    #   make bootstrap
    #   make release

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v1
```

Since I already had a Maven build workflow from my last experiment, every commit now triggers two workflows.

A few things I had to change to make it suitable for WebGoat:

— change the build step to run ‘mvn clean install’

— add ‘-DskipTests’ to save some time

— add a step to set up JDK 11
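Putting those three changes together gives a workflow like the one below. This is an added example assembled from the template above and the three edits just listed; it is not the author's appendix file, and it assumes actions/setup-java@v1 for the JDK step and an explicit `languages: java` override for the init step (both are my choices, not something the post states).

```yaml
name: "CodeQL"

on:
  push:
    branches: [develop]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [develop]
  schedule:
    - cron: '0 17 * * 4'

jobs:
  analyse:
    name: Analyse
    runs-on: ubuntu-latest

    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
      with:
        fetch-depth: 2

    - run: git checkout HEAD^2
      if: ${{ github.event_name == 'pull_request' }}

    # Added step: WebGoat needs a Java 11 JDK on the runner before it can build.
    # Assumption: actions/setup-java@v1 with its 'java-version' input.
    - name: Set up JDK 11
      uses: actions/setup-java@v1
      with:
        java-version: 11

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v1
      with:
        # Assumption: name the language explicitly rather than relying on detection.
        languages: java

    # Replaces the Autobuild step. For Java, CodeQL builds its database by
    # tracing the compiler, so this step must come AFTER 'init' and must
    # compile every module you want analysed. '-DskipTests' only skips
    # running the tests; test sources are still compiled and scanned.
    - name: Build with Maven
      run: mvn clean install -DskipTests

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v1
```

Two things worth checking when adapting this: the Maven step has to sit between `init` and `analyze`, because any compilation that happens before `init` is invisible to the CodeQL tracer and the resulting database will be empty or partial; and if you want to exclude test code from the database entirely, use `-Dmaven.test.skip=true` instead of `-DskipTests`, since the latter still runs `test-compile`.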

Now when I go back to the Security tab, it leads me to ‘view alerts’.

Here is a list of defects:

Issue filtering:

Take a close look at some defects:

Another one:

I tried to fix the “Inefficient regular expression” defects and checked in.

A pleasant surprise…

My observations:

The stunning design:

1. The scan results are directly available in the Security tab.
2. The issues are presented in source context with annotations.
3. Recommendations and remediation guidance are given.
4. The defect reports reference the OWASP Top 10, CERT Java, and CWE.
5. Defects can be filtered by severity, open date, branch, tag, rule, etc.
6. A defect is automatically closed if it is no longer detected in a later CI job.

My wishes:

1. I wish the defects were created under the Issues tab.
2. Code scanning is not able to detect the language and package manager by itself.
3. There seems to be no way to combine multiple GitHub Action runs in one go.
4. The number of findings for benchmark projects like WebGoat and NodeGoat is too small.

Appendix: the full workflow file is at https://github.com/whoissqr/WebGoat-w-github-action-codeql-analysis/blob/develop/.github/workflows/codeql-analysis.yml


Shi

I am a coder/engineer/application security specialist. I like to play around with languages and tools; I have a strong interest in efficiency improvement.