CodeQL

This guide integrates CodeQL code scanning with SecDim's interactive training: CodeQL writes its findings as a SARIF file, the SecDim Sandbox Action adds a link to a matching training environment to each finding, and the enriched file is uploaded to GitHub, so a developer reading an alert in the Security tab can go straight to a sandbox for that class of issue.

Set Up CodeQL in Your Repository

Code scanning must be enabled for the repository (on private repositories it requires GitHub Advanced Security), and the workflow needs a github/codeql-action/init step that declares the languages to analyze before the analyze step described next. If CodeQL is not set up yet, the complete example at the end of this page is a working starting point.

Generate SARIF Output Using CodeQL

CodeQL's analyze step writes its findings in SARIF 2.1.0 without any extra flag. Its output input names a directory, not a file: the action writes one file per analyzed language into it, so a JavaScript analysis produces sarif-results/javascript.sarif with the settings below. The step also uploads its results to GitHub by default; upload: never turns that off so that only the enriched file produced later in this guide reaches the Security tab. The copy step gives the file the codeql.sarif name used by the rest of this guide (change the source file name if you analyze a different language):

- name: Run CodeQL to check for vulnerabilities
  uses: github/codeql-action/analyze@v3
  with:
    output: sarif-results
    upload: never

- name: Collect the CodeQL SARIF file
  run: cp sarif-results/javascript.sarif codeql.sarif

Together these two steps run CodeQL and leave the results in codeql.sarif in the workspace. Use v3 of github/codeql-action: v2 is deprecated, and note that analyze has no sarif_file input; the file name is always derived from the language.

Upload the SARIF File to GitHub

This step is optional. The analyze step uploads its own results unless its upload input is set to never, and the enriched file uploaded at the end of this guide carries every finding from codeql.sarif plus the training links. Upload the raw file only if you also want the un-enriched results visible in GitHub's Security tab, for example while debugging the enrichment:

- name: Upload CodeQL SARIF results
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: codeql.sarif

The job that uploads needs the security-events: write permission. GitHub treats uploads for the same commit, tool and category as one analysis and keeps the latest, so uploading both the raw and the enriched file does not create duplicate alerts; the later enriched upload simply replaces this one.

Integrate SecDim for In-Context Training

SecDim offers a GitHub Action that parses SARIF files and enriches them with links to interactive secure code training environments. Add the following step to your workflow:

- name: Run SecDim Sandbox Action
  uses: secdim/sandbox-action@v1.0.1
  with:
    input_sarif_file: codeql.sarif
    output_sarif_file: codeql.enriched.sarif

This action takes the original codeql.sarif file, processes it to include links to relevant SecDim Sandboxes, and outputs the enriched SARIF file as codeql.enriched.sarif.
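To make concrete what "enriching" a SARIF file means, and to give you a check to run between the SecDim step and the upload step, here is an added Python example. It is not the SecDim Sandbox Action's code and it does not know SecDim's real link scheme: TRAINING_BASE_URL and the per-rule path are assumptions for illustration, and the input SARIF is a constructed, CodeQL-shaped document rather than real scan output. enrich() attaches a link to each result's message and to each rule's helpUri, and check_enriched() counts how many results actually carry a link, which is the number you would want to equal the total before uploading.

```python
"""Added example: what SARIF enrichment looks like, plus a pre-upload check.

Not SecDim's sandbox-action code. TRAINING_BASE_URL and the per-rule path are
assumptions for illustration; SAMPLE_SARIF is a constructed, CodeQL-shaped
SARIF 2.1.0 document, not real scan output.
"""
import copy
import json
from typing import Tuple

TRAINING_BASE_URL = "https://training.example/sandbox"  # assumed placeholder


def _result(uri: str, line: int) -> dict:
    """Build one constructed CodeQL-shaped result for SAMPLE_SARIF."""
    return {
        "ruleId": "js/sql-injection",
        "ruleIndex": 0,
        "level": "error",
        "message": {"text": "This query depends on a user-provided value."},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}],
    }


# Constructed input: one rule, two results, in the shape CodeQL emits.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [{
            "id": "js/sql-injection",
            "shortDescription": {"text": "Database query built from user-controlled sources"},
        }]}},
        "results": [_result("src/db.js", 42), _result("src/report.js", 77)],
    }],
}


def training_link(rule_id: str) -> str:
    """Map a CodeQL rule id to a training URL (assumed scheme, not SecDim's)."""
    return f"{TRAINING_BASE_URL}/{rule_id}"


def enrich(sarif: dict) -> dict:
    """Return a copy of `sarif` with a training link on every result and rule.

    The link is appended to result.message.text (the text shown in the code
    scanning alert) and set as the rule's helpUri. Running it again on already
    enriched input changes nothing, so the step is safe to repeat.
    """
    out = copy.deepcopy(sarif)
    for run in out.get("runs", []):
        for result in run.get("results", []):
            rule_id = result.get("ruleId")
            if not rule_id:
                continue
            link = training_link(rule_id)
            message = result.setdefault("message", {})
            text = message.get("text", "")
            if link not in text:
                message["text"] = f"{text}\n\nPractice fixing this issue: {link}"
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            rule.setdefault("helpUri", training_link(rule["id"]))
    return out


def check_enriched(sarif: dict, marker: str = TRAINING_BASE_URL) -> Tuple[int, int]:
    """Return (total results, results whose message carries a training link).

    Run this on the enriched file before uploading; if the two numbers differ,
    some findings would reach the Security tab without an in-context link.
    """
    total = linked = 0
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            total += 1
            if marker in result.get("message", {}).get("text", ""):
                linked += 1
    return total, linked


def enrich_file(in_path: str, out_path: str) -> Tuple[int, int]:
    """Enrich a SARIF file on disk and return check_enriched() of the output."""
    with open(in_path, encoding="utf-8") as f:
        sarif = json.load(f)
    enriched = enrich(sarif)
    with open(out_path, "w", encoding="utf-8") as f:
        json.dump(enriched, f, indent=2)
    return check_enriched(enriched)


if __name__ == "__main__":
    print("before:", check_enriched(SAMPLE_SARIF))          # (2, 0)
    print("after: ", check_enriched(enrich(SAMPLE_SARIF)))  # (2, 2)
```

In a workflow, the equivalent gate is a short run step after the SecDim action that loads codeql.enriched.sarif, calls check_enriched(), and fails the job when the two counts differ, so an enrichment problem stops the upload instead of silently shipping plain alerts.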

Upload the Enriched SARIF File

Upload codeql.enriched.sarif so that the findings GitHub displays are the ones carrying the in-context training links:

- name: Upload Enriched SARIF results
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: codeql.enriched.sarif

Once GitHub has processed the file, each alert in the Security tab shows its link to SecDim's interactive training. If you also uploaded the raw codeql.sarif in an earlier step, this upload replaces it, because both describe the same commit, tool and category.

Complete Example Workflow

name: CodeQL Analysis
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript

      - name: Run CodeQL to check for vulnerabilities
        uses: github/codeql-action/analyze@v3
        with:
          output: sarif-results
          upload: never

      # analyze names its output after the language; the rest of the workflow uses codeql.sarif
      - name: Collect the CodeQL SARIF file
        run: cp sarif-results/javascript.sarif codeql.sarif

      - name: Run SecDim Sandbox Action
        uses: secdim/sandbox-action@v1.0.1
        with:
          input_sarif_file: codeql.sarif
          output_sarif_file: codeql.enriched.sarif

      - name: Upload Enriched SARIF results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: codeql.enriched.sarif