Intermediate · Lesson 3 of 10

Code Scanning

Use static code analysis to detect security flaws early, in pull requests and on the main branch.

Simple Explanation (ELI5)

Code scanning is like an automated security reviewer that reads your code and flags risky patterns before merge.

Technical Explanation

Code scanning analyzes source or build artifacts for security issues such as injection flaws, insecure deserialization, and unsafe cryptography. In GHAS, CodeQL queries produce findings mapped to source lines and data flow paths.

Visual Section

PR Commit -> CodeQL Analyze -> Alert Created -> Fix + Re-run

Hands-on Commands

```yaml
name: codeql-analysis
on:
  pull_request:            # scan every PR before merge
  push:
    branches: ["main"]     # and every commit that lands on main
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write   # required to upload SARIF results to the Security tab
    strategy:
      matrix:
        language: ["javascript"]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3   # runs the queries and uploads the results
```

Debugging Scenarios

Real-world Use Case

Code scanning detected a SQL injection pattern in a dynamic query builder. The team replaced string concatenation with parameterized queries before release.

Interview Questions

Beginner

What is static code analysis?

Analyzing code without executing it to find defects and vulnerabilities.

What does CodeQL do?

Runs semantic queries over code databases to detect security issues.

Why run scans on PRs?

To prevent introducing vulnerabilities into main.

What is SARIF alert mapping?

Associating findings to exact file and line context.

Can code scanning replace pen tests?

No, it complements but does not replace dynamic and manual testing.

Intermediate

How do you reduce false positives responsibly?

Validate trace path, tune rules, and suppress with documented justification.

What checks should block merge?

At minimum high and critical severity unresolved findings.

How do you handle monorepo scanning?

Use path filters and matrix strategy per language/component.

Why is the security-events permission required?

To upload scan results back to GitHub security UI.

When do you run full versus incremental scans?

Incremental on PRs, full-depth scheduled on main/nightly.
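
The three answers above (per-component matrix with path filters, the security-events permission, and a scheduled full-depth scan on main) fit in one workflow. The following is an added example written for this lesson, not a workflow from GitHub or from the lesson itself; the directory names, the component names and the config file location are assumptions.

```yaml
# Added example (not from the lesson): one CodeQL workflow for a monorepo.
# Directories, component names and the config file path are assumptions.
name: codeql-monorepo
on:
  pull_request:
    # PR runs only trigger when a scanned component (or this file) changes.
    paths:
      - "web/**"
      - "services/api/**"
      - ".github/workflows/codeql-monorepo.yml"
  push:
    branches: ["main"]
  schedule:
    # Weekly full scan with the extended query suite, off the PR critical path (UTC).
    - cron: "30 2 * * 1"
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write   # upload results to the repository's Security tab
    strategy:
      fail-fast: false         # a failure in one component must not cancel the others
      matrix:
        include:
          - language: javascript
            component: web
          - language: python
            component: services/api
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # paths / paths-ignore for each component live in the config file
          config-file: ./.github/codeql/codeql-config.yml
          # Scheduled runs use the broader suite; PR and push runs keep the default suite.
          queries: ${{ github.event_name == 'schedule' && 'security-extended' || '' }}
      - uses: github/codeql-action/analyze@v3
        with:
          # A distinct category per language and component keeps each upload separate,
          # so one analysis cannot close alerts that belong to another component.
          category: "/language:${{ matrix.language }}/component:${{ matrix.component }}"
```

Two things to check before relying on this. A workflow skipped by `paths` filtering leaves its check in a pending state, so if the `analyze` job is a required status check, PRs that touch only unscanned paths will not merge; either drop the path filter for required checks or add a trivially passing job for that case. And CodeQL analyzes the whole checkout it is given rather than only the changed files, so the "incremental" PR scan is scoped by what the config file includes, not by the diff.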

Scenario-based

Critical alert appears in release PR. Action?

Block merge, apply fix, rerun scans, and document remediation.

Team says scan is too slow.

Scope PR scans, cache dependencies, and schedule deep scans off critical path.

Same finding repeatedly reopens.

Root cause not fully fixed or vulnerable pattern reintroduced; add secure coding guardrails.

Security finding in third-party generated code.

Exclude generated paths or patch generator pipeline if controllable.
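
Excluding generated paths is done in the CodeQL configuration file rather than in the workflow. The following is an added example of such a file, not one from the lesson or from GitHub's documentation; the component directories and the generated-code directory are assumptions, and the excluded query is a real CodeQL JavaScript quality rule shown here only to illustrate a documented exclusion.

```yaml
# Added example (not from the lesson): .github/codeql/codeql-config.yml,
# referenced by the init step's config-file input. Paths are assumptions.
name: "Monorepo CodeQL config"

# Restrict analysis to the components we own.
paths:
  - web
  - services/api

# Generated and vendored code is out of scope: findings there cannot be fixed
# in this repository, so the generator pipeline is patched instead.
paths-ignore:
  - "**/node_modules"
  - "**/dist"
  - "**/*.min.js"
  - "web/src/generated"   # client stubs produced by the API schema generator (assumed path)

# Rule exclusions need a recorded reason next to them so suppressions stay reviewable.
query-filters:
  - exclude:
      id: js/unused-local-variable   # quality rule, tracked by the linter instead of code scanning
```

The `paths` and `paths-ignore` keys restrict extraction only for interpreted languages (JavaScript/TypeScript, Python, Ruby); for compiled languages CodeQL records whatever the build compiles, so excluding generated code there means excluding it from the build steps the workflow runs.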

Developer disputes finding severity.

Evaluate exploitability with security team and adjust severity policy if warranted.

Summary

Code scanning brings security review into normal PR flow and prevents vulnerable code from reaching production.