#CodeQL

2025-04-30

[Translation] How GitHub uses CodeQL to secure itself

What happens when GitHub takes on its own security? They write code to protect code, and they make heavy use of CodeQL to do it. In this article the Product Security Engineering team explains how to set up large-scale automated vulnerability analysis, why it is worth building your own query packs, and how to use CodeQL to find bugs that ordinary code search cannot catch.

habr.com/ru/companies/otus/art

#CodeQL #github #code_security #vulnerabilities #GitHub_Advanced_Security #query_pack #variant_analysis #cicd #vulnerability_analysis

Andrew Eisenberg 🍁🍁 aeisenberg@cosocial.ca
2025-03-26

I worked on the remediation of this vulnerability. It’s not great that we let this slip through, and it took two weeks of work to verify that nothing bad had been leaked. But overall, it was a good process, the disclosure process made sure we fixed the bug quickly, and I learned a lot.

Also, the reporter walked away with a tidy sum of $$$.

praetorian.com/blog/codeqleake

#github #codeql #security

2025-03-08
Created a #CodeQL Cheat Sheet to document what I struggled with recently:

https://scrapco.de/codeql-cheat-sheet/cpp/cpp-conditionals-cfg/

Will push updates as they pop to my mind. Contributions/ideas are also most welcome!

https://github.com/v-p-b/codeql-cheat-sheet

2025-03-07
I got badly nerd sniped by Qualys:

Dreams in #CodeQL - Quest for the Perfect GOTO

https://scrapco.de/blog/dreams-in-codeql-quest-for-the-perfect-goto.html

Andrew Eisenberg 🍁🍁 aeisenberg@cosocial.ca
2025-01-09

I'm pleased with how this turned out. For the past few months, with a lot of other people, I've been working on making #GitHub #Actions workflows more secure using CodeQL. Here are the results:

github.blog/security/applicati

Now all public repositories on GitHub can opt in and make their code more secure with almost no effort.

#github #actions #security #CodeQL

2024-10-31

🔍Researcher Eviatar Gerzi uncovered 2 vulnerabilities in #Portainer! 🛡️

Learn how #CodeQL helped identify a blind SSRF and insecure encryption in this popular container management tool.

Read the full analysis here:

cyberark.com/resources/threat-

2024-08-21

GitHub's CodeQL action is quite finicky. It raises an error if it cannot analyze one of the languages it has initialized. Using the detected languages might pick up a language you're not going to build. Specifying all languages you might build will include some you will not build.

Ended up doing a `continue-on-error: true` for the analysis step as a workaround.

I don't think the action design is correct here.

#github #codeql

2024-07-09

Hey #PowerShell people: Want #GitHub #CodeQL to support PowerShell?

Let your voices be heard:

github.com/github/codeql-actio

2024-06-04

[Translation] Fixing security vulnerabilities with artificial intelligence

In November 2023 GitHub announced the launch of Code Scanning Autofix, which uses artificial intelligence to suggest fixes for security vulnerabilities in users' code bases. In this article we describe how Autofix works and the evaluation framework we use to test it.

habr.com/ru/companies/otus/art

#codeql #vulnerabilities #github #security

Gabriel Schneider - גבריאל שניידר gbrls@infosec.exchange
2024-05-16

#codeql is really cool, and they have a bug bounty program :)

Veit Schiele 🔜 GPN veit
2024-05-01

In an example project, we have significantly expanded the GitHub CI pipeline – it now includes
• pre-commit hooks
• building of Python packages
• testing against the built wheels
• determining the test coverage
• building the documentation
• checking the code quality

github.com/veit/items/actions/

CI pipeline with pre-commit, building and inspecting Python packages, testing against multiple Python versions, building docs, test coverage.

TheTransmitted thetransmitted
2024-03-22

The recent public beta launch of GitHub's automatic vulnerability fixing feature for code scanning has been a real breakthrough in digital security and software development.

thetransmitted.com/ai/github-p

Benjamin Carr, Ph.D. 👨🏻‍💻🧬 BenjaminHCCarr@hachyderm.io
2024-03-21

#GitHub's new #AI-powered tool auto-fixes #vulnerabilities in your code

Known as Code Scanning Autofix and powered by #GitHubCopilot and #CodeQL, it deals with over 90% of alert types in #JavaScript, #Typescript, #Java, and #Python. "When a vulnerability is discovered in a supported language, fix suggestions will include a natural language explanation of the suggested fix, together with a preview of the code suggestion that the developer can accept, edit, or dismiss" (GitHub)

bleepingcomputer.com/news/secu

Wally wally19
2024-03-21

It's really impressive what has achieved in the past 2 years.

From creating the obvious AI brain to assist developers on daily tasks to, recently announced and introduced, autofix code security scanning.

I can't wait to see what's next for tooling and developer experience.

A way to keep an eye on what's coming is to visit github next at githubnext.com/
