How can we enhance GitHub Code Scanning in the Web-Tracking aspect? #138792
Hi @kiran-spikewell, before setting this up in CI, did you test on a local database that your query actually behaves as expected? Note that there's a typo in your initialize step:
Hey folks!
I did research a few ways to enhance the web-tracking aspect of GitHub Code Scanning, especially with CodeQL, but it seems like I am doing something wrong. So I will explain my concerns and the work I did in the past few weeks. Here we go!
My concern
I research web trackers and similar types of vulnerabilities present in open-source repositories which may affect users' privacy and security. I did research with CodeQL, but CodeQL seems to have failed at doing my job. So I went on to try different things.
What I did
I created a custom script, say "detect-google-analytics.ql", which searches TypeScript and JavaScript files to determine if there's a hidden tracker present.
What problem am I facing?
Whenever this setup runs in a repository, it doesn't give any alerts when I intentionally add a Google Analytics tracker (it isn't able to find any alerts). So how can we enhance this in SAST-based scanning?
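For reference, one shape a Google Analytics detector can take in CodeQL's JavaScript library (which also covers TypeScript sources). This is an added example written for this page, not the "detect-google-analytics.ql" from the post above; the API names it looks for (gtag, ga, _gaq.push, dataLayer.push) and the host list (google-analytics.com, googletagmanager.com) are assumptions about what typical Google Analytics and gtag.js integrations look like, and the query @id is made up.

```ql
/**
 * @name Google Analytics tracker
 * @description Flags calls into the Google Analytics / gtag.js client API and
 *              string literals that reference Google Analytics hosts, which is
 *              how a tracker is usually loaded (e.g. a dynamically created
 *              <script src="https://www.googletagmanager.com/gtag/js?..."> tag).
 * @kind problem
 * @problem.severity warning
 * @id js/example/google-analytics-tracker
 * @tags privacy
 */

import javascript

/**
 * Holds if `call` invokes one of the global Google Analytics entry points.
 * The function names are assumptions about common GA snippets, not a
 * complete list.
 */
predicate isAnalyticsCall(DataFlow::CallNode call, string what) {
  // gtag('config', 'G-...') and ga('create', 'UA-...', 'auto')
  exists(string fn | fn = ["gtag", "ga"] |
    call = DataFlow::globalVarRef(fn).getACall() and what = fn + "()"
  )
  or
  // legacy async snippet: _gaq.push(['_trackPageview'])
  call = DataFlow::globalVarRef("_gaq").getAMethodCall("push") and what = "_gaq.push()"
  or
  // Google Tag Manager data layer: dataLayer.push({...})
  call = DataFlow::globalVarRef("dataLayer").getAMethodCall("push") and what = "dataLayer.push()"
}

/**
 * Holds if string literal `s` mentions a Google Analytics host. Catches both
 * inline <script src=...> strings built in JS and fetch/beacon URLs.
 */
predicate isAnalyticsHost(StringLiteral s, string host) {
  host = ["google-analytics.com", "googletagmanager.com"] and
  s.getValue().matches("%" + host + "%")
}

from DataFlow::Node n, string msg
where
  isAnalyticsCall(n, msg)
  or
  exists(StringLiteral s | isAnalyticsHost(s, msg) and n = s.flow())
select n, "Possible Google Analytics tracker: " + msg
```

Before wiring a query like this into Code Scanning, it is worth doing what the reply above suggests: build a local database with `codeql database create <db> --language=javascript --source-root <repo>` on a checkout that contains a deliberately planted tracker, then run `codeql database analyze <db> <path-to-query.ql> --format=sarif-latest --output=results.sarif` and confirm the planted snippet shows up in the SARIF. If it does locally but not in CI, the usual culprits are that the query directory has no `qlpack.yml` (so the query is not a loadable pack) or that the custom query is not referenced from the `queries:` entry of the CodeQL workflow config; a query that never runs produces no alerts, which looks identical to a query that runs and finds nothing.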