GHAS Certification Exam Prep: Part Three - CodeQL

[queenofcorgis]

This discussion and some of its comments have been edited and modified from its original format to enable evergreen learning

We’re halfway through our prep course for the GHAS certification exam, if you missed Part One’s Discussion and/or Part Two’s Discussion don’t worry feel free to get started and join us when you are caught up. Our latest installment will be focusing on the CodeQL topics in the exam.

Plus, prep materials and test questions to continue on studying.

Step One: Prep 📚

Use these materials to study before answering this week’s prep questions.

• Microsoft Learn Modules
  • Identify security vulnerabilities in your codebase by using CodeQL
  • Code scanning with GitHub CodeQL
• Study guides from @NickLiffen
  • Advanced CodeQL setup
  • Fine-tune testing scope with CodeQL
  • Bonus: Create a central CodeQL configuration file
• Study guides from @LadyKerr
  • Use code scanning with CodeQL
• Videos
  • GitHub Advanced Security - Pass the Exam from freeCodeCamp
    • CodeQL Section
  • Perform Security Code Analysis in GitHub with CodeQL and GitHub Actions
    • YouTube Video
• Community member materials
  • @Salgado2004's breakdown in their comment

Step Two: Test Your Knowledge ⚡

Question One: Where can you find the codeql.yml workflow file in your repository?

A) In the root directory
B) In the .github/ directory
C) In the scripts/ directory
D) In the src/ directory

Question Two:

What is the purpose of the codeql.yml workflow file in CodeQL advanced setup?

A) To initialize the CodeQL tools for scanning
B) To define test cases for CodeQL
C) To configure repository secrets
D) To manage repository dependencies

Question Three: What are the two options available when setting up CodeQL for the first time?

A) Basic and Advanced
B) Default and Custom
C) Default and Advanced
D) Basic and Custom

Question Four: What is the main benefit of using CodeQL for security analysis?

A) It encrypts all data
B) It compiles the code faster
C) It identifies potential security vulnerabilities
D) It monitors network traffic

View the answers in my comment 🧠

Use the discussion below to share additional study resources and respond to our prep questions

[RishavKumarSinha]

Always looking forward to these resources and question set, I find it to be a good way to jog my memory on the topic.

As for for the answers,

Q1. Option B
Q2. Option A
Q3. Option C
Q4. Option C

[davevad93]

Question One: Where can you find the codeql.yml workflow file in your repository?

• A) In the root directory
• B) In the .github/ directory
• C) In the scripts/ directory
• D) In the src/ directory

Question Two: What is the purpose of the codeql.yml workflow file in CodeQL advanced setup?

• A) To initialize the CodeQL tools for scanning
• B) To define test cases for CodeQL
• C) To configure repository secrets
• D) To manage repository dependencies

Question Three: What are the two options available when setting up CodeQL for the first time?

• A) Basic and Advanced
• B) Default and Custom
• C) Default and Advanced
• D) Basic and Custom

Question Four: What is the main benefit of using CodeQL for security analysis?

• A) It encrypts all data
• B) It compiles the code faster
• C) It identifies potential security vulnerabilities
• D) It monitors network traffic

[jccampanero]

Thank you very much for the new content!

These are my answers:

Question One: Where can you find the codeql.yml workflow file in your repository?

A) In the root directory
B) In the .github/ directory
C) In the scripts/ directory
D) In the src/ directory

Question Two: What is the purpose of the codeql.yml workflow file in CodeQL advanced setup?

A) To initialize the CodeQL tools for scanning
B) To define test cases for CodeQL
C) To configure repository secrets
D) To manage repository dependencies

Question Three: What are the two options available when setting up CodeQL for the first time?

A) Basic and Advanced
B) Default and Custom
C) Default and Advanced
D) Basic and Custom

Question Four: What is the main benefit of using CodeQL for security analysis?

A) It encrypts all data
B) It compiles the code faster
C) It identifies potential security vulnerabilities
D) It monitors network traffic

[gitstua]

👋🏽 Hi, @RishavKumarSinha @davevad93 @jccampanero

Great to see you practicing the answers here! Well done! 🚀

Have you started playing around with Advanced Security on public repos? Let the community here know if you have anything you are finding confusing - it's a great community who help each other!

[Salgado2004]

Hey @gitstua
Great contribution! 😅 I'm trying to get started with GHAS with my college project! Is pretty interesting, but also challenging.
What annoys me is that my code scanning is returning 0 vulnerabilities... and I don't know if I can trust my coding habilities to believe that 🤣

With this week's lesson, I'm gonna try to improve my code scanning setup. But, by now, if you want to take a look:
Here's my repo https://github.com/Salgado2004/Trabalho-Final-LPOO-UFPR

[jccampanero]

Hi @gitstua Stu,

I apologize for the late reply.

No, I haven't experimented with advanced security on public repositories, although we do utilize GHAS at work.

It's a great tool that aids us in enhancing our code in various ways.

I'm a huge fan of dependabot: it does an excellent job of alerting us about any vulnerabilities discovered in the libraries we employ in our projects and assists us in keeping our dependencies current

Secret Scanning is also quite useful: fortunately, we typically don't come across secret leaks, but when we do, the tool helps us manage the risk immediately.

Lastly, I view CodeQL as a Swiss army knife that helps us identify code vulnerabilities and improve our development work on a daily basis.

As I said, it is a great security suite!

[RishavKumarSinha]

Hello @gitstua,

I apologize for the delayed response. I've been quite busy with college exams over the past week, but I've finally finished them yesterday.

And yeah, I've have been tinkering with the security features on some of my public repositories. I'm particularly impressed with the automated security features that require minimal effort on our part.

[bos-hieu]

Question One: B
Question Two: A
Question Three: C
Question Four: C

I previously configured CodeQL using the default settings. Question two teaches me about advanced setup. Thank you for the materials.

[profile-palash]

Question 1: Where is the codeql.yml workflow file located?
Answer:B. In the .github/ directory.

Explanation

The .github/ directory is a standard location for configuration files related to GitHub Actions, including workflows like codeql.yml. This file defines the steps and actions involved in running CodeQL analysis on your repository.

Question 2: What is the purpose of the codeql.yml workflow file?

A) To initialize the CodeQL tools for scanning

Explanation

The primary purpose of the codeql.yml workflow file is to initialize the CodeQL tools for scanning. This involves setting up the environment, downloading the necessary CodeQL tools, and running the CodeQL analysis on the codebase.

While defining test cases or configuring repository secrets might be part of other workflow files, the codeql.yml file specifically focuses on preparing and executing the CodeQL analysis process.

Question 3: What are the two options available when setting up CodeQL for the first time?

Answer: C. Default and Advanced.

Explanation

The default setup provides a basic and streamlined configuration for CodeQL analysis, suitable for most projects. The advanced setup offers more granular control over the analysis process, allowing for customization to specific needs.

Question 4: What is the main benefit of using CodeQL for security analysis?

Answer: C. It identifies potential security vulnerabilities.

Explanation

CodeQL is a powerful static analysis tool that can automatically detect potential security vulnerabilities in your code. By analyzing the code's structure and logic, CodeQL can identify patterns that may indicate security risks, such as SQL injection, cross-site scripting (XSS), and buffer overflows.

[Salgado2004]

Facts! It's very organized!

Can you teach me how to do it? 😅

[queenofcorgis]

@Salgado2004

Our docs have you covered: check this one out!

but essentially you'll create a block with <details>

Tips for collapsed sections

You can add a header

You can add text within a collapsed section.

You can add an image or a code block, too.

   puts "Hello World"

Here is the markdown for it:

<details>

<summary>Tips for collapsed sections</summary>

### You can add a header

You can add text within a collapsed section. 

You can add an image or a code block, too.

```ruby
   puts "Hello World"

```

[Salgado2004]

Hmmm I see!
It's an HTML like syntax mixed with mardown! I forgot we could do that 😅 very nice
Thank you @queenofcorgis

[profile-palash]

Hi @Salgado2004
I'm glad you like the formatting !

To create this collapsible sections in GitHub
use <details> and <summary> tags. Place the content you want to hide within the <details> tag, after the <summary> tag like this :

**Section 1**

<details>
<summary>Subsection 1.1</summary>

Content for subsection 1.1.

<details>
<summary>Subsubsection 1.1.1</summary>

Content for subsubsection 1.1.1.
</details>
</details>

**Section 2**

<details>
<summary>Subsection 2.1</summary>

Content for subsection 2.1.
</details>

Output :

Section 1

Subsection 1.1

Content for subsection 1.1.

Subsubsection 1.1.1

Content for subsubsection 1.1.1.

Section 2

Subsection 2.1

Content for subsection 2.1.

---

You can nest these tags for hierarchical structures.
I hope this helps! Let me know if you have any other questions.

[profile-palash]

Hey @queenofcorgis, I switched to collapsible sections this week for a cleaner explanation. So happy you liked it! 😊

[Salgado2004]

Hey guys!

I really enjoyed this week's content, I've never heard of CodeQL before and now I'm really interested in configuring and using it for my projects. It's a great quality tool and have so many possibilities 🥹 I wanna try them all.

Well, here's my breakdown for scanning with CodeQL 🚀 (As a reminder, you can always use the discussion to improve my comments and answer my questions):

Domain 5: Use code scanning with CodeQL

Explain how CodeQL enables code scanning

• Describe CodeQL:
  CodeQL is an engine used to analyse code and generate security alerts. It works by basically turning code into relational data and then querying that data (it's magical🌟, really) to generate alerts for vulnerabilities, bugs, etc.
• Define a QL pack, code query, code suite:
  Packs, queries and suites are concepts from CodeQL:
  • A code query is (literally) a query in the code database that is created for the analysis. Just like a SQL query, it is how you select and filter the results. You can declare custom queries with a .ql file.
  • A code suite is a colletion of queries, that can be imported in your CodeQL workflow and execute all of them in order of declaration. The code suites are declared using YAML in .qls files.
  • A QL pack is an organization structure (can I say they're like Java packages??) to keep queries, libraries, suites, metadata, and more. It is very useful to share and run pre-defined workflows in diferent environments. It is also declared using YAML.
• Describe the default CodeQL query suites:
  Default query suites are pre-defined suites from CodeQL that you can import in your workflow and run your analysis, without having to create any queries. Some of the default queries are code-scanning, security-extended, and security-and-quality. Each of them serve different purposes and provide different levels of precision.
• Describe how CodeQL analyzes code and produces results, including differences between compiled and interpreted language:
  To sum up, there's 3 steps: Turn code into data, query the data, and understand the results.
  1. In the first step, you "prepare the soil". To run the analysis, CodeQL generates a database of relational data from your code. It does that using tools called extractors, there is one for each language supported in CodeQL. The database includes a representation of the abstract syntax tree, the data-flow, the control flow and has 2 main tables: expressions and statements<sup>1</sup>
  2. The second step is where the magic happens. All the queries declared in your workflow or query suite are executed against the database to retrieve data. There are 2 types of queries: alert queries and path queries. They are written using something called "QL Syntax".
  3. The last step is where you convert the results in understandable data, that can be turned into security alerts. The code queries contain metadata that helps interpreting them.

Use CodeQL for code scanning

• Introduce a CodeQL analysis workflow to a repository:
  There's 3 ways to use CodeQL within a GitHub repository (or 2? I'm not sure if CodeQL CLI would count as an workflow, but anyway). Default setup, Advanced setup and third party tools. The first two ways you can configure directly in GitHub, in the Settings tab. For third party tools, you can install the CodeQL CLI locally, run your analysis and then upload the results for a repository.
• List the locations in which CodeQL queries can be specified for use with code scanning:
  Let's go:
  • Directly in the workflow file codeql.yml
  • In a .ql file and reference it in the workflow file (local or remote)
  • In a query suite, and reference the query suite in the workflow file (also local or remote).

Note

Did I forget any location? 😅

• Configure the language matrix in a CodeQL workflow:
  The language matrix is (literally) a matrix you can use to configure the programming languages that you want CodeQL to scan. You can define right in the workflow file or in the config file (I believe). If your project uses more than one language, you can configure the language and its build mode. By using the language matrix, you optimize the analysis by allowing CodeQL to execute parallel runs for each language. The syntax is similar to this:

matrix:
    include:
    - language: java-kotlin
      build-mode: none 

• Reference a CodeQL query from a public repository within a code scanning workflow:
  In the workflow, you can reference the query .ql file in the config property of CodeQL Action using the sintax OWNER/REPOSITORY/FILENAME@BRANCH.

- name: Initialize CodeQL
    uses: github/codeql-action/init@v2
    with:
      languages: ${{ matrix.language }}
      config: |
        queries:
          - uses: salgado2004/template-repo/example-query.ql@main

• Reference a CodeQL query from a private repository within a code scanning workflow:
  With private repositories is very similar, but you need to include a special token that grants access to the repository.

- name: Initialize CodeQL
    uses: github/codeql-action/init@v2
    with:
      languages: ${{ matrix.language }}
      external-repository-token: ${{ secrets.ACCESS_TOKEN }}
      config: |
        queries:
          - uses: salgado2004/template-private-repo/example-query.ql@main

• Reference a CodeQL query from a local directory within a code scanning workflow:
  In the workflow, you can add the relative path of the query .ql file in the config property of CodeQL Action.

- name: Initialize CodeQL
    uses: github/codeql-action/init@v2
    with:
      languages: ${{ matrix.language }}
      config: |
        queries:
          - uses: ./queries/example-query.ql

• Reference a configuration file within the same repository:
  The configuration file is also similar to the queries. In the workflow, you can add the relative path of the custom config file in the config property of CodeQL Action.

- name: Initialize CodeQL
    uses: github/codeql-action/init@v2
    with:
      languages: ${{ matrix.language }}
      config: |
        queries:
          - uses: ./.github/codeql/codeql-config.yml

• Reference a configuration file in a remote public repository:
  And to reference config files from external repositories, it is the same logic.

- name: Initialize CodeQL
    uses: github/codeql-action/init@v2
    with:
      languages: ${{ matrix.language }}
      config: |
        queries:
          - uses: salgado2004/template-repo/codeql-config.yml@main

Note

If you want to reference private repositories, don't forget to add external-repository-token: ${{ secrets.ACCESS_TOKEN }} 😉

• Execute code scanning with the CodeQL command-line interface (CLI), including creating the CodeQL database, analyzing that database, and posting the SARIF results to GitHub:
  Ok, so this is a little bit complex (at least for me), but here we go. Using the CLI, the analysis require some steps<sup>2</sup>. They are:
  1. Create the database, using the command codeql database create <database> --language=<language-identifier> (You can define more parameters according to your needs)
  2. Then, you create your queries in .ql files. Once you created them, run the command codeql database run-queries.
  3. After you run the queries, you need to interpret the results. You can do that with codeql database interpret-results (if your queries meet the requirements for being interpreted as source-code alerts) or codeql bqrs decode (that only convert the results to readable notation).
  4. Finally, you can upload the interpreted results to GitHub executing the command codeql github upload-results --sarif=<file> [--github-auth-stdin] [--github-url=<url>] [--repository=<repository-name>] [--ref=<ref>] [--commit=<commit>] [--checkout-path=<path>] <options>... (to work properly, you must provide a GitHub access token)
• Contrast the steps to execute code scanning in GitHub Actions vs the CodeQL CLI:
  Both methods are efficient to analyse your code and generate security alerts, but each one serve different purposes. Code Scanning in GitHub Actions provides automation to configure your CodeQL environment once and schedule your workflow to run anytime your want, or trigger your workflow to run when you push something to the branch. Code Scanning in CodeQL CLI is more manual, but also more customizable (?? I'm not thaat sure) in the way that you can manage your code database and the language extractors configuration. You can also use the CLI with the VS Code extension, so it's useful to integrate in the local development.

Describe how to triage code scanning results from CodeQL analysis

• Describe how to view code scanning results from CodeQL analysis:
  With CodeQL CLI, you can configure the query interpreted results to be in different formats, you can also visualize the results in the CodeQL Extension in VS Code (I need to get it). You can also control how you see the results modifying the select statement in the query<sup>3</sup>, making it clear and easy to you.
• Troubleshoot a failing code scanning workflow using CodeQL, including creating or changing a custom configuration in the CodeQL workflow:
  If you're having problems with your CodeQL analysis, you can configure debug in your code scanning workflow. It will generate and upload useful artifacts, like CodeQL logs, CodeQL databases, that can help you understand what's wrong. If you use CodeQL extension for VS Code, you can see the logs in the VS Code terminal.
• Follow the data flow through code using the show paths experience:
  The data flow is a feature that helps following the data through the application, and identifying possible leaks and entry points for malicious "attackers" (is that a word? I'm not sure). It literally shows how data moves through your code (it's a pretty cool feature).
• Explain the reason for a code scanning alert given documentation linked from the alert:
  It's useful to help the developers understanding what the alerts is about and how to fix it. The severity of the problem, its nature, how to fix it, are important informations to plan how to act on the alert.
• Determine if and why a code scanning alert needs to be dismissed:
  There are different reasons for why you would dismiss a code scanning alert. Some of them are:
  • The code is not used for production, only testing.
  • The cost of fixing is greater than the benefits
    When you dismiss a code scanning alert, it's marked as closed and doesn't appear again in the following scans, but you can reopen it if it's necessary.

Warning

Always pay attention before dismissing alerts, to avoid vulnerabilities. Whenever you dismiss a security alert you need to provide a reason, that is registered.

• Describe potential shortfalls in CodeQL via model of compilation and language support:
  One potential shortfall in CodeQL happens during the creation of the code database. For compiled supported languages, CodeQL needs to build the project during the extraction. If your project uses more than one compiled language and you're not using a language matrix, CodeQL will try to build the language with more source-files in the project using the autobuild setup and, most likely, will fail. This happens because autobuild will try to detect the most suitable method for build and extraction, which depends a lot from project to project. To avoid that, it is recommended to configure build steps for your project.
• Optimize CodeQL analysis runtimes:
  There are some "tricks" you can use to optimize the analysis.
  • By default, (also in the default setup) CodeQL runs sequentially each programming language in the project, which can increase the time spent to run the analysis. To improve this you can define a language matrix with the advanced setup. With the language matrix, CodeQL is able to run each language in parallel, and run only the languages defined in the matrix.
  • If your project has test folders, documentation folders, storybooks, you can exclude them from the analysis. You can do this in the workflow file or the config file, using the syntax:

paths-ignore:
  - '**/*.test.js'

Use third-party tools with code scanning

• Explain how to upload 3rd party SARIF results via the SARIF endpoint:
  When you run a code analysis using 3rd party tools, the results can be whatever format you specify. But, to upload the results to GitHub, the SARIF results must follow a specific format supported by GitHub (Today 20/09/2024, it is a subset of the SARIF 2.1.0 JSON schema).
  Another point you need to pay attention is the "id" of your results. The SARIF schema has a property called partialFingerprints that GitHub uses to identify the results and match them across the code. Without this property, you might see duplicate alerts when code-scanning alerts are processed.
• Explain the purpose of defining a SARIF category:
  In my understanding, the category in the SARIF file is useful to organize your different analysis for the same "commit repository". If you don't include categories, each analysis would overwrite the last one (And if you use the same category, they will also overwrite).
  So it's useful when you want to run the analysis for different languages in the repository, or using more than one tool that generates SARIF files to compare the results.

Answers of the prep questions

1. B In the .github/ directory
2. A To initialize the CodeQL tools for scanning
3. C Default and Advanced
4. C It identifies potential security vulnerabilities

Have a great weekend guys

Footnotes

1. For those who don't know (like me) Expressions are snippets of code that are evaluated to a value
   ex: a + b; 1 * 5;.
   Statements are logic snippets that control the flow of the program
   ex: if (a < b); for(let a of [1, 2,3]) ↩

2. Tip: There's another command you can use to sum up the steps 2 and 3. If your queries meet the requirements for being interpreted as source-code alerts, you can run codeql database analyze --format=<format> ---output=<output> with different arguments to execute your analysis. ↩

3. But remember, if you want to upload to GitHub, the selects must follow an specific format. ↩

[geopd]

1. B
2. A
3. C
4. C

[queenofcorgis]

The answers are... click details to reveal them!

Question One: Where can you find the codeql.yml workflow file in your repository?

B) In the .github/ directory

Question Two: What is the purpose of the codeql.yml workflow file in CodeQL advanced setup?

A) To initialize the CodeQL tools for scanning

Question Three: What are the two options available when setting up CodeQL for the first time?

C) Default and Advanced

Question Four: What is the main benefit of using CodeQL for security analysis?

C) It identifies potential security vulnerabilities

[queenofcorgis]

@profile-palash you inspired me with your formatting 😃

[profile-palash]

@queenofcorgis
Haha, Thanks for the kind words 😊

[juanlujand]

Question One: Where can you find the codeql.yml workflow file in your repository?

B) In the .github/ directory

Question Two:
What is the purpose of the codeql.yml workflow file in CodeQL advanced setup?

A) To initialize the CodeQL tools for scanning

Question Three: What are the two options available when setting up CodeQL for the first time?

C) Default and Advanced

Question Four: What is the main benefit of using CodeQL for security analysis?

C) It identifies potential security vulnerabilities

[queenofcorgis]

Come join us in our final portion's discussion so you can finish preparing for the GitHub Certification GHAS Exam!

[Yordan-Ramchev]

1. B) In the .github/ directory
2. A) To initialize the CodeQL tools for scanning
3. C) Default and Advanced
4. C) It identifies potential security vulnerabilities