Skip to content

feat: SAST — application source code deep scan (PR/CI) #19

Description

@ms280690

Context

Stage: PR / CI
Tool: codeql
Scope: Application source code — frontend (JS/TS) and backend (Python, Go, Java, Ruby, C#, Kotlin, Swift)
Parent: (see SAST parent issue)

IaC and Helm/Kustomize are out of scope for Step 4 SAST. codeql does not support Terraform or Helm. IaC security scanning is in Step 17 (checkov) and linting issues #10, #11.

Why codeql

At PR/CI the goal is deep semantic analysis that catches what pattern-matching tools (semgrep, pre-commit #18) cannot:

  • Taint analysis: tracks user-supplied data from entry point (HTTP request, file input) through transformations to a sink (SQL query, shell command, HTML output) — finds injection vulnerabilities that span multiple files and function calls
  • Data-flow analysis: identifies paths where unsanitised data reaches security-sensitive operations
  • GitHub-native: runs as a GitHub Actions workflow, results post inline to PR via the GitHub Security tab (SARIF) — zero additional infrastructure
  • Free for private repos via GitHub Advanced Security (included with GitHub Team/Enterprise, or available as a paid add-on)
  • Language-agnostic for supported languages: same workflow config handles JS/TS, Python, Go, Java, Ruby, C#, Kotlin, Swift — auto-detected from repo content

sonarqube (the alternative) requires a self-hosted instance. coderabbit is an AI reviewer that complements but does not replace data-flow analysis — include it as an optional enhancement in consuming repos via coderabbit.yml. semgrep in CI is faster but shallower; use it at pre-commit (#18) and let codeql do the deep work at PR.

Reusable workflow — sast-scan.yml

name: SAST Scan
on:
  workflow_call:
    inputs:
      languages:
        description: 'Comma-separated CodeQL language identifiers. Leave empty for auto-detect.'
        default: ''
        type: string
      queries:
        description: 'CodeQL query suite: security-extended | security-and-quality | default'
        default: 'security-extended'
        type: string

Consuming repo usage

# .github/workflows/sast.yml
name: SAST
on: [pull_request]
jobs:
  codeql:
    uses: sparkgeo/github-actions/.github/workflows/sast-scan.yml@main
    with:
      queries: security-extended
    permissions:
      security-events: write   # required to upload SARIF
      actions: read
      contents: read

Auto-detect languages

When languages input is empty, the workflow detects languages from the repo. For explicit override (e.g., monorepo with mixed stacks):

with:
  languages: 'python,javascript'

Supported language identifiers: cpp, csharp, go, java-kotlin, javascript-typescript, python, ruby, swift

Query suites

Suite What it covers Recommended for
security-extended OWASP Top 10 + extended CWE coverage Default — covers the most security-relevant CWEs
security-and-quality Security + code quality (dead code, error handling) Repos adopting quality gates via sonarqube (#20)
default Core security queries only Fast scan; use when pipeline time is constrained

Gate behaviour (§5.5 alignment)

Finding severity PR behaviour
Critical / High (production code path) Blocks merge via GitHub required status check
Medium Warning — visible in Security tab, non-blocking
Low / Informational Surfaced in Security tab only

Use // lgtm or @github-actions github-actions bot dismissal for accepted-risk findings — these are auditable in the GitHub Security tab.

CodeRabbit (complementary, optional)

coderabbit is an AI PR reviewer that ingests codeql findings and generates inline fix suggestions. It does not replace codeql but reduces time-to-fix by providing context-aware remediation guidance directly on the PR diff. Add it to consuming repos via a separate coderabbit.yml config file. See Step 4 notes in secops.md for the self-hosting option for HIPAA/PCI-DSS environments.

Metadata

Metadata

Assignees

Labels

Fields

No fields configured for Feature.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions