Context
Stage: PR / CI
Tool: codeql
Scope: Application source code — frontend (JS/TS) and backend (Python, Go, Java, Ruby, C#, Kotlin, Swift)
Parent: (see SAST parent issue)
IaC and Helm/Kustomize are out of scope for Step 4 SAST. codeql does not support Terraform or Helm. IaC security scanning is in Step 17 (checkov) and linting issues #10, #11.
Why codeql
At PR/CI the goal is deep semantic analysis that catches what pattern-matching tools (semgrep, pre-commit #18) cannot:
- Taint analysis: tracks user-supplied data from entry point (HTTP request, file input) through transformations to a sink (SQL query, shell command, HTML output) — finds injection vulnerabilities that span multiple files and function calls
- Data-flow analysis: identifies paths where unsanitised data reaches security-sensitive operations
- GitHub-native: runs as a GitHub Actions workflow, results post inline to PR via the GitHub Security tab (SARIF) — zero additional infrastructure
- Free for private repos via GitHub Advanced Security (included with GitHub Team/Enterprise, or available as a paid add-on)
- Language-agnostic for supported languages: same workflow config handles JS/TS, Python, Go, Java, Ruby, C#, Kotlin, Swift — auto-detected from repo content
sonarqube (the alternative) requires a self-hosted instance. coderabbit is an AI reviewer that complements but does not replace data-flow analysis — include it as an optional enhancement in consuming repos via coderabbit.yml. semgrep in CI is faster but shallower; use it at pre-commit (#18) and let codeql do the deep work at PR.
Reusable workflow — sast-scan.yml
name: SAST Scan
on:
workflow_call:
inputs:
languages:
description: 'Comma-separated CodeQL language identifiers. Leave empty for auto-detect.'
default: ''
type: string
queries:
description: 'CodeQL query suite: security-extended | security-and-quality | default'
default: 'security-extended'
type: string
Consuming repo usage
# .github/workflows/sast.yml
name: SAST
on: [pull_request]
jobs:
codeql:
uses: sparkgeo/github-actions/.github/workflows/sast-scan.yml@main
with:
queries: security-extended
permissions:
security-events: write # required to upload SARIF
actions: read
contents: read
Auto-detect languages
When languages input is empty, the workflow detects languages from the repo. For explicit override (e.g., monorepo with mixed stacks):
with:
languages: 'python,javascript'
Supported language identifiers: cpp, csharp, go, java-kotlin, javascript-typescript, python, ruby, swift
Query suites
| Suite |
What it covers |
Recommended for |
security-extended |
OWASP Top 10 + extended CWE coverage |
Default — covers the most security-relevant CWEs |
security-and-quality |
Security + code quality (dead code, error handling) |
Repos adopting quality gates via sonarqube (#20) |
default |
Core security queries only |
Fast scan; use when pipeline time is constrained |
Gate behaviour (§5.5 alignment)
| Finding severity |
PR behaviour |
| Critical / High (production code path) |
Blocks merge via GitHub required status check |
| Medium |
Warning — visible in Security tab, non-blocking |
| Low / Informational |
Surfaced in Security tab only |
Use // lgtm or @github-actions github-actions bot dismissal for accepted-risk findings — these are auditable in the GitHub Security tab.
CodeRabbit (complementary, optional)
coderabbit is an AI PR reviewer that ingests codeql findings and generates inline fix suggestions. It does not replace codeql but reduces time-to-fix by providing context-aware remediation guidance directly on the PR diff. Add it to consuming repos via a separate coderabbit.yml config file. See Step 4 notes in secops.md for the self-hosting option for HIPAA/PCI-DSS environments.
Context
Stage: PR / CI
Tool:
codeqlScope: Application source code — frontend (JS/TS) and backend (Python, Go, Java, Ruby, C#, Kotlin, Swift)
Parent: (see SAST parent issue)
Why codeql
At PR/CI the goal is deep semantic analysis that catches what pattern-matching tools (semgrep, pre-commit #18) cannot:
sonarqube(the alternative) requires a self-hosted instance.coderabbitis an AI reviewer that complements but does not replace data-flow analysis — include it as an optional enhancement in consuming repos viacoderabbit.yml.semgrepin CI is faster but shallower; use it at pre-commit (#18) and let codeql do the deep work at PR.Reusable workflow —
sast-scan.ymlConsuming repo usage
Auto-detect languages
When
languagesinput is empty, the workflow detects languages from the repo. For explicit override (e.g., monorepo with mixed stacks):Supported language identifiers:
cpp,csharp,go,java-kotlin,javascript-typescript,python,ruby,swiftQuery suites
security-extendedsecurity-and-qualitydefaultGate behaviour (§5.5 alignment)
Use
// lgtmor@github-actions github-actions botdismissal for accepted-risk findings — these are auditable in the GitHub Security tab.CodeRabbit (complementary, optional)
coderabbitis an AI PR reviewer that ingests codeql findings and generates inline fix suggestions. It does not replace codeql but reduces time-to-fix by providing context-aware remediation guidance directly on the PR diff. Add it to consuming repos via a separatecoderabbit.ymlconfig file. See Step 4 notes in secops.md for the self-hosting option for HIPAA/PCI-DSS environments.