Welcome to the Code Scanning Java Tutorial! This tutorial will take you through how to set up Github Advanced Security: Code Scanning as well as interpret results that it may find. The following repository contains SQL injection vulnerability for demonstration purpose.
Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub.
You can use code scanning with CodeQL, a semantic code analysis engine. CodeQL treats code as data, allowing you to find potential vulnerabilities in your code with greater confidence than traditional static analyzers.
This tutorial with use CodeQL Analysis with Code Scanning in order to search for vulnerabilities within your code.
Enable Code Scanning
Click on the Security
tab.

Click Set up code scanning
.

Click the Setup this workflow
button by CodeQL Analysis.

This will create a GitHub Actions Workflow file with CodeQL already set up. Since Java is a compiled language you will need to setup the build in later steps. See the documentation if you would like to configure CodeQL Analysis with a 3rd party CI system instead of using GitHub Actions.
Actions Workflow file
The Actions Workflow file contains a number of different sections including:
- Checking out the repository
- Initializing the CodeQL Action
- Running Autobuilder (or code your own build steps if autobuild doesn't work)
- Running the CodeQL Analysis

Click Start Commit
-> Commit this file
to commit the changes to main branch.
Workflow triggers
There are a number of events that can trigger a GitHub Actions workflow. In this example, the workflow will be triggered on

- push to main branch
- pull request to merge to main branch
- on schedule, at 6:33 every Thursday
Setting up the new CodeQL workflow and committing it to main branch in the step above will trigger the scan.
GitHub Actions Progress
Click Actions
tab -> CodeQL
Click the specific workflow run. You can view the progress of the Workflow run until the analysis completes.

Security Issues
Once the Workflow has completed, click the Security
tab -> Code Scanning Alerts
. An security alert "Query built from user-controlled sources" should be visible.
Clicking on the security alert will provide details about the security alert including:
- A description of the issue
- A tag to the CWE that it is connected to as well as the type of alert (Error, Warning, Note)
- The line of code that triggered the security alert
- The ability to dismiss the alert depending on certain conditions (`False positive`? `Won't fix`? `Used in tests`?)

Click Show more
to view a full desciption of the alert including examples and links to additional information.


Show Paths
CodeQL Analysis is able to trace the dataflow path from source to sink and gives you the ability to view the path traversal within the alert.
Click show paths
in order to see the dataflow path that resulted in this alert.


Fix the Security Alert
TBD
Ready to talk about advanced security features for GitHub Enterprise? Contact Sales for more information!
Check out GitHub's Security feature page for more security features embedded into GitHub.
Check out the Code Scanning documentation for additional configuration options and technical details.