How to use official GitHub Actions workflow analysis queries with CodeQL CLI? #844

nickossdev · 2024-07-29T02:35:37Z

nickossdev
Jul 29, 2024

Using official GitHub Actions workflow analysis queries with CodeQL CLI

I'm trying to analyze my GitHub Actions workflow files for security issues and best practices using the CodeQL CLI. I know there are official queries for this purpose, but I'm having trouble finding clear documentation on how to use them outside of GitHub's automated code scanning.

Specifically:

Where can I find the official CodeQL queries for analyzing GitHub Actions workflows?
How can I use these queries with the CodeQL CLI to analyze my workflow files locally?
Is there official documentation for this process?

Thanks

Answered by JarLob

Jul 29, 2024

Hi, Currently available queries for actions are these: https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-094/ExpressionInjection.ql https://github.com/github/codeql/blob/main/javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.ql https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/blob/main/javascript/src/security/CWE-829/UnpinnedActionsTag.ql The documentation on how to use codeql cli is located at https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-a-single-query

View full answer

JarLob · 2024-07-29T11:11:06Z

JarLob
Jul 29, 2024
Maintainer

Hi, Currently available queries for actions are these: https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-094/ExpressionInjection.ql https://github.com/github/codeql/blob/main/javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.ql https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/blob/main/javascript/src/security/CWE-829/UnpinnedActionsTag.ql The documentation on how to use codeql cli is located at https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-a-single-query

…

On Mon, Jul 29, 2024 at 4:36 AM nickossdev ***@***.***> wrote: Using official GitHub Actions workflow analysis queries with CodeQL CLI I'm trying to analyze my GitHub Actions workflow files for security issues and best practices using the CodeQL CLI. I know there are official queries for this purpose, but I'm having trouble finding clear documentation on how to use them outside of GitHub's automated code scanning. Specifically: 1. Where can I find the official CodeQL queries for analyzing GitHub Actions workflows? 2. How can I use these queries with the CodeQL CLI to analyze my workflow files locally? 3. Is there official documentation for this process? Thanks — Reply to this email directly, view it on GitHub <#844>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AGLK53BJYHQLN542LZCWJDDZOWTBFAVCNFSM6AAAAABLTLVBDGVHI2DSMVQWIX3LMV43ERDJONRXK43TNFXW4OZWHE4DSMZYGM> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

How to use official GitHub Actions workflow analysis queries with CodeQL CLI? #844

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

How to use official GitHub Actions workflow analysis queries with CodeQL CLI? #844

Uh oh!

nickossdev Jul 29, 2024

Using official GitHub Actions workflow analysis queries with CodeQL CLI

Replies: 1 comment

Uh oh!

JarLob Jul 29, 2024 Maintainer

nickossdev
Jul 29, 2024

JarLob
Jul 29, 2024
Maintainer