- Notifications
You must be signed in to change notification settings - Fork0
Github Action that run a CodeQL security scan and generate a markdown report
License
Vedza/codeql-security-report
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
This action will run CodeQL rules on files in$GITHUB_WORKSPACE and checks for security issues. A markdown report is generated with the results and available in$CODEQL_MD
Here is an action that will run on every pull request, scan all the files and post the result in a comment:
name:CodeQL Security Scanon:[pull_request]jobs:build:runs-on:ubuntu-latestenv:LANGUAGE:javascriptsteps: -uses:actions/checkout@v2 -name:Run CodeQL scanuses:themenu/codeql-security-report@master -name:Comment PRuses:thollander/actions-comment-pull-request@masterwith:message:| ${{ env.CODEQL_MD }}GITHUB_TOKEN:${{ secrets.GITHUB_TOKEN }}
Here is an action that will run on every pull request, scan only the files edited in the PR and post the result in a comment:
name:CodeQL Security Scanon:[pull_request]jobs:build:runs-on:ubuntu-latestenv:LANGUAGE:javascriptsteps: -uses:actions/checkout@v2 -name:Get changed filesid:changed-filesuses:tj-actions/changed-files@v13.1 -name:Delete unedited filesid:deletecontinue-on-error:truerun:| for file in ${{ steps.changed-files.outputs.all_changed_and_modified_files }}; do edited="$edited ! -name ${file##*/}" done edited="${edited:1}" find $GITHUB_WORKSPACE $edited -type f -exec rm -f {} + ls -R $GITHUB_WORKSPACE if [[ "$edited" == *".js"* ]]; then exit 0 fi exit 1 -name:Run CodeQL scanif:steps.delete.outcome == 'success'uses:vedza/codeql-security-report@master -name:Comment PRif:steps.delete.outcome == 'success'uses:thollander/actions-comment-pull-request@mainwith:message:| ${{ env.CODEQL_MD }}GITHUB_TOKEN:${{ secrets.GITHUB_TOKEN }}
The docker image of this action is based onmcr.microsoft.com/cstsectools/codeql-container. But because of some issue, I had to build my own imagevedza/codeql-github-action, which use the same Dockerfile asmcr.microsoft.com/cstsectools/codeql-container.
So when the base image is updated, we will need to update the docker image to use the latest microsoft image.
Our image run our script that scan and generate the markdown report only if no$CODEQL_CLI_ARGS is passed in env.
So you can still use this image the same way asmcr.microsoft.com/cstsectools/codeql-container to run CodeQL queries if you want.
If you want to skip test on some files or vulnerabilities, you can add path and/or vulnerabilityid in a.sastignore file in the root of your project.
The security report is available in$CODEQL_MD as markdown.It contains security issues split by priority, and issues in each priority level are sorted by score.You can click on the file URL to see the exact piece of code causing the security issue.
Here is an example of what the markdown report look like forNodeGoat:
NodeGoat
Uncontrolled data used in network request
Score:9.1Definition:Sending network requests with user-controlled data allows for request forgery attacks.ID:js/request-forgery
| Title | File | Precision |
|---|---|---|
| The URL of this request depends on a user-provided value | example/NodeGoat/app/routes/research.js | Medium |
Log injection
Score:7.8Definition:Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user.ID:js/log-injection
| Title | File | Precision |
|---|---|---|
| User-provided value flows to log entry | example/NodeGoat/app/routes/session.js | Medium |
Inefficient regular expression
Score:7.5Definition:A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks.ID:js/redos
| Title | File | Precision |
|---|---|---|
| This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '0' | example/NodeGoat/app/routes/profile.js | High |
Polynomial regular expression used on uncontrolled data
Score:7.5Definition:A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks.ID:js/polynomial-redos
| Title | File | Precision |
|---|---|---|
| This regular expression that depends on a user-provided value may run slow on strings with many repetitions of '0' | example/NodeGoat/app/routes/profile.js | High |
Uncontrolled data used in path expression
Score:7.5Definition:Accessing paths influenced by users can allow an attacker to access unexpected resources.ID:js/path-injection
| Title | File | Precision |
|---|---|---|
| This path depends on a user-provided value | example/NodeGoat/app/routes/index.js | High |
Code injection
Score:6.1Definition:Interpreting unsanitized user input as code allows a malicious user arbitrary code execution.ID:js/code-injection
| Title | File | Precision |
|---|---|---|
| User-provided value flows to here and is interpreted as code | example/NodeGoat/app/data/allocations-dao.js | High |
| User-provided value flows to here and is interpreted as code | example/NodeGoat/app/routes/contributions.js | High |
| User-provided value flows to here and is interpreted as code | example/NodeGoat/app/routes/contributions.js | High |
| User-provided value flows to here and is interpreted as code | example/NodeGoat/app/routes/contributions.js | High |
Server-side URL redirect
Score:6.1Definition:Server-side URL redirection based on unvalidated user input may cause redirection to malicious web sites.ID:js/server-side-unvalidated-url-redirection
| Title | File | Precision |
|---|---|---|
| Untrusted URL redirection due to user-provided value | example/NodeGoat/app/routes/index.js | High |
DOM text reinterpreted as HTML
Score:6.1Definition:Reinterpreting text from the DOM as HTML can lead to a cross-site scripting vulnerability.ID:js/xss-through-dom
| Title | File | Precision |
|---|---|---|
| DOM text is reinterpreted as HTML without escaping meta-characters | example/NodeGoat/app/assets/vendor/bootstrap/bootstrap.js | High |
| DOM text is reinterpreted as HTML without escaping meta-characters | example/NodeGoat/app/assets/vendor/bootstrap/bootstrap.js | High |
| DOM text is reinterpreted as HTML without escaping meta-characters | example/NodeGoat/app/assets/vendor/bootstrap/bootstrap.js | High |
| DOM text is reinterpreted as HTML without escaping meta-characters | example/NodeGoat/app/assets/vendor/bootstrap/bootstrap.js | High |
| DOM text is reinterpreted as HTML without escaping meta-characters | example/NodeGoat/app/assets/vendor/bootstrap/bootstrap.js | High |
| DOM text is reinterpreted as HTML without escaping meta-characters | example/NodeGoat/app/assets/vendor/bootstrap/bootstrap.js | High |
| DOM text is reinterpreted as HTML without escaping meta-characters | example/NodeGoat/app/assets/vendor/bootstrap/bootstrap.js | High |
| DOM text is reinterpreted as HTML without escaping meta-characters | example/NodeGoat/app/assets/vendor/bootstrap/bootstrap.js | High |
Unsafe jQuery plugin
Score:6.1Definition:A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.ID:js/unsafe-jquery-plugin
| Title | File | Precision |
|---|---|---|
| Potential XSS vulnerability in the '$fntooltip' plugin | example/NodeGoat/app/assets/vendor/bootstrap/bootstrap.js | High |
| Potential XSS vulnerability in the '$fncollapse' plugin | example/NodeGoat/app/assets/vendor/bootstrap/bootstrap.js | High |
| Potential XSS vulnerability in the '$fnscrollspy' plugin | example/NodeGoat/app/assets/vendor/bootstrap/bootstrap.js | High |
| Potential XSS vulnerability in the '$fnscrollspy' plugin | example/NodeGoat/app/assets/vendor/bootstrap/bootstrap.js | High |