Integrating static analysis tooling (sast) into ci/cd pipelines has honestly never been easier. So let’s set up something really quick using Github Actions and CodeQL.

Here we’ve setup a “super secure” application, but before we deploy or check in code, we should probably setup automated sast scanning.

Navigating to the security tab, you should be able to see the button to setup code scanning.

Let’s add CodeQL! This is an AWESOME sast tool that allows for so much customization. Click the button to add it to your repo.

Here’s the .yml config which shows the out of the box configuration. It’s set to scan the main branch on push or pull requests.

Go ahead and commit the yml config and setup is done! This is just the default and out of the box config so this is barely scratching the surface. Below you see the jobs running.

You can see in the image below all the scans were automatically kicked off when a commit was pushed. Moving forward, all push and pull commits to the main branch will automatically be sast scanned.

And here’s the output of the results. Yay?