advanced-security-go

Begin by forking this repo.

Security tab

Click on the Security tab.

Set up code scanning

Click Set up code scanning.

Setup Workflow

Click the Set up this workflow button by CodeQL Analysis.

This will create a GitHub Actions Workflow file with CodeQL already set up. Go is a compiled language, so the autobuild step is automatically added to your Workflow file. Additional build configurations are documented in Configuring the CodeQL workflow for compiled languages documentation.

See the documentation if you would like to configure CodeQL Analysis with a 3rd party CI system instead of using GitHub Actions.

Actions Workflow

The Actions Workflow file contains a number of different steps including:

1. Checking out the repository
2. Initializing the CodeQL Action
3. Building your project
4. Running the CodeQL Analysis

Click Start Commit -> Commit new file to commit the changes to main branch.

Workflow triggers

There are a number of events that can trigger a GitHub Actions workflow. In this example, the workflow will be triggered on

• push to main branch
• pull request to merge to main branch
• on schedule, at 4:31 every Saturday

Setting up the new CodeQL workflow and committing it to main branch in the step above will trigger the scan.

GitHub Actions Progress

Click Actions tab -> CodeQL

Click the specific workflow run. You can view the progress of the Workflow run until the analysis completes.

Once the Workflow has completed, click the Security tab -> Code scanning alerts. You will see 3 alerts titled "Database query built from user-controlled sources".

Security Alert View

Clicking on a security alert will provide details about the security alert including:

• A description of the issue
• A tag to the CWE that it is connected to as well as the type of alert (Error, Warning, Note)
• The line of code that triggered the security alert
• The ability to dismiss the alert depending on certain conditions (`False positive`? `Won't fix`? `Used in tests`?)

Security Alert Description

Click Show more to view a full desciption of the alert including examples and links to additional information.

Security Full Description

Show Paths Button

CodeQL Analysis is able to trace the dataflow path from source to sink and gives you the ability to view the path traversal within the alert.

Click Show paths to see the dataflow path that resulted in this alert.

Show Paths View

CodeQL has created alerts because our database query is using data supplied by users through the API. A bad actor could inject a SQL statement to the query parameter which would be executed directly against the database. To fix this, we need to parameterze our database query.

Click on the Code tab and edit the file models/models.go.

Within models.go, the lines 38, 57, and 76 contain the SQL injections. Remediate those vulnerabilities by following the in-line comments.

Click Create a new branch for this commit and start a pull request, name the branch fix-sql-injection, and create the Pull Request.

Pull Request Status Check

In the Pull Request, you will notice that the CodeQL Analysis has started as a status check. Wait until it completes.

Security Alert Details

After the Workflow has completed click on Details by the Code Scanning Results / CodeQL status check.

Fixed Alert

Notice that Code Scanning has detected that this Pull Request will fix the SQL injection vulnerabilities which were detected before.

Merge the Pull Request. After the Pull Request has been merged, another Workflow will kick off to scan the repository for any vulnerabilties.

Closed Security Alerts

After the final Workflow has completed, navigate back to the Security tab and click Closed. Notice that the Query built from user-controlled sources security alert now shows up as a closed issue.

Traceability

Click on the security alert and notice that it details when the fix was made, by whom, and the specific commit. This provides full traceability to detail when and how a security alert was fixed and exactly what was changed to remediate the issue.