How to use official GitHub Actions workflow analysis queries with CodeQL CLI? #844
Answered by JarLob
nickossdev asked this question in Q&A
Replies: 1 comment
Hi,
Currently available queries for actions are these:
https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-094/ExpressionInjection.ql
https://github.com/github/codeql/blob/main/javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.ql
https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/blob/main/javascript/src/security/CWE-829/UnpinnedActionsTag.ql
The documentation on how to use the CodeQL CLI is located at
https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-a-single-query
On Mon, Jul 29, 2024 at 4:36 AM nickossdev wrote:

> Using official GitHub Actions workflow analysis queries with CodeQL CLI
>
> I'm trying to analyze my GitHub Actions workflow files for security issues and best practices using the CodeQL CLI. I know there are official queries for this purpose, but I'm having trouble finding clear documentation on how to use them outside of GitHub's automated code scanning.
>
> Specifically:
> 1. Where can I find the official CodeQL queries for analyzing GitHub Actions workflows?
> 2. How can I use these queries with the CodeQL CLI to analyze my workflow files locally?
> 3. Is there official documentation for this process?
>
> Thanks
Answer selected by nickossdev
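As an added example (not from the discussion, and not code from github/codeql or the Community Packs), a small Python wrapper around the CLI steps the answer points to: create a database with the JavaScript extractor, run the three linked query files by path, and flatten the SARIF into rows for triage. The clone directories `codeql` and `CodeQL-Community-Packs`, the need for `codeql pack install` in the community pack, and the `SAMPLE_SARIF` fragment with its rule ids are assumptions/constructed.

```python
import json
import subprocess
from pathlib import Path

# Assumed local clone locations of github/codeql and GitHubSecurityLab/CodeQL-Community-Packs.
CODEQL_REPO = Path("codeql")
COMMUNITY_REPO = Path("CodeQL-Community-Packs")
QUERIES = [  # query paths exactly as linked in the answer above
    CODEQL_REPO / "javascript/ql/src/Security/CWE-094/ExpressionInjection.ql",
    CODEQL_REPO / "javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.ql",
    COMMUNITY_REPO / "javascript/src/security/CWE-829/UnpinnedActionsTag.ql",
]


def create_database(source_root: Path, db: Path) -> None:
    """The JavaScript extractor also extracts the YAML under .github/workflows, which is
    why these Actions queries live in the javascript packs and need --language=javascript."""
    subprocess.run(["codeql", "database", "create", str(db), "--language=javascript",
                    f"--source-root={source_root}", "--overwrite"], check=True)


def analyze(db: Path, sarif_out: Path) -> dict:
    """Run the query files and return the parsed SARIF. Assumed: the community pack's
    library dependency is fetched once with `codeql pack install` in its javascript/src."""
    subprocess.run(["codeql", "database", "analyze", str(db), *map(str, QUERIES),
                    "--format=sarif-latest", f"--output={sarif_out}"], check=True)
    return json.loads(sarif_out.read_text())


def summarize(sarif: dict) -> list[tuple[str, str, int, str]]:
    """Flatten SARIF to sorted (ruleId, workflow file, startLine, message) rows, one per location."""
    rows = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            msg = result.get("message", {}).get("text", "")
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                rows.append((result.get("ruleId", ""), phys.get("artifactLocation", {}).get("uri", ""),
                             phys.get("region", {}).get("startLine", 0), msg))
    return sorted(rows)


# Constructed SARIF fragment in the shape `codeql database analyze` emits; rule ids are placeholders.
SAMPLE_SARIF = {"runs": [{"results": [
    {"ruleId": "example/expression-injection", "message": {"text": "untrusted ${{ }} in run step"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"},
                                         "region": {"startLine": 14}}}]},
    {"ruleId": "example/unpinned-action", "message": {"text": "action pinned by tag"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"},
                                         "region": {"startLine": 9}}}]}]}]}
```

From the root of the repository to scan, `create_database(Path("."), Path("actions-db"))` followed by `summarize(analyze(Path("actions-db"), Path("actions.sarif")))` yields the rows for its workflow files.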