As developers, infrastructure engineers, and DevOps professionals, we know that testing code is crucial: it is the difference between bug-filled code that doesn't work and production-ready code. Static code analysis is another form of testing, one that examines code without actually running it. Think of it as a code-quality scanner that reports the bugs and issues the code may have before it ever executes.

One thing static code analysis has generally lacked is security scanning. When an organization is shifting left on security, it's important to understand where its code stands. GitHub has bridged that gap with Code Scanning, a static code analyzer focused on security.

Code Scanning is currently in preview.

Prerequisites

To use code scanning, you will need the following:

  1. A GitHub account, which you can sign up for free here.
  2. A working knowledge of GitHub and source control.
  3. Access to the beta program. You can put yourself on the list here.

Enabling Code Scanning

Even if a GitHub account is enrolled in the code scanning beta, code scanning still needs to be enabled for the repository; otherwise it is off by default. In this section, you'll learn how to do just that.

Open a web browser, log into GitHub, and go to Repositories.

Once you're logged in, go to a GitHub repository and click Security. For example, in the screenshot below, this blog post is using the AzureAPI Python Flask project found here.

Under Security, you will see an option for Code scanning alerts. Click on Set up code scanning to turn on code scanning.

Code scanning is now enabled.

Setting up a Code Scanning Workflow

In the previous section, you learned how to enable the code scanning feature. Because this feature is still in beta, not everyone will see it in their GitHub account, nor will it be on by default.

Now that code scanning is turned on, it's time to enable a workflow.

On the Code scanning alerts tab from the previous section, click on Set up the workflow under CodeQL Analysis.

You will be presented with a default GitHub Actions workflow. Below is that workflow, customized to run for Python code to match the code in the AzureAPI repository.

name: "Test Python Code"

# Run the scan on every push to master and on every pull request targeting master.
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

jobs:
  analyse:
    name: Analyse
    runs-on: ubuntu-latest

    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
      with:
        # Fetch two commits so the pull request head can be checked out below.
        fetch-depth: 2

    # On pull requests, analyse the PR head commit rather than the merge commit.
    - run: git checkout HEAD^2
      if: ${{ github.event_name == 'pull_request' }}

    # Set up the CodeQL tooling and build the database for the listed languages.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v1
      with:
        languages: python

    # Run the CodeQL queries and upload the results to the repository's Security tab.
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v1

Once the above code is added in, or if you decide to use the default workflow, click the green Start commit button.

Choose to commit the workflow directly to master and click the green Commit new file button.

The workflow will now be added.

Checking on the GitHub Actions Workflow

Now that the workflow is committed to master, the Action will automatically commence.

Click on the Actions button to see the action running.

You will be able to see the action running and the workflow, which is called Test Python Code.

Click on the workflow and you will see that the workflow is in progress. To see the steps running in the workflow, click Analyse.

You can now see the running GitHub Action and the steps that are being taken to run security static code analysis on the Python code.

Congrats! You have successfully set up and run a code scan in GitHub!
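Once the workflow has run, the alerts it produces appear under Code scanning alerts and are also exposed through GitHub's REST API. The script below is an added example, not code from the original post or from the AzureAPI project: it assumes the JSON shape of the code scanning alerts endpoint (state, rule.id, rule.severity, most_recent_instance.location) and runs on a constructed sample payload, counting open alerts by severity and deciding whether a build should be blocked.

```python
"""Summarise GitHub code scanning alerts and gate a build on them.

Added example. The field names follow the GitHub REST endpoint
GET /repos/{owner}/{repo}/code-scanning/alerts as the author understands it;
SAMPLE_ALERTS_JSON is a constructed payload, not fetched from GitHub.
"""
import json
from collections import Counter

# Constructed sample: three alerts a CodeQL run on a Python repository might produce.
SAMPLE_ALERTS_JSON = """
[
  {"number": 1, "state": "open",
   "rule": {"id": "py/sql-injection", "severity": "error"},
   "most_recent_instance": {"location": {"path": "app.py", "start_line": 42}}},
  {"number": 2, "state": "open",
   "rule": {"id": "py/unused-import", "severity": "warning"},
   "most_recent_instance": {"location": {"path": "api/azure.py", "start_line": 3}}},
  {"number": 3, "state": "dismissed",
   "rule": {"id": "py/clear-text-logging-sensitive-data", "severity": "error"},
   "most_recent_instance": {"location": {"path": "app.py", "start_line": 77}}}
]
"""

FAIL_ON = {"error"}  # rule severities that should block a merge or deploy


def load_alerts(text):
    """Parse the JSON array returned by the alerts endpoint."""
    return json.loads(text)


def summarise_alerts(alerts):
    """Return (Counter of open alerts by severity, list of blocking alert descriptions).

    Only alerts in state "open" count; dismissed and fixed alerts are ignored.
    """
    open_alerts = [a for a in alerts if a.get("state") == "open"]
    counts = Counter(a["rule"]["severity"] for a in open_alerts)
    blocking = []
    for a in open_alerts:
        if a["rule"]["severity"] in FAIL_ON:
            loc = a["most_recent_instance"]["location"]
            blocking.append(f"#{a['number']} {a['rule']['id']} at {loc['path']}:{loc['start_line']}")
    return counts, blocking


def should_block(alerts):
    """True when at least one open alert has a blocking severity."""
    return bool(summarise_alerts(alerts)[1])


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS_JSON)
    counts, blocking = summarise_alerts(alerts)
    print("open alerts by severity:", dict(counts))
    for line in blocking:
        print("BLOCKING:", line)
    raise SystemExit(1 if blocking else 0)
```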

Conclusion

Security is one component that code analysis tools have been missing for a long time. When you or your organization are shifting left and seriously implementing security best practices, the best thing you can do for application security is to start at the code level.

In this blog post, you learned how to set up code scanning in GitHub, one of the newest beta features.