[Translation] How GitHub Uses CodeQL to Ensure Security

What happens when GitHub takes on its own security? They write code to protect code, and they actively use CodeQL to do it. In this article the Product Security Engineering team explains how to set up large-scale automated vulnerability analysis, why it is worth building your own query packs, and how CodeQL can find bugs that ordinary code search cannot catch.

https://habr.com/ru/companies/otus/articles/905630/

#CodeQL #github #безопасность_кода #уязвимости #GitHub_Advanced_Security #пакет_запросов #вариантный_анализ #cicd #анализ_уязвимостей

How GitHub Uses CodeQL to Ensure Security

This article is about how the Product Security Engineering team at GitHub manages the roll-out of CodeQL across the entire company, and how you can do...

Habr
CodeQLEAKED - Public Secrets Exposure Leads to Supply Chain Attack on GitHub CodeQL

An exposed GitHub token could have been used to launch a supply chain attack on GitHub CodeQL, resulting in source code exposure and repository tampering of CodeQL users.

Praetorian

I worked on the remediation of this vulnerability. It’s not great that we let this slip through, and it took two weeks of work to verify that nothing bad had been leaked. But overall, it was a good process, the disclosure process made sure we fixed the bug quickly, and I learned a lot.

Also, the reporter walked away with a tidy sum of $$$.

https://www.praetorian.com/blog/codeqleaked-public-secrets-exposure-leads-to-supply-chain-attack-on-github-codeql/

#github #codeql #security

Created a #CodeQL Cheat Sheet to document what I struggled with recently:

https://scrapco.de/codeql-cheat-sheet/cpp/cpp-conditionals-cfg/

Will push updates as they pop to my mind. Contributions/ideas are also most welcome!

https://github.com/v-p-b/codeql-cheat-sheet
C++ - Control-Flow of Conditionals - CodeQL Cheat Sheet

I got badly nerd sniped by Qualys:

Dreams in #CodeQL - Quest for the Perfect GOTO

https://scrapco.de/blog/dreams-in-codeql-quest-for-the-perfect-goto.html
Lingua Diabolis | Dreams in CodeQL - Quest for the Perfect GOTO

I'm pleased with how this turned out. For the past few months, together with a lot of other people, I've been working on making #GitHub #Actions workflows more secure using CodeQL. Here are the results:

https://github.blog/security/application-security/how-to-secure-your-github-actions-workflows-with-codeql/

Now all public repositories on GitHub can opt in and make their code more secure with almost no effort.

#github #actions #security #CodeQL

How to secure your GitHub Actions workflows with CodeQL

In the last few months, we secured 75+ GitHub Actions workflows in open source projects, disclosing 90+ different vulnerabilities. Out of this research we produced new support for workflows in CodeQL, empowering you to secure yours.

The GitHub Blog
Announcing CodeQL Community Packs

We are excited to introduce the new CodeQL Community Packs, a comprehensive set of queries and models designed to enhance your code analysis capabilities. These packs are tailored to augment…

The GitHub Blog

🔍Researcher Eviatar Gerzi uncovered 2 vulnerabilities in #Portainer! 🛡️

Learn how #CodeQL helped identify a blind SSRF and insecure encryption in this popular container management tool.

Read the full analysis here:

https://www.cyberark.com/resources/threat-research-blog/discovering-hidden-vulnerabilities-in-portainer-with-codeql

Discovering Hidden Vulnerabilities in Portainer with CodeQL

Recently, we researched a project on Portainer, the go-to open-source tool for managing Kubernetes and Docker environments. With more than 30K stars on GitHub, Portainer gives you a user-friendly...

Now available for free on all public repositories: Copilot Autofix for CodeQL code scanning alerts · GitHub Changelog

Now available for free on all public repositories: Copilot Autofix for CodeQL code scanning alerts

The GitHub Blog