GitHub's Product Security Engineering Team: Secures GitHub's code by developing tools like CodeQL. They share insights on using CodeQL to protect other organizations' codebases.
- CodeQL Overview: Enables automated security analyses by querying code like a database. It's more effective than text-based searches and can detect hidden vulnerabilities.
Using CodeQL at GitHub:
- Standard Configuration: Uses default and security-extended query suites for most repositories to automatically review pull requests for security.
- For Large Ruby Monolith: Uses custom query packs tailored to specific needs and multi-repository variant analysis.
Challenges and Solutions:
- Custom Query Publishing: Initially published custom queries directly in repositories, but faced challenges such as production deployment, slower CI, and CLI updates. Transitioned to publishing query packs through the GitHub Container Registry (GCR) to streamline publishing, improve maintainability, and reduce friction.
- Query Stability: Writes unit tests for new queries and integrates them into the CI pipeline. Manages versioning through GCR to balance development flexibility and stability.
- Repository Integration: Depends on the organization's deployment strategy. The security team manages versioning through GCR to allow automatic use of the latest version and quick rollback if needed.
- Query Pack Accessibility: Ensured accessibility across multiple repositories in the organization by implementing the linked repository approach.
- Custom Queries: The team writes various custom queries to enhance security analysis, focusing on high-risk APIs, secure coding practices, and missing authorization controls. Some are educational with lower severity levels.
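As an added example (not from the original post or GitHub's own configuration), the following Actions workflow shows how the setup described above can be expressed for a Ruby repository: the built-in security-extended suite plus a custom query pack pulled from the GitHub Container Registry at a pinned version. The organization, pack name and version are hypothetical placeholders.

```yaml
# Added example, not from the original post. "octo-org/ruby-security-queries"
# and its version are placeholders for a pack published to GHCR.
name: CodeQL
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    - cron: "0 3 * * 1"   # weekly run to pick up newly published queries

permissions:
  contents: read
  security-events: write   # required to upload the analysis results
  packages: read           # read access to query packs stored in GHCR

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ruby
          # Built-in suite used for most repositories
          queries: security-extended
          # Custom pack from GHCR. Pinning an exact version gives a stable,
          # reviewable upgrade path; rolling back means changing this line.
          packs: octo-org/ruby-security-queries@1.2.3
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:ruby"
```

Pinning an exact pack version trades automatic adoption of new queries for predictability; a scheduled run plus a deliberate version bump keeps the upgrade visible in the pull request history.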