GitHub's Product Security Engineering Team: Secures GitHub's code by developing tools like CodeQL. They share insights on using CodeQL to protect other organizations' codebases.

• CodeQL Overview: Enables automated security analyses by querying code like a database. It's more effective than text-based searches and can detect hidden vulnerabilities.

Using CodeQL at GitHub:

• Standard Configuration: Uses default and security-extended query suites for most repositories to automatically review pull requests for security.
• For Large Ruby Monolith: Uses custom query packs tailored to specific needs and multi-repository variant analysis.

Challenges and Solutions:

• Custom Query Publishing: Initially published directly in repositories, but faced challenges like production deployment, slower CI, and CLI updates. Transitioned to GitHub Container Registry (GCR) to streamline, improve maintainability, and reduce friction.
• Query Stability: Writes unit tests for new queries and integrates them into the CI pipeline. Manages versioning through GCR to balance development flexibility and stability.
• Repository Integration: Depends on the organization's deployment strategy. The security team manages versioning through GCR to allow automatic use of the latest version and quick rollback if needed.
• Query Pack Accessibility: Ensured accessibility across multiple repositories in the organization by implementing the linked repository approach.