CodeQL Action v3 vs v2: What’s Changed?

First off, let me explain what a “CodeQL Action” is, in case you haven’t heard of it before. It’s basically a fancy way of saying that CodeQL (which stands for “Code Query Language”) can be run from GitHub Actions to automatically scan your codebase and flag potential security vulnerabilities or coding errors.

Now for the differences between v3 and v2. The main change is that in v3 you no longer need to install the CodeQL CLI (which stands for “Command Line Interface”) on your machine, because everything is now handled through GitHub Actions. This means less setup time and fewer headaches!

Here’s an example of how it works: let’s say you have a repository called “my-project” that contains some code with potential security vulnerabilities. You want to use CodeQL Action v3 to scan your codebase for any issues, so you create a new workflow file in the .github/workflows directory and add the following workflow:

name: Scan Code for Vulnerabilities # Name of the workflow
on: push # Trigger the workflow when a push event occurs
jobs:
  scan-codeql: # Name of the job
    runs-on: ubuntu-latest # Specifies the operating system to run the job on
    steps:
      - name: Checkout repository # Name of the step
        uses: actions/checkout@v2 # Uses the checkout action to clone the repository
      - name: Set up Git LFS, if needed # Name of the step
        if: github.event_name == 'push' && contains(github.event.head_commit.message, 'LFSTAG') # Only runs when the pushed head commit's message contains the marker 'LFSTAG'
        run: |
          echo "GIT_LFS_SKIP_SMUDGE=true" >> "$GITHUB_ENV" # Sets an environment variable for later steps (the old ::set-env command is disabled)
          git lfs install --skip-smudge # Installs the Git LFS hooks without downloading LFS objects
      - name: Install CodeQL CLI # Name of the step
        uses: ebslackers/[email protected] # Uses the setup-codeql action to install the CodeQL CLI
      - name: Scan code for vulnerabilities # Name of the step
        run: |
          # The CLI has no "scan" subcommand: first build a CodeQL database, then analyze it.
          # The post does not say which language the project uses; replace <language> with e.g. javascript or python.
          codeql database create codeql-db --language=<language> --source-root=. # Extracts the code into a database
          codeql database analyze codeql-db --format=sarif-latest --output=results.json # Runs the default query suite and writes the findings as SARIF (a JSON format) to results.json

This workflow will automatically trigger whenever you push a new commit to your repository, and it will use CodeQL Action v3 to scan your codebase for any issues. The output of the scan will be saved as a JSON file called “results.json” in the root directory of the repository as checked out on the runner (it is an output of the job, not a file committed back to the repository).
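For comparison, here is what a workflow built on the official github/codeql-action v3 steps looks like. This is an added example and not code from the original post; it assumes the default branch is named main and that the repository contains JavaScript and Python code (the language matrix would be adjusted to match the project). The point it demonstrates is that the init step downloads the CodeQL CLI bundle itself, so no separate "install CLI" step is needed, and that the analyze step uploads results to code scanning, which requires the security-events: write permission.

```yaml
name: CodeQL analysis (v3 actions)

on:
  push:
    branches: [main]            # assumption: default branch is main
  pull_request:
    branches: [main]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # checkout only needs read access
      security-events: write    # required to upload SARIF results to code scanning
    strategy:
      fail-fast: false
      matrix:
        language: [javascript, python]   # assumption: languages present in the repository

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # init fetches the CodeQL CLI bundle and prepares the database for the given language.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      # autobuild tries to build compiled languages; interpreted languages need no build step.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      # analyze runs the default query suite for the language and uploads the SARIF results.
      # category keeps results from different matrix legs separate in the Security tab.
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

The least-privilege permissions block is worth keeping even on private repositories: a workflow that only needs to read the checkout and write scan results should not be granted the default write token for everything else.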

That’s how CodeQL Action v3 works in a nutshell. It’s faster, easier to set up, and more reliable than its predecessor (v2), so if you haven’t tried it out yet, I highly recommend giving it a spin!

SICORPS