
running precommit hooks with codeql/GHAS sast scans?


I'm just getting started with CodeQL and we have a requirement from our devs to run CodeQL SAST scans as pre-commit hooks. I could not find any docs on how to set up CodeQL to make it run on my machine.

Additional context (to answer questions below):

  1. Devs will not have CodeQL installed on their laptops (Windows and Mac)
  2. I would like to also automate the installation of the CodeQL CLI
  3. Reading the docs, it looks like I also need a CodeQL database; can that setup be automated?

In essence, I would like to make the install "almost" transparent to the devs, with minimal effort needed on their side.


Solution

  • Similar to your other question, this is probably not possible (but if in doubt, contact GitHub Enterprise support).

    A few potential issues:

    • The CodeQL license only allows usage for open source projects and academic research, for commercial use contact the GitHub sales team.
    • CodeQL analysis is performed on a CodeQL database created for the project. That database is created by building the complete project or parts of it, and this has to be repeated for every change you make to your project. Incremental creation of databases is currently not possible. Typically this is also slower than a normal build of the project without CodeQL.
      The time needed to create a database is probably unacceptable for usage as a pre-commit hook.
    • CodeQL analysis is performed for the complete database, even if you only changed a few lines in your project. There is research happening to support incremental analysis, but this is currently not available yet.
      The time needed to perform a full analysis of the database is therefore probably also unacceptable for usage as a pre-commit hook.
    • CodeQL CLI binaries are currently only published on GitHub and as GitHub workflow action. They are (to my knowledge) not published to any Linux package repositories or similar. So you would have to handle installation and updating of CodeQL CLI yourself.

    If you are creating an open source project on GitHub, or if your company is using GitHub for development, then it would be easiest to set up code scanning with CodeQL, instead of trying to set up something locally.
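To make the two steps the answer describes concrete (a full database rebuild followed by a full analysis on every commit), here is an added example of what such a pre-commit hook would look like; it is not code from the question or the answer. It assumes a Python repository, a scratch database directory `.codeql-db`, and that the `codeql` CLI is on `PATH`; the `database create` and `database analyze` subcommands and the `--language`, `--source-root`, `--format=sarif-latest` and `--output` options are the CodeQL CLI's own. The SARIF parsing is the only part that runs without the CLI installed.

```python
#!/usr/bin/env python3
"""Git pre-commit hook: rebuild the CodeQL database, analyze it, block the commit on findings.

Constructed example. CodeQL has no incremental mode, so both the build and the
analysis run from scratch every time, which is why the answer above calls this
too slow for a pre-commit hook; the elapsed time is printed so that is visible.
"""
import json, shutil, subprocess, sys, time
from pathlib import Path

DB_DIR = Path(".codeql-db")              # assumption: scratch location for the database
SARIF = Path(".codeql-results.sarif")    # assumption: where analyze writes its results
LANGUAGE = "python"                      # assumption: the repository's language


def sarif_findings(sarif_text: str) -> list[dict]:
    """Flatten a SARIF 2.1.0 document into one dict per result (rule, message, file, line)."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "?"),
                "message": result.get("message", {}).get("text", ""),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
            })
    return findings


def run_codeql(codeql: str) -> list[dict]:
    """Full database rebuild, then full analysis; a stale database cannot be updated in place."""
    shutil.rmtree(DB_DIR, ignore_errors=True)
    subprocess.run([codeql, "database", "create", str(DB_DIR),
                    f"--language={LANGUAGE}", "--source-root=."], check=True)
    subprocess.run([codeql, "database", "analyze", str(DB_DIR),
                    "--format=sarif-latest", f"--output={SARIF}"], check=True)
    return sarif_findings(SARIF.read_text())


def main() -> int:
    codeql = shutil.which("codeql")
    if codeql is None:   # CLI is not in package repositories, so most dev laptops lack it
        print("pre-commit: codeql CLI not on PATH; relying on code scanning in CI", file=sys.stderr)
        return 0          # fails open on purpose: the CI scan the answer recommends is the backstop
    started = time.monotonic()
    findings = run_codeql(codeql)
    print(f"pre-commit: CodeQL rebuild + analysis took {time.monotonic() - started:.0f}s")
    for f in findings:
        print(f"{f['file']}:{f['line']}: {f['rule']}: {f['message']}")
    return 1 if findings else 0   # non-zero exit aborts the commit


if __name__ == "__main__":
    sys.exit(main())
```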