Task Three: Run additional code-scanning queries
After the first set of queries, which by default run the standard pack, revisit the codeql-analysis configuration file and add either the security-extended or the security-and-quality queries to expand the scope of the scan.
Running Additional Queries
Why would you do this? The value is that you can adjust what level of scan runs based on the level of risk you accept for each application. For example, you may have an internal tool where the standard scan queries meet your risk level, as it isn't customer-facing. On the other hand, you may have a customer-facing, high-risk application where you are more cautious and your tolerance for possible false positives is higher. In that case, you would use a different pack such as security-extended or security-and-quality.
This means that you no longer have to run the same scan for a proof of concept and a high-risk customer application!
Actions
An example of how you would do this is by adding the following:

```yaml
- name: Initialize CodeQL
  uses: github/codeql-action/init@v1
  with:
    queries: security-extended
```

Or

```yaml
- name: Initialize CodeQL
  uses: github/codeql-action/init@v1
  with:
    queries: security-and-quality
```
Specifically, you are adding the queries line under with:. This tells Code Scanning to run a different set of queries than the standard pack.
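To show where that queries line sits in a complete workflow, here is a full codeql-analysis.yml as an added example (it is not the workflow file from the original page). It assumes a JavaScript repository with a main branch and the v1 action tags used above; the language, branch names and job name are assumptions you would change to match your repository.

```yaml
name: "CodeQL"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      # Least privilege: only what code scanning needs to read the repo
      # and upload SARIF results to the Security tab.
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        # Assumed language; add others (e.g. python, go) as needed.
        language: [ 'javascript' ]

    steps:
    - name: Checkout repository
      uses: actions/checkout@v2

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v1
      with:
        languages: ${{ matrix.language }}
        # The extra line from this task: choose the suite that matches the
        # application's risk level. Use security-and-quality for the
        # broadest scan on a customer-facing, high-risk application.
        queries: security-extended

    - name: Autobuild
      uses: github/codeql-action/autobuild@v1

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v1
```

Only the queries value differs between a low-risk internal tool and a high-risk customer-facing application; the checkout, autobuild and analyze steps stay the same, so you can keep one workflow template and vary the suite per repository.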
CodeQL CLI
Here is an example of how to set another query suite using the CodeQL CLI directly. The analyze command also needs --format and --output so it has somewhere to write results:

```shell
# Query suites are .qls files named after the language, e.g. javascript-security-extended.qls
codeql database analyze ${CODEQL_DATABASE} ${LANGUAGE}-security-extended.qls \
  --format=sarif-latest --output=results.sarif
```

or

```shell
codeql database analyze ${CODEQL_DATABASE} ${LANGUAGE}-security-and-quality.qls \
  --format=sarif-latest --output=results.sarif
```