GitHub CodeQL


Part of StackHawk’s official GitHub App integration.

Overview

StackHawk with GitHub helps teams find security issues in open-source dependencies and proprietary code before they reach production. View your GitHub CodeQL results, including the line of code, alongside your HawkScan findings. Teams use GitHub CodeQL to show where there may be a vulnerability, then confirm it is exploitable and validate it with a StackHawk HawkScan. Correlating the two result sets helps developers prioritize issues immediately, then confirm, reproduce and fix them quickly and efficiently.

Features

  • Automatically link HawkScan Findings with GitHub CodeQL Issues whenever you scan your application.
  • Finding Details with linked CodeQL issues show where in the code the vulnerability was identified with links to GitHub for further information.

Requirements

You must have the official StackHawk GitHub app installed, with a repo mapped to the application you are trying to scan. The mapped repo must have CodeQL results.

For detailed installation and configuration docs, check out the main GitHub App page.

Usage

Once the GitHub Integration is installed and a StackHawk Application is connected to a GitHub repository, future scans will show findings correlated to CodeQL issues based on the CWE ID. When a StackHawk Application and a GitHub Repository with CodeQL findings are connected, HawkScan will link its Findings with correlated GitHub CodeQL Issues for all Environments in the given Application.

Application Badging

Applications mapped to a GitHub repository will have the logo under the name of the Application.

(Screenshot: Application GitHub Badging)

Scan and Finding List Badging

When viewing the Scan list or the list of Findings on a specific scan, a SAST column will be present. If this column shows the GitHub logo, there is a linked GitHub CodeQL Issue.

Scan List

(Screenshot: Scan List GitHub Badging)

Finding List

(Screenshot: Finding List GitHub Badging)

Finding Details GitHub CodeQL Tab

When looking at the details of a specific Finding that has a linked GitHub CodeQL Issue, the GitHub CodeQL tab will be displayed. It will have details on the GitHub CodeQL Issues, with links to GitHub for more information. Note that the GitHub CodeQL tab in Finding Details will show at most 15 instances of the found CodeQL Issue. The vulnerable line(s) of code along with a small amount of context will be displayed.
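To make the CWE-based correlation described under Usage concrete, here is an added example (not StackHawk's or GitHub's own code) that indexes a CodeQL SARIF fragment by the `external/cwe/cwe-NNN` tags CodeQL places on its rules, joins each HawkScan finding to CodeQL issues with the same CWE, and caps the linked instances at 15 as the Finding Details tab does. The SARIF fragment, rule ids, file paths and the reduced HawkScan finding shape are constructed for this example.

```python
import re
from collections import defaultdict

MAX_INSTANCES = 15  # the Finding Details tab shows at most 15 linked CodeQL instances
CWE_TAG = re.compile(r"^external/cwe/cwe-(\d+)$")  # tag form CodeQL uses on its rules

# Constructed CodeQL SARIF fragment (SARIF 2.1.0 layout as emitted by CodeQL;
# rule ids, paths and line numbers are made up for this example).
CODEQL_SARIF = {"runs": [{
    "tool": {"driver": {"rules": [
        {"id": "js/xss", "properties": {"tags": ["security", "external/cwe/cwe-079"]}},
        {"id": "js/sql-injection", "properties": {"tags": ["security", "external/cwe/cwe-089"]}},
    ]}},
    "results": [
        {"ruleId": "js/xss", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/render.js"}, "region": {"startLine": 42}}}]},
        {"ruleId": "js/sql-injection", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/db.js"}, "region": {"startLine": 17}}}]},
    ],
}]}

# Constructed HawkScan findings, reduced to the fields the correlation needs.
HAWKSCAN_FINDINGS = [
    {"plugin": "Cross Site Scripting (Reflected)", "cwe": 79, "path": "/search"},
    {"plugin": "SQL Injection", "cwe": 89, "path": "/login"},
    {"plugin": "Missing Anti-clickjacking Header", "cwe": 1021, "path": "/"},
]

def codeql_issues_by_cwe(sarif):
    """Index every CodeQL result location under each CWE number its rule is tagged with."""
    by_cwe = defaultdict(list)
    for run in sarif["runs"]:
        # CodeQL tags each rule with external/cwe/cwe-NNN; map rule id -> {NNN, ...}
        rule_cwes = {r["id"]: {int(m.group(1)) for t in r.get("properties", {}).get("tags", [])
                               if (m := CWE_TAG.match(t))} for r in run["tool"]["driver"]["rules"]}
        for res in run["results"]:
            for loc in res["locations"]:
                phys = loc["physicalLocation"]
                issue = (res["ruleId"], phys["artifactLocation"]["uri"], phys["region"]["startLine"])
                for cwe in rule_cwes.get(res["ruleId"], ()):
                    by_cwe[cwe].append(issue)
    return by_cwe

def link_findings(findings, sarif, limit=MAX_INSTANCES):
    """Attach to each HawkScan finding the CodeQL issues sharing its CWE, capped at `limit`."""
    by_cwe = codeql_issues_by_cwe(sarif)
    return [{**f, "codeql": by_cwe.get(f["cwe"], [])[:limit]} for f in findings]
```

A finding whose CWE has no CodeQL match (the clickjacking header here) gets an empty list, which is what an unbadged row in the Finding list corresponds to.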

(Screenshot: Finding Details GitHub Tab)

Troubleshooting

If your scan results aren’t showing any linked GitHub CodeQL Issues and you are expecting them to, make sure you have connected a StackHawk Application and GitHub repository in the GitHub Integration.

CodeQL Issues will only be linked for scans run while an Application and Project are connected; there is no way to retroactively link past scans with GitHub CodeQL Issues.

Currently, it’s not possible to select a single Environment under an Application to map to a GitHub repository. Mappings are done at the Application level, so all scans for all Environments in that Application will get Findings linked with GitHub CodeQL Issues.

Feedback

Have any suggestions, feature requests, or feedback to share? Contact StackHawk Support.