aegilops :github::microsoft: · @aegilops
160 followers · 606 posts · Server fosstodon.org

I've had my first :github: CodeQL query merged into the experimental section of the official CodeQL rules!

lnkd.in/dk_tTiQZ (and a "local" variant, lnkd.in/dP88QJwa).

That's query ids java/command-line-injection-extra and java/command-line-injection-extra-local

They spot something the existing :java: command injection query does, but in a way that's more robust to unusual code.

It’s an edge case, but one that was important to a customer.

#CodeQL #sast #java #commandinjection

Last updated 1 year ago

aegilops :github::microsoft: · @aegilops
146 followers · 560 posts · Server fosstodon.org

Microsoft :microsoft: have an open job for a Security Program Manager for Open Source.

“Help us solve open source security challenges at scale, both for the company and the world. If you live at the intersection of open source, software engineering, security, and making things happen, please take a look… [It] is US-based, but…up to 100% remote”

jobs.careers.microsoft.com/glo

#jobs #sdlc #appsec #opensource #OpenSSF #security #CodeQL

Last updated 1 year ago

· @linkdrop
53 followers · 1909 posts · Server botsin.space
aegilops :github::microsoft: · @aegilops
134 followers · 483 posts · Server fosstodon.org

:github: is looking for projects to try out the upcoming Swift support in code scanning.

Sign up here:

github.com/github/codeql/discu

You’ll be able to get access to the new CodeQL-powered static source code analysis before it ships to everyone else.

#swift #opensource #github #swiftlang #iosdev #sast #securecoding #devsecops #CodeQL #betatesting #privatebeta #mobiledev

Last updated 2 years ago

Vincent Biret · @vincentbiret
32 followers · 147 posts · Server hachyderm.io

zero to hero part 1: the fundamentals of static analysis for vulnerability research github.blog/2023-03-31-codeql-

#CodeQL

Last updated 2 years ago

aegilops :github::microsoft: · @aegilops
126 followers · 470 posts · Server fosstodon.org

I open sourced a tool to create lists of repos to run GitHub CodeQL’s Multi-Repository Variant Analysis on, using a keyword search on GitHub.

It's a Bash script you can trigger with a VSCode build task. It uses the GitHub API (via the GitHub CLI) to fill a list in the VSCode settings.

It’s a stopgap before this sort of feature makes it into the product.

github.com/advanced-security/m

#mrva #variantanalysis #CodeQL #github #vscode #buildtask #sast #vulnerabilityresearch

Last updated 2 years ago

Beth Pariseau · @BPariseau
282 followers · 79 posts · Server hachyderm.io
aegilops :github::microsoft: · @aegilops
118 followers · 432 posts · Server fosstodon.org

You can now run a single static analysis query across thousands of repos on GitHub using CodeQL's MRVA (Multi-repo Variant Analysis).

That's great both for security research and rapidly auditing exposure to a single vuln or weakness for security teams.

It works from the CodeQL extension for VSCode, with open source public repos & private repos where CodeQL Code Scanning is enabled.

github.blog/2023-03-09-multi-r

#github #securityresearch #vulnerabilityresearch #CodeQL #variantanalysis #mrva #sast

Last updated 2 years ago

Arjun G · @247arjun
107 followers · 162 posts · Server infosec.exchange

🤯

can generate a (roughly) equivalent rule for a given rule. That's NUTS!

#chatgpt #CodeQL #semgrep

Last updated 2 years ago

0xbadc0fee · @0xbadc0fee
14 followers · 14 posts · Server infosec.exchange

Simultaneously loving and hating . Just as I'm starting to get the hang of , github goes and does a on me. Great tool, just steep learning curve getting it working with manually built binaries.

#CodeQL #github #holdmybeer

Last updated 2 years ago

Ain Tohvri · @tekkie
484 followers · 736 posts · Server mstdn.social

Turns out does not support in its and analysis tool yet. 🦀

#Security #CodeQL #rustlang #GitHub

Last updated 2 years ago

Sim4n6 · @sim4n6
13 followers · 17 posts · Server infosec.exchange

In case a data flow is broken 💔 between the src & the sink, please consider debugging the query using partial paths. A very high ROI article by @geekmasher geekmasher.dev/sast/codeql/22-

#CodeQL

Last updated 2 years ago
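The posts above about the Java command-injection queries and about debugging a broken source-to-sink flow with partial paths can be illustrated with one query. The following is an added example written for this page, not code from any of the posts, from the blog article linked above or from the official CodeQL query packs. It assumes the module-style data-flow API (`DataFlow::ConfigSig` / `DataFlow::Global`, available in recent CodeQL CLI and VS Code extension releases); the query id, the class name `RuntimeExecSink` and the limit of 8 steps are hypothetical choices for the illustration. Run it as a path-problem query in the VS Code extension against a Java database: instead of the empty result you get when full flow breaks, it lists the furthest node each remote source reaches on its way toward `Runtime.exec`, which is where a missing taint step or an unexpected sanitizer is usually hiding.

```ql
/**
 * @name Partial flow from remote input toward Runtime.exec (debugging aid)
 * @description Added example: shows where taint from a remote source stops
 *              before reaching an argument of java.lang.Runtime.exec.
 * @kind path-problem
 * @problem.severity warning
 * @id java/example/command-injection-partial-flow
 */

import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.FlowSources

/** Sink: any argument passed to java.lang.Runtime.exec(...). Hypothetical class name. */
class RuntimeExecSink extends DataFlow::Node {
  RuntimeExecSink() {
    exists(MethodCall call |
      call.getMethod().getDeclaringType().hasQualifiedName("java.lang", "Runtime") and
      call.getMethod().hasName("exec") and
      this.asExpr() = call.getAnArgument()
    )
  }
}

/** The same configuration a normal command-injection query would use. */
module ExecConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof RuntimeExecSink }
}

module ExecFlow = DataFlow::Global<ExecConfig>;

/** Maximum number of flow steps to explore from each source (assumed value). */
int explorationLimit() { result = 8 }

/** Partial-flow exploration derived from the normal configuration. */
module ExecPartialFlow = ExecFlow::FlowExploration<explorationLimit/0>;

// Provides the `edges`/`nodes` predicates so VS Code renders the partial path.
import ExecPartialFlow::PartialPathGraph

from ExecPartialFlow::PartialPathNode source, ExecPartialFlow::PartialPathNode node, int dist
where
  ExecPartialFlow::partialFlow(source, node, dist) and
  // Keep only the last node on each partial path: that is where flow stops
  // (missing taint step, unmodelled library call, or a sanitizer you did not expect).
  not exists(node.getASuccessor())
select node.getNode(), source, node,
  "Partial flow from $@ stops here after " + dist + " step(s).", source.getNode(),
  "remote input"
```

Once the stopping node is identified, the fix is either an `isAdditionalFlowStep` predicate in the configuration for the step CodeQL does not know about, or an adjustment to the source or sink definition; restore the normal `ExecFlow::flowPath` query afterwards, since partial-flow queries are exploratory and too noisy to run as an alert.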

Remco Vermeulen · @rvermeulen
15 followers · 3 posts · Server infosec.exchange

CodeQL path graphs are a useful aid in program understanding. In the following blog I discuss how they work and how you can create your own. mechanicalsympathy.nl/posts/co

#CodeQL #securityresearch #codereview

Last updated 2 years ago

Knomfr · @stuartdi
38 followers · 165 posts · Server ioc.exchange

#CodeQL

Last updated 2 years ago

aegilops :github::microsoft: · @aegilops
80 followers · 282 posts · Server fosstodon.org

It's now easier to get set up with CodeQL code security analysis on GitHub :github: (which is free for public repos).

For Python :python:, JavaScript :javascript:, TypeScript :typescript: and Ruby :ruby: there's now a quick "default setup" that gets you started without creating an Actions workflow file.

bleepingcomputer.com/news/secu

#github #sast #CodeQL #python #javascript #ruby

Last updated 2 years ago

Knomfr · @stuartdi
37 followers · 159 posts · Server ioc.exchange

(Posting this as a reminder to self) looks like a fun project to follow along with on my next off-day frycos.github.io/vulns4free/20
An article from the Frycos security diary using CodeQL to look at pgAdmin, which apparently can be run in a server mode.

#CodeQL

Last updated 2 years ago

Marco Ivaldi · @raptor
1515 followers · 634 posts · Server infosec.exchange
Remco Vermeulen · @rvermeulen
15 followers · 3 posts · Server infosec.exchange

I wrote a blog post on how you can benefit from using CodeQL during a security code review and how CodeQL can benefit from the things you learn. Let me know what you think.

mechanicalsympathy.nl/posts/se

#applicationsecurity #CodeQL #codereview

Last updated 2 years ago

Astra Kernel :verified: · @AstraKernel
662 followers · 696 posts · Server infosec.exchange

Using CodeQL to do a security audit on a Node.js + GraphQL project by @LiveOverflow

▶️ CodeQL, a code analysis engine developed by GitHub to automate security checks

youtu.be/VrF1RwnJzBk

#CodeQL #appsec #websec #infosec

Last updated 2 years ago