Quickstart: Create a security scan GitHub workflow

In this quickstart, you will learn how to create a CodeQL GitHub workflow to automate the discovery of vulnerabilities in your .NET codebase.

In CodeQL, code is treated as data. Security vulnerabilities, bugs, and other errors are modeled as queries that can be executed against databases extracted from code.

• GitHub CodeQL: About

Prerequisites

• A GitHub account.
• A .NET source code repository.

Create a workflow file

In the GitHub repository, add a new YAML file to the .github/workflows directory. Choose a meaningful file name, something that will clearly indicate what the workflow is intended to do. For more information, see Workflow file.

Important

GitHub requires that workflow composition files to be placed within the .github/workflows directory.

Workflow files typically define a composition of one or more GitHub Action via the jobs.<job_id>/steps[*]. For more information, see, Workflow syntax for GitHub Actions.

Create a new file named codeql-analysis.yml, copy and paste the following YML contents into it:

name: "CodeQL"

on:
  push:
    branches: [main]
    paths:
    - '**.cs'
    - '**.csproj'
  pull_request:
    branches: [main]
    paths:
    - '**.cs'
    - '**.csproj'
  schedule:
    - cron: '0 8 * * 4'

jobs:
  analyze:

    name: analyze
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        language: ['csharp']

    steps:
    - name: Checkout repository
      uses: actions/checkout@v3
      with:
        fetch-depth: 2

    - run: git checkout HEAD^2
      if: ${{ github.event_name == 'pull_request' }}

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v1
      with:
        languages: ${{ matrix.language }}

    - name: Autobuild
      uses: github/codeql-action/autobuild@v1

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v1

In the preceding workflow composition:

• The name: CodeQL defines the name, "CodeQL" will appear in workflow status badges.

  name: "CodeQL"
  

• The on node signifies the events that trigger the workflow:

  on:
    push:
      branches: [main]
      paths:
      - '**.cs'
      - '**.csproj'
    pull_request:
      branches: [main]
      paths:
      - '**.cs'
      - '**.csproj'
    schedule:
      - cron: '0 8 * * 4'
  

  • Triggered when a push or pull_request occurs on the main branch where any files changed ending with the .cs or .csproj file extensions.
  • As a cron job (on a schedule)—to run at 8:00 UTC every Thursday.

• The jobs node builds out the steps for the workflow to take.

  jobs:
    analyze:
  
      name: analyze
      runs-on: ubuntu-latest
  
      strategy:
        fail-fast: false
        matrix:
          language: ['csharp']
  
      steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 2
  
      - run: git checkout HEAD^2
        if: ${{ github.event_name == 'pull_request' }}
  
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: ${{ matrix.language }}
  
      - name: Autobuild
        uses: github/codeql-action/autobuild@v1
  
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1
  

  • There is a single job, named analyze that will run on the latest version of Ubuntu.
  • The strategy defines C# as the language.
  • The github/codeql-action/init@v1 GitHub Action is used to initialize CodeQL.
  • The github/codeql-action/autobuild@v1 GitHub Action builds the .NET project.
  • The github/codeql-action/analyze@v1 GitHub Action performs the CodeQL analysis.

For more information, see GitHub Actions: Configure code scanning.

Create a workflow status badge

It's common nomenclature for GitHub repositories to have a README.md file at the root of the repository directory. Likewise, it's nice to report the latest status for various workflows. All workflows can generate a status badge, which are visually appealing within the README.md file. To add the workflow status badge:

1. From the GitHub repository select the Actions navigation option.

2. All repository workflows are displayed on the left-side, select the desired workflow and the ellipsis (...) button.

   • The ellipsis (...) button expands the menu options for the selected workflow.

3. Select the Create status badge menu option.

   

4. Select the Copy status badge Markdown button.

   

5. Paste the Markdown into the README.md file, save the file, commit and push the changes.

For more, see Adding a workflow status badge.

Example CodeQL workflow status badge

Passing	Failing	No status

See also

• Secure coding guidelines
• actions/checkout
• actions/setup-dotnet

Next steps

Tutorial: Create a GitHub Action with .NET