CodeQL code analysis on CircleCI

Roopak Venkatakrishnan, Swissknife
Published Jun 29, 2020 (1 min read)

GitHub recently launched code scanning, which is built on an open-source collection of CodeQL queries that analyze code to find security vulnerabilities. It is currently available only on GitHub's Enterprise plan and for public repositories, via GitHub Actions.

Swissknife aims to close that gap by offering the ability to scan your public and open-source repositories on CircleCI as well. Scan your code using CodeQL and Swissknife on CircleCI, and view all the reports on Swissknife. Note that using CodeQL on private repositories is a violation of the CodeQL terms of use.

Setting up scanning is as simple as adding the Swissknife job to a workflow in your CircleCI config. Learn more here.

version: 2.1

# The orb must also be declared under `orbs:` with the alias `swissknife`
# used below; that declaration is not shown in the original snippet.
# The workflow name `codeql` is arbitrary and added here for a valid config.
workflows:
  codeql:
    jobs:
      - swissknife/codeql-analysis:
          name: "CodeQL Analysis"

Every run is reported to Swissknife where you can view reports and findings for each run.

Example CodeQL report
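A practitioner usually wants more than a report page: a CI gate that turns the findings into a pass/fail decision. The following is an added example, not code from the original post or from the Swissknife orb. It assumes the scan output is a SARIF 2.1.0 document, which is the format the CodeQL CLI emits with `--format=sarif-latest`; the embedded sample report is constructed for illustration and is not a real scan result. It resolves each result's level the way SARIF specifies (the result's own level, else the rule's default, else "warning"), reads CodeQL's `security-severity` rule property where present, and fails the run on error-level findings or on anything at or above a chosen security severity.

```python
"""Summarise a CodeQL SARIF report and decide whether a CI run should fail.

Added example; not part of the Swissknife orb or the original post.
Assumes SARIF 2.1.0 input as produced by `codeql database analyze
--format=sarif-latest`. SAMPLE_SARIF below is constructed for illustration.
"""
import json
import sys
from collections import Counter

# Constructed sample: one high-severity finding and one low-value one.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "CodeQL",
            "rules": [
                {"id": "js/sql-injection",
                 "shortDescription": {"text": "Database query built from user-controlled sources"},
                 "defaultConfiguration": {"level": "error"},
                 "properties": {"security-severity": "8.8"}},
                {"id": "js/unused-local-variable",
                 "shortDescription": {"text": "Unused variable"},
                 "defaultConfiguration": {"level": "note"}},
            ]}},
        "results": [
            {"ruleId": "js/sql-injection", "ruleIndex": 0,
             "message": {"text": "This query depends on a user-provided value."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.js"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "js/unused-local-variable", "ruleIndex": 1, "level": "warning",
             "message": {"text": "Unused variable tmp."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.js"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def _rule_for(run, result):
    """Find the rule object for a result, by index first, then by id."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    idx = result.get("ruleIndex")
    if idx is not None and 0 <= idx < len(rules):
        return rules[idx]
    for rule in rules:
        if rule.get("id") == result.get("ruleId"):
            return rule
    return {}


def load_findings(sarif_text):
    """Flatten every result in every run into a plain dict per finding."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            rule = _rule_for(run, result)
            # SARIF: result level overrides the rule default; default is "warning".
            level = result.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            sev = rule.get("properties", {}).get("security-severity")
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", rule.get("id", "<unknown>")),
                "level": level,
                "security_severity": float(sev) if sev is not None else None,
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def summarise(findings):
    """Count findings per level, e.g. {"error": 1, "warning": 1}."""
    return Counter(f["level"] for f in findings)


def format_finding(f):
    """One grep-friendly line per finding: level file:line rule: message."""
    return f"{f['level']} {f['file']}:{f['line']} {f['rule']}: {f['message']}"


def should_fail(findings, fail_levels=("error",), min_security_severity=7.0):
    """Fail on any listed level, or on CodeQL security-severity >= threshold."""
    for f in findings:
        if f["level"] in fail_levels:
            return True
        sev = f["security_severity"]
        if sev is not None and sev >= min_security_severity:
            return True
    return False


if __name__ == "__main__":
    # Real usage: python gate.py results.sarif ; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    found = load_findings(text)
    for f in found:
        print(format_finding(f))
    print(dict(summarise(found)))
    sys.exit(1 if should_fail(found) else 0)
```

Run it as a step after the scan and the job's exit status carries the decision; tune `fail_levels` and `min_security_severity` per repository rather than failing on every note, otherwise the gate gets disabled the first time it blocks a release.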

Currently, the CodeQL runner supports Go, JavaScript and Python. We're working on adding more languages and improving our report viewer. As always, we'd love your feedback; feel free to leave us a feature request here.

Get started and scan your code by setting up CodeQL scanning on your codebase.
