How GitHub uses CodeQL to secure GitHub
Blog post from GitHub
GitHub's Product Security Engineering team uses CodeQL, a static analysis engine, as a central part of its strategy for securing GitHub's own code: detecting vulnerabilities across the company's large repository estate and driving their remediation. Through GitHub Advanced Security (GHAS), the team relies on CodeQL's query language to ask questions of code much as one would query a database, which finds classes of issues that plain text search cannot. Different setups, including the default query suites and custom query packs, are matched to the needs of different repositories, such as the large Ruby monolith, so that each gets an analysis tailored to it. The team also performs variant analysis and quick audits with CodeQL's multi-repository variant analysis (MRVA) to find insecure coding patterns and potential vulnerabilities at scale. Publishing query packs to the GitHub Container Registry (GCR), rather than committing the queries into each repository, has simplified deploying and maintaining custom CodeQL queries while minimizing disruption. The team also stresses writing unit tests for custom queries so that the queries stay stable and reliable. Finally, the post notes that CodeQL is useful not only for finding security vulnerabilities but also for confirming the presence or absence of required security controls, which saves time for both security engineers and developers by surfacing issues during development rather than after the fact.
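The post's point that CodeQL can confirm the presence or absence of a security control, rather than only flag a bug, is easiest to see in a query. The following is an added example written for this page; it is not GitHub's own query or part of the blog post. It is a Ruby query that reports Rails controller classes which neither declare nor inherit a `before_action` whose callback name starts with `authenticate`, and controllers that explicitly skip such a callback. The `@id`, the `ControllerClass` class, the predicate names, and the assumption that every controller inherits directly from a class literally named `ApplicationController` are all choices made for the example, not conventions taken from the page.

```ql
/**
 * @name Rails controller without an authentication filter
 * @description Reports controllers that never declare or inherit an
 *              authentication before_action, or that skip one, so that a
 *              missing security control shows up as a finding.
 * @kind problem
 * @problem.severity warning
 * @id rb/example/controller-missing-auth-filter
 * @tags security
 */

import ruby

/**
 * A controller class. For this example a controller is any class whose
 * direct superclass is written as the constant `ApplicationController`;
 * real applications may need other base classes added here.
 */
class ControllerClass extends ClassDeclaration {
  ControllerClass() {
    this.getSuperclassExpr().(ConstantReadAccess).getName() = "ApplicationController"
  }
}

/** Holds if the symbol `sym` names an authentication callback (assumed `authenticate...` prefix). */
bindingset[sym]
predicate isAuthCallbackName(string sym) { sym.matches("authenticate%") }

/**
 * Holds if the body of module declaration `m` contains a statement
 * `<filterMethod> :<callback>` where `<callback>` is an authentication callback,
 * e.g. `before_action :authenticate_user!` or `skip_before_action :authenticate_user!`.
 */
predicate declaresFilter(ModuleBase m, string filterMethod) {
  exists(MethodCall filter |
    filter = m.getAStmt() and
    filter.getMethodName() = filterMethod and
    isAuthCallbackName(filter.getArgument(0).getConstantValue().getSymbol())
  )
}

/**
 * Holds if `c` or any class it inherits from declares the authentication
 * `before_action`. Walking `getSuperClass*()` is what lets a filter installed
 * once in `ApplicationController` cover every subclass.
 */
predicate hasAuthFilter(ControllerClass c) {
  declaresFilter(c.getModule().getSuperClass*().getADeclaration(), "before_action")
}

/** Holds if `c` itself opts out of the authentication filter. */
predicate skipsAuthFilter(ControllerClass c) {
  declaresFilter(c, "skip_before_action")
}

from ControllerClass c, string reason
where
  (not hasAuthFilter(c) and reason = "declares or inherits no authentication before_action")
  or
  (skipsAuthFilter(c) and reason = "skips the authentication before_action")
select c, "Controller " + c.getName() + " " + reason + "."
```

Both branches are deliberate: the first catches the control that was never added, the second the control that was removed, and the second branch will still fire when a skip is legitimate (a public status endpoint, say), which is exactly the kind of result a reviewer wants to triage rather than have hidden. Saving this as a `.ql` file inside a query pack also makes it usable with MRVA, so the same question can be asked of many repositories at once.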
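Two other practices the post calls out, publishing custom queries as a pack to the container registry and unit-testing them, both hinge on how the pack is laid out. The two `qlpack.yml` files below are an added illustration, not files from GitHub's repositories; the pack names under `example-org/`, the version numbers, and the directory names are invented for the example. The first file describes the query pack that gets published; the second describes a separate test pack that depends on it.

```yaml
# file: ruby-security-queries/qlpack.yml
# The publishable query pack. Queries such as the example .ql above live next
# to this file. `library: false` marks it as a pack of runnable queries.
name: example-org/ruby-security-queries
version: 0.1.0
library: false
dependencies:
  codeql/ruby-all: "*"
---
# file: ruby-security-queries-tests/qlpack.yml
# The test pack. It is never published; it exists so `codeql test run`
# can build a Ruby database from fixture files and check query results.
# `extractor: ruby` tells the test runner which language to extract.
name: example-org/ruby-security-queries-tests
version: 0.1.0
extractor: ruby
dependencies:
  example-org/ruby-security-queries: "*"
```

A test for one query is a directory in the test pack, for instance `ruby-security-queries-tests/ControllerMissingAuthFilter/`, holding three things: a `.qlref` file whose single line is the path of the query relative to the query pack root (here `ControllerMissingAuthFilter.ql`), one or more small Ruby fixture files that exercise the cases the query must and must not report, and a `.expected` file with the results. `codeql test run` extracts the fixtures, runs the query, and diffs the output against `.expected`, so a change to the query or to the `codeql/ruby-all` library that alters results fails the test rather than silently changing what repositories get flagged. The query pack itself is published with `codeql pack publish`, run with a token that is allowed to write packages, and consumers then reference `example-org/ruby-security-queries` in their code scanning configuration instead of copying the `.ql` files into each repository.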