By Fredrik Dahlgren
Today we are announcing the latest addition to the Trail of Bits Testing Handbook: a brand new chapter on CodeQL! CodeQL is a powerful and versatile static analysis tool that extracts a codebase into a relational database and lets you query it with a dedicated query language, and at Trail of Bits, we regularly use CodeQL on client engagements to find common vulnerabilities and to perform variant analysis for already identified weaknesses. However, we often hear from other developers and security professionals who struggle to get started with CodeQL, and we have heard about the challenges many face in writing custom CodeQL queries and integrating them into CI/CD. In response, we’ve tried to identify the major pain points shared across the community and write up guidance to help everyone get the most out of CodeQL.
In this latest addition to the Testing Handbook, we describe how to set up CodeQL locally and create a CodeQL database for your project (the extracted representation of your code that every query runs against). We’ll walk you through the process of writing and running custom queries and show you how to unit test and debug them. We’ll also show how to integrate CodeQL into your existing CI/CD pipeline through GitHub code scanning. Finally, we’ve included a set of references to the official CodeQL documentation and third-party blog posts to help you find relevant, up-to-date information on all things CodeQL. Whether you’re an experienced CodeQL user or just getting started, our Testing Handbook is your entry point for harnessing the full power of CodeQL.