Anyone working with GitHub Code Scanning has probably encountered the "show paths" functionality available on some of the alerts produced by CodeQL. It visualizes the data flow from the source of untrusted data to the sink, the location of the alert, so that a developer can see how the security issue materializes. The path also helps pinpoint where along that flow a validation or contextual encoding step is missing.
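The paths rendered by "show paths" come from queries of kind `path-problem`. The following CodeQL query for JavaScript is an added example, not code from the original post; it uses the older `TaintTracking::Configuration` class-based API (the newer module-based API expresses the same idea differently) and a deliberately simple sink, any argument passed to a call named `eval`, chosen here for illustration. The `select` clause ties the sink, the source, and the path nodes together, which is exactly the triple that Code Scanning draws as a path.

```ql
/**
 * @name Untrusted data reaches eval
 * @description Remote input flows, possibly through several steps, into a
 *              call to eval without passing through a sanitizer.
 * @kind path-problem
 * @problem.severity warning
 * @id js/example/untrusted-data-to-eval
 */

import javascript
// PathGraph supplies the edges predicate that "show paths" renders.
import DataFlow::PathGraph

// A taint-tracking configuration: sources, sinks, and (optionally) sanitizers.
class UntrustedToEvalConfig extends TaintTracking::Configuration {
  UntrustedToEvalConfig() { this = "UntrustedToEvalConfig" }

  // Sources: anything the library models as remote (attacker-controlled) input.
  override predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource
  }

  // Sink (assumed for the example): an argument of a call to a function named eval.
  override predicate isSink(DataFlow::Node sink) {
    exists(DataFlow::CallNode call |
      call.getCalleeName() = "eval" and
      sink = call.getAnArgument()
    )
  }

  // Sanitizer (assumed for the example): values that pass through a function
  // named sanitize stop the flow, so a path only appears when that step is missing.
  override predicate isSanitizer(DataFlow::Node node) {
    exists(DataFlow::CallNode call |
      call.getCalleeName() = "sanitize" and
      node = call
    )
  }
}

from UntrustedToEvalConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
// Column order matters for path-problem queries: alert location, path start,
// path end, message, then the placeholders referenced by $@ in the message.
select sink.getNode(), source, sink, "Untrusted data from $@ reaches eval.",
  source.getNode(), "a remote source"
```

When run with the CodeQL CLI (`codeql database analyze <db> <query> --format=sarif-latest --output=results.sarif`), each result carries the intermediate path nodes as SARIF code flows; that is the data Code Scanning presents under "show paths". A flow that ends at a `sanitize` call produces no alert, which is why inspecting a reported path is a quick way to see which intermediate step should have been a sanitizer but was not.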
In the post "Scaling application security with codified security knowledge" I discussed how codifying the security knowledge acquired during manual security code reviews can help scale application security. In this post I would like to show how CodeQL can be used during a security code review, and how gaps in security knowledge uncovered during that review can be codified. I do this by looking at the similarities between the security code review process and the security query writing process, and at how each can improve the other.