👮CodeQL Local Setup

Setting up CodeQL locally

CodeQL scans our handshake repo for security checks. It runs periodically (weekly) on our master branch, and for every PR raised or pushed against master and build.

Currently, I have not added automation scripts to speed up the local setup, so it involves some time-consuming manual tasks.

Why might you need a local setup?

You will need this for fixing the security bugs highlighted by CodeQL.

Steps for Js/Ts codebase

  1. Download the CodeQL CLI from the CodeQL release page.

When that is done, you can follow the rest of the steps from the docs.

I downloaded the package, extracted it into a folder, and then used codeql.exe. This was my command (the `database` subcommand is required; `codeql create` on its own is not a valid CLI command):

```
"Downloads\codeql\codeql.exe" database create js-ts-db --language=javascript-typescript
```

Before you run queries, make sure to delete static builds of the storybook or dashboard; otherwise you might have to wait a long time.

You can change the path to the CodeQL executable as needed.

  2. If needed, you can explore this queries list.

  3. Analyze the repo:

     ```
     "codeql\codeql.exe" database analyze js-ts-db --format=sarif-latest -o test.sarif
     ```

  4. Install an editor extension that supports viewing `.sarif` log files.

  5. Once done, you can run the queries and test the bug side-by-side.
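Step 3 leaves you with `test.sarif`, and a SARIF viewer extension is the usual way to read it. When you want to triage findings from the command line instead (for instance to list only security-tagged results above a given severity before opening the editor), the following script does that. It is an added example for this page, not part of the CodeQL CLI or our repo tooling; the SARIF document embedded in it is constructed to mirror the shape CodeQL emits (`runs[].tool.driver.rules[]` carrying `security-severity`, and `runs[].results[]` carrying `ruleId`, `level`, `message` and `locations`) so the script runs offline, and the rule ids, file paths and line numbers in it are made up. Pass a real `test.sarif` path on the command line to run it over actual output.

```python
"""Summarise CodeQL findings from a SARIF 2.1.0 file such as the test.sarif
produced by `codeql database analyze ... --format=sarif-latest`.

Added example, not CodeQL's own code. Usage: python sarif_triage.py [test.sarif]
With no argument the constructed SAMPLE_SARIF below is used.
"""
import json
import sys
from collections import Counter
from pathlib import Path

# Constructed sample (not real scan output): one security finding and one
# maintainability finding, in the layout CodeQL writes.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "CodeQL",
            "rules": [
                {"id": "js/xss",
                 "shortDescription": {"text": "Client-side cross-site scripting"},
                 "properties": {"security-severity": "6.1",
                                "problem.severity": "error",
                                "tags": ["security", "external/cwe/cwe-079"]}},
                {"id": "js/unused-local-variable",
                 "shortDescription": {"text": "Unused variable"},
                 "properties": {"problem.severity": "recommendation",
                                "tags": ["maintainability"]}},
            ],
        }},
        "results": [
            {"ruleId": "js/xss", "level": "error",
             "message": {"text": "Cross-site scripting vulnerability due to a user-provided value."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/components/Profile.tsx"},
                 "region": {"startLine": 42, "startColumn": 7}}}]},
            {"ruleId": "js/unused-local-variable", "level": "note",
             "message": {"text": "Unused variable tmp."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/utils/format.ts"},
                 "region": {"startLine": 10}}}]},
        ],
    }],
}


def load_sarif(path):
    """Read a SARIF file from disk into a dict."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


def rules_by_id(run):
    """Map ruleId -> rule metadata from tool.driver.rules (list may be absent)."""
    return {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}


def findings(sarif):
    """Flatten every result across all runs into plain dicts, joining each
    result to its rule so severity and tags are available for filtering."""
    out = []
    for run in sarif.get("runs", []):
        rules = rules_by_id(run)
        for res in run.get("results", []):
            props = rules.get(res.get("ruleId", ""), {}).get("properties", {})
            sev = props.get("security-severity")  # CodeQL stores this as a string, e.g. "6.1"
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append({
                "rule": res.get("ruleId", "<unknown>"),
                "level": res.get("level", "warning"),  # SARIF default when omitted
                "security_severity": float(sev) if sev is not None else None,
                "tags": props.get("tags", []),
                "file": loc.get("artifactLocation", {}).get("uri", "<no location>"),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": res.get("message", {}).get("text", ""),
            })
    return out


def security_findings(items, min_severity=0.0):
    """Keep only security-tagged findings at or above min_severity, highest first."""
    sec = [f for f in items
           if "security" in f["tags"]
           and f["security_severity"] is not None
           and f["security_severity"] >= min_severity]
    return sorted(sec, key=lambda f: f["security_severity"], reverse=True)


def count_by_rule(items):
    """Number of findings per rule id, handy for spotting noisy rules."""
    return dict(Counter(f["rule"] for f in items))


def format_finding(f):
    """One line per finding: file:line  rule  level  severity  message."""
    sev = "-" if f["security_severity"] is None else f"{f['security_severity']:.1f}"
    return f"{f['file']}:{f['line']}  {f['rule']}  {f['level']}  sev={sev}  {f['message']}"


if __name__ == "__main__":
    doc = load_sarif(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SARIF
    all_findings = findings(doc)
    print(f"{len(all_findings)} findings; per rule: {count_by_rule(all_findings)}")
    for f in security_findings(all_findings, min_severity=4.0):
        print(format_finding(f))
```

The script joins each result back to its rule entry because CodeQL puts `security-severity` and the `security` tag on the rule, not on the result; filtering on the result's `level` alone would miss that distinction. Bump `min_severity` to focus on the findings that block a PR first.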

Reference:
