Summary
Add a custom CodeQL workflow to perform Static Application Security Testing (SAST) on the C++ codebase. This would catch source-level security issues (buffer overflows, memory safety, etc.) beyond what Trivy's dependency/container scanning provides.
Current state
The broadinstitute org has a default CodeQL setup that runs on this repo, but it only scans GitHub Actions workflow files (actions language). Since C++ requires a manual build mode (CodeQL needs to intercept compilation), the org-level config can't provide the repo-specific build commands needed.
This causes two cosmetic issues on the GitHub Security tab:
- A configuration error/warning indicating C++ is detected but not scanned
- The CodeQL check on PRs only reports
Analyze (actions), giving a false sense of full coverage
What this would involve
Adding a .github/workflows/codeql.yml that:
- Checks out the repo with submodules
- Initializes CodeQL for C++ in
manual build mode
- Replicates the build steps (conan install, cmake configure, cmake build)
- Runs CodeQL analysis and uploads results
This would add ~15 minutes to CI but provide real SAST coverage for the C++ codebase (buffer overflows, use-after-free, integer overflow, etc.).
Priority
Low — Trivy already covers dependency and container vulnerability scanning. This is an additional defense-in-depth measure, not a gap in current security posture.
Summary
Add a custom CodeQL workflow to perform Static Application Security Testing (SAST) on the C++ codebase. This would catch source-level security issues (buffer overflows, memory safety, etc.) beyond what Trivy's dependency/container scanning provides.
Current state
The broadinstitute org has a default CodeQL setup that runs on this repo, but it only scans GitHub Actions workflow files (
actionslanguage). Since C++ requires amanualbuild mode (CodeQL needs to intercept compilation), the org-level config can't provide the repo-specific build commands needed.This causes two cosmetic issues on the GitHub Security tab:
Analyze (actions), giving a false sense of full coverageWhat this would involve
Adding a
.github/workflows/codeql.ymlthat:manualbuild modeThis would add ~15 minutes to CI but provide real SAST coverage for the C++ codebase (buffer overflows, use-after-free, integer overflow, etc.).
Priority
Low — Trivy already covers dependency and container vulnerability scanning. This is an additional defense-in-depth measure, not a gap in current security posture.