Skip to content

Add C++ CodeQL/SAST scanning to CI #20

Description

@dpark01

Summary

Add a custom CodeQL workflow to perform Static Application Security Testing (SAST) on the C++ codebase. This would catch source-level security issues (buffer overflows, memory safety, etc.) beyond what Trivy's dependency/container scanning provides.

Current state

The broadinstitute org has a default CodeQL setup that runs on this repo, but it only scans GitHub Actions workflow files (actions language). Since C++ requires a manual build mode (CodeQL needs to intercept compilation), the org-level config can't provide the repo-specific build commands needed.

This causes two cosmetic issues on the GitHub Security tab:

  • A configuration error/warning indicating C++ is detected but not scanned
  • The CodeQL check on PRs only reports Analyze (actions), giving a false sense of full coverage

What this would involve

Adding a .github/workflows/codeql.yml that:

  1. Checks out the repo with submodules
  2. Initializes CodeQL for C++ in manual build mode
  3. Replicates the build steps (conan install, cmake configure, cmake build)
  4. Runs CodeQL analysis and uploads results

This would add ~15 minutes to CI but provide real SAST coverage for the C++ codebase (buffer overflows, use-after-free, integer overflow, etc.).

Priority

Low — Trivy already covers dependency and container vulnerability scanning. This is an additional defense-in-depth measure, not a gap in current security posture.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions