Posts
CodeQL in VSCode - solving a common problem
CodeQL, GitHub’s SAST engine, has a great VSCode extension to help you write queries.
One of the most common problems using it is that the extension can’t find the CodeQL libraries.
Solving this is pretty easy, but sometimes I forget what the problem is (as I did last night), so I’m dropping the error message here with the solution.
The error
The error you’ll see is something like this (where I’ve replaced the real user path with ~ for this example):
Partial Flow in CodeQL With ConfigSig
ℹ️ Edited 2024-01-11 to add a note about FlowExploration being deprecated in favour of FlowExplorationFwd and FlowExplorationRev, and to link to the CodeQL docs on partial flow
CodeQL is an ever-evolving static code analysis engine, which powers GitHub’s SAST.
It’s powerful, but it’s not perfect, and sometimes you need to debug queries to understand why they’re not behaving as you’d expect.
One great tool for that is “partial paths”, which lets you see the dataflow or taint steps that a query is flowing over, so you can see where the flow might have broken between a source and a sink.
I wrote a Python Linting Code Scanning Action
A GitHub Action to lint Python code, for GitHub Code Scanning
Recently I ran a training “bootcamp” for a customer on GitHub Advanced Security, and the topic of code quality came up.
Pinning down just what we mean by “code quality” can be a bit tricky: witness the debates over Uncle Bob’s work on “clean code”. It’s fair to say that it’s often about other factors of the code than the security of the code, which is the main focus of Advanced Security (the clue is in the name).
New GitHub Secret Scanning Custom Patterns
GitHub Secret Scanning gives loads of value off-the-shelf, with highly precise vendor secret detection, but sometimes a customer wants something that isn’t already covered by the built-in patterns.
For that, our custom patterns for Advanced Security are perfect, and I’ve just released some that I’ve written for a couple of customers (and also on a whim).
Here’s the list:
.NET Configuration file, e.g. <add key="password" value="somesecret" />
.NET machineKey, e.g. <machineKey validationKey=".
Regex for GitHub Secret Scanning
Regular Expressions (regex) are the butt of many a joke - “now you have two problems”, but they’re a powerful tool for searching and matching text.
As someone who’s been jokingly called “The King of Regex” 👑 before, I’ve got a little bit to say about them.
They’re used in many places, including GitHub’s Secret Scanning, where as part of Advanced Security they give you the ability to match your own patterns to search for secrets or personal data (or anything you like!
Intro
Hi, I’m Paul 👋
I’m Paul, aka aegilops. That’s my GitHub handle. It means nothing deeper than being a word with all of the letters in alphabetic order, which wasn’t already taken! It’s said ee-ji-lops (or ˈē-jə-ˌläps for anyone who knows IPA).
I’ve got a background in computer security, having done a couple of decades of network security, AppSec, vulnerability research and research & development.
I started work at GitHub at the end of May 2022.