Add CodeQL/Code Scanning
josepalafox opened this issue · comments
Hi, I was wondering if I could add GitHub CodeQL to the list of tools here: https://owasp.org/www-community/Source_Code_Analysis_Tools
Also, was wondering if we could highlight who supports SARIF. It's called out in the header how important interoperability of the output format is but not listed by any of the tools.
Any of the tools that output SARIF can easily be output into the GitHub UI directly. I had to sort of hack this URL since I don't have permissions on your project so it may not work - https://github.com/OWASP/www-community/actions/new?category=security (if it doesn't work you can view this page by going to the security tab in GH, set up code scanning and then "configure other scanning tools") - All of these tools output SARIF and push the results into GH for developers to review.
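The interoperability point in the post above is that any analyzer emitting SARIF 2.1.0 can feed the same code-scanning UI. The script below is an added example, not code from the issue thread or from OWASP or GitHub: it sanity-checks a SARIF log for the fields a consumer such as GitHub code scanning relies on (`version`, `runs[].tool.driver.name`, `ruleId` and `message.text` on each result, file URIs in `locations`) and summarizes the findings. The embedded SARIF document and the tool name `example-sast` are constructed for the example; the field names follow the SARIF 2.1.0 specification.

```python
"""Sanity-check a SARIF 2.1.0 log before uploading it to a code-scanning UI.

Added example, not part of the OWASP issue thread. The sample log below is
constructed; the field names follow the SARIF 2.1.0 specification.
"""
import json

REQUIRED_VERSION = "2.1.0"

# Constructed sample of what a SAST tool's SARIF output typically looks like.
# "example-sast" and "EX001" are placeholders, not a real tool or rule.
SAMPLE_SARIF = json.dumps({
    "version": REQUIRED_VERSION,
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {
            "name": "example-sast",
            "version": "1.0",
            "rules": [{"id": "EX001",
                       "shortDescription": {"text": "Hardcoded credential"}}],
        }},
        "results": [{
            "ruleId": "EX001",
            "level": "error",
            "message": {"text": "Possible hardcoded credential"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/config.py"},
                "region": {"startLine": 12},
            }}],
        }],
    }],
})


def check_sarif(text: str) -> dict:
    """Parse SARIF text and return a summary; raise ValueError on shape errors.

    The checks mirror what a code-scanning consumer needs: the SARIF version,
    at least one run, a named tool driver, and a rule id plus message text on
    every result. Results without a location are accepted (the spec allows
    them) but contribute no file to the summary.
    """
    doc = json.loads(text)
    if doc.get("version") != REQUIRED_VERSION:
        raise ValueError(f"expected SARIF {REQUIRED_VERSION}, got {doc.get('version')!r}")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        raise ValueError("SARIF log has no runs")

    summary = {"tools": [], "results": 0, "by_level": {}, "files": set()}
    for run in runs:
        driver = run.get("tool", {}).get("driver", {})
        if "name" not in driver:
            raise ValueError("run is missing tool.driver.name")
        summary["tools"].append(driver["name"])
        for res in run.get("results", []):
            if "ruleId" not in res or "text" not in res.get("message", {}):
                raise ValueError("result is missing ruleId or message.text")
            # SARIF defaults a result's level to "warning" when it is absent.
            level = res.get("level", "warning")
            summary["by_level"][level] = summary["by_level"].get(level, 0) + 1
            summary["results"] += 1
            for loc in res.get("locations", []):
                uri = (loc.get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri"))
                if uri:
                    summary["files"].add(uri)
    summary["files"] = sorted(summary["files"])
    return summary


def is_valid_sarif(text: str) -> bool:
    """True when the log passes check_sarif, False on malformed JSON or shape errors."""
    try:
        check_sarif(text)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


if __name__ == "__main__":
    print(json.dumps(check_sarif(SAMPLE_SARIF), indent=2))
```

Running a check like this in CI before the upload step catches the common failure (a tool emitting an older SARIF version or omitting the driver name) earlier than the upload error would; on GitHub the upload itself is done with the `github/codeql-action/upload-sarif` action pointed at the file.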
Go for it.
OK I've created a PR to add it - #574. Please let me know if I need to change anything!