{"id":31699565,"url":"https://github.com/smelc/sarge-security-codeql","last_synced_at":"2025-10-08T19:45:12.120Z","repository":{"id":294672581,"uuid":"987719916","full_name":"smelc/sarge-security-codeql","owner":"smelc","description":"Demonstration of writing custom CodeQL rules and running them in CI","archived":false,"fork":false,"pushed_at":"2025-06-27T14:20:10.000Z","size":74,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-09-13T11:28:38.740Z","etag":null,"topics":["codeql","python","security"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/smelc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-21T13:39:45.000Z","updated_at":"2025-06-27T14:20:14.000Z","dependencies_parsed_at":null,"dependency_job_id":"dca2110f-2684-44c7-945b-0814f4848e8a","html_url":"https://github.com/smelc/sarge-security-codeql","commit_stats":null,"previous_names":["smelc/sarge-security-with-codeql"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/smelc/sarge-security-codeql","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/smelc%2Fsarge-security-codeql","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/smelc%2Fsarge-security-codeql/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/smelc%2Fsarge-security-codeql/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/smelc%2Fsarge-security-codeql/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/smelc","download_url":"https://codeload.github.com/smelc/sarge-security-codeql/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/smelc%2Fsarge-security-codeql/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279000702,"owners_count":26082806,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-08T02:00:06.501Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["codeql","python","security"],"created_at":"2025-10-08T19:44:38.534Z","updated_at":"2025-10-08T19:45:12.112Z","avatar_url":"https://github.com/smelc.png","language":"Shell","readme":"# sarge-security-codeql\n\nThis repository's purpose is to show how to model a Python library using [CodeQL](https://codeql.github.com/). In this repository, we model the [sarge](https://github.com/vsajip/sarge) Python library. We chose sarge because:\n\n1. Sarge is currently not in [CodeQL's list of supported Python libraries](https://github.com/github/codeql/tree/main/python/ql/lib/semmle/python/frameworks).\n1. Sarge wraps [subprocess](https://docs.python.org/3/library/subprocess.html) and as such it can create security threats, if used incorrectly.\n\n## Develop CodeQL rules\n\nWe recommend installing the [vscode CodeQL extension](https://marketplace.visualstudio.com/items?itemName=GitHub.vscode-codeql) and to develop rules in the [codeql-queries](./codeql-queries) directory. If you have installed `codeql` by unpacking the [codeql-bundle](https://github.com/github/codeql-action/releases) and made the `codeql` binary available in your `PATH`, you should have support for navigating the CodeQL standard library from an editor launched in this repository.\n\n### Run CodeQL like the CI does\n\nTo test vulnerabilities found by `codeql` on this codebase, the workflow is the following:\n\n1. Call `./create-codeql-db.sh`. This creates a `codeql-db-GIT_HASH` directory and links the `codeql-db` directory to it.\n1. Call `./run-codeql-analysis.sh`. This call `codeql` on the database `codeql-db` and then calls [sarif](https://github.com/microsoft/sarif-tools) to present the results in text format. This is handy to locally test on the CLI (as opposed to launching queries within vscode, which can be flaky).\n\n### Test a single query\n\nYou need to create the database with `./create-codeql-db.sh` as above, but then to test\na single query you are currently developing (say [codeql-queries/GetSargeRunSinks.ql](./codeql-queries/GetSargeRunSinks.ql)), do as follows:\n\n```shell\n./run-codeql-analysis.sh ./codeql-queries/GetSargeRunSinks.ql\n```\n\nWhen you change your query, unless you've changed the Python code in [app](./app), you don't need to rebuild the database.\n\n## Witness the vulnerabilities\n\nTo observe the vulnerabiities, you need to setup this project's Python code, as detailed below.\n\n### Installation\n\nThis project uses [poetry](https://python-poetry.org/) for provisioning dependencies and tooling.\n\nWe provide a [.envrc](./envrc) file to enter the development shell automatically\n(leveraging [direnv](https://direnv.net)). If you don't use that, please refer to poetry's documentation.\n\n### Running the app\n\nRun the Flask app with:\n\n```shell\nflask --app src/sarge_security/app.py --debug run\n```\n\nThe `--debug` flag enables hot reloading of changes.\n\nDepending on the kind of vulnerability, you will observe it in the terminal executing `flask` or in the webpage's content.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsmelc%2Fsarge-security-codeql","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsmelc%2Fsarge-security-codeql","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsmelc%2Fsarge-security-codeql/lists"}