How to show HTML code is scanned by CodeQL
Question
GitHub is not showing that CodeQL scanned my repository’s HTML code. How can I show that CodeQL did scan the HTML code?
Answer
In general, OIS Software Assurance requires using Fortify to scan HTML files.
However, in some situations CodeQL may attempt to scan HTML code along with JavaScript/TypeScript code.
If the repository has a JavaScript CodeQL scan and you want to use it to cover the HTML, you must provide materials showing that all HTML files in the repository were scanned by CodeQL. This may be done in one of two ways:
- If the list of files scanned by CodeQL shown in GitHub includes the HTML files, nothing further needs to be done. See this technical note for the process on how to view the list of scanned files.
- If the list of files does not show that all the HTML files were scanned, you can instead provide the scan log files, provided they show that the HTML code has been scanned:
- View the scan logs as described here.
- View the raw logs and look for the section ##[group]Extracting javascript
- If this section has an “Extracting …” entry for each of the application's HTML files, then the log file can be used as an artifact to show that the HTML files have been scanned by CodeQL. To do this, you must do the following:
- Download the log file by clicking on the gear icon and selecting “Download log archive”
- Deliver the log archive as part of your review artifacts.
- Include a note in the request form indicating that the log archive is provided to show HTML files are scanned by CodeQL.
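As an added example (not part of this note and not CodeQL's or GitHub's own tooling), the following Python script automates the check described above: it parses a downloaded raw log, collects the “Extracting <path>” entries inside the ##[group]Extracting javascript section, and reports any repository HTML files that do not appear there. The sample log and the repository file list are constructed, and the exact format of the extractor's “Extracting <path>” lines is assumed and should be confirmed against a real log.

```python
import re
from pathlib import PurePosixPath

# Constructed sample of a raw GitHub Actions log. The timestamp prefix and the
# ##[group]/##[endgroup] markers are what the Actions runner prints; the
# "Extracting <path>" line format is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:00.0000000Z ##[group]Extracting javascript
2024-05-01T10:00:01.0000000Z Extracting /home/runner/work/app/app/src/index.html
2024-05-01T10:00:01.0000000Z Extracting /home/runner/work/app/app/src/app.js
2024-05-01T10:00:02.0000000Z Extracting /home/runner/work/app/app/public/login.htm
2024-05-01T10:00:02.0000000Z ##[endgroup]
2024-05-01T10:00:03.0000000Z ##[group]Extracting python
2024-05-01T10:00:03.0000000Z Extracting /home/runner/work/app/app/tool.py
2024-05-01T10:00:03.0000000Z ##[endgroup]
"""

# Constructed list of the repository's HTML files (paths relative to the repo
# root), e.g. copied from the repository search under Additional Information.
REPO_HTML_FILES = ["src/index.html", "public/login.htm", "docs/help.html"]

TIMESTAMP = re.compile(r"^\S+Z ")  # the runner prefixes every line with a timestamp
HTML_SUFFIXES = {".html", ".htm"}


def extracted_in_group(raw_log: str, group_name: str) -> list[str]:
    """Return the paths listed as 'Extracting <path>' inside the named log group."""
    paths, in_group = [], False
    for line in raw_log.splitlines():
        msg = TIMESTAMP.sub("", line)
        if msg == f"##[group]{group_name}":
            in_group = True
        elif msg == "##[endgroup]":
            in_group = False
        elif in_group and msg.startswith("Extracting "):
            paths.append(msg[len("Extracting "):].strip())
    return paths


def unscanned_html(raw_log: str, html_files: list[str]) -> list[str]:
    """Repository HTML files that never appear in the 'Extracting javascript' group."""
    scanned = extracted_in_group(raw_log, "Extracting javascript")
    missing = []
    for rel in html_files:
        if PurePosixPath(rel).suffix.lower() not in HTML_SUFFIXES:
            continue  # ignore anything that is not an HTML file
        # The log shows absolute runner paths, so match on the relative suffix.
        if not any(p == rel or p.endswith("/" + rel) for p in scanned):
            missing.append(rel)
    return missing


if __name__ == "__main__":
    gaps = unscanned_html(SAMPLE_LOG, REPO_HTML_FILES)
    print("all HTML files appear in the log" if not gaps else f"not in log: {gaps}")
```

An empty result means the log archive supports the claim that every HTML file was scanned; any listed file is one the log does not cover.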
Additional Information
You can generate a list of HTML files in a GitHub repository with the query:
repo:<org>/<repo> path:/\.html?$/
References
- GitHub CodeQL Supported languages and frameworks
- GitHub Docs Viewing code scanning logs