## CodeQL Workflow Integration for Rust
To integrate CodeQL into a Rust project, configure a GitHub Actions workflow. The workflow typically resides at .github/workflows/codeql.yml and is triggered on pushes, pull requests, scheduled intervals, or manual dispatches. Below is an example configuration based on a real-world Rust project:
```yaml
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "43 22 * * 1"
  workflow_dispatch:

permissions:
  contents: read
  actions: read
  security-events: write

jobs:
  analyze:
    name: CodeQL Analyze
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v5
      - name: Setup Rust
        uses: dtolnay/rust-toolchain@1.91.0
      - uses: github/codeql-action/init@v4
        with:
          languages: rust
      - uses: github/codeql-action/autobuild@v4
      - uses: github/codeql-action/analyze@v4
```
This workflow checks out the code, installs a pinned Rust toolchain, initializes CodeQL for Rust, runs the autobuild step, and runs the analysis, which uploads the results to code scanning. The `security-events: write` permission is what allows that upload; `contents: read` and `actions: read` cover the checkout and workflow-run lookups, and nothing else is granted. The workflow runs on pushes and pull requests to the main branch, weekly (Mondays at 22:43 UTC), and can be triggered manually. One caveat for projects that care about their own supply chain: `@v4`, `@v5` and `@1.91.0` are mutable tags, so pin each action to a full commit SHA (and let Dependabot bump it) if you want the workflow itself to be tamper-evident. See example PR.
## Types of Security Issues Detected
CodeQL for Rust is designed to detect a range of security vulnerabilities and code quality issues. While the set of queries for Rust is smaller than for some other languages, it focuses on Rust-specific risks, such as:
- Unsafe code usage: Identifies potentially dangerous use of `unsafe` blocks, which can lead to memory safety violations.
- Data races and concurrency issues: Flags patterns that may result in race conditions or improper synchronization.
- Use-after-free and lifetime issues: Detects code that escapes Rust's ownership and borrowing guarantees, which is only possible through `unsafe` code (for example a raw pointer that is dereferenced after the value it points to has been dropped).
- Integer overflows and underflows: Highlights arithmetic operations that could wrap unexpectedly; note that overflow panics in debug builds but wraps silently in the default release profile, so a wrapped length or offset can reach a later allocation or index.
- Insecure deserialization or parsing: Warns about patterns that could lead to injection or denial-of-service vulnerabilities.
- Common logic errors: Finds unreachable code, dead code, or other patterns that may indicate bugs.
The set of queries is continually evolving as the Rust CodeQL support matures.
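As an added example, not code from the page, from CodeQL's own query suite, or from any project the page describes, the following Rust shows the kind of pattern several of the categories above target (an attacker-controlled length that sizes an allocation, unchecked arithmetic on that length, and an `unsafe` read that trusts the arithmetic) beside a hardened rewrite of the sort the remediation step in the next section asks for. The record format, the `MAX_PAYLOAD_LEN` cap, and all function and type names are constructed for this example.

```rust
use std::fmt;

/// Constructed wire format for the example: each record is a 4-byte
/// big-endian payload length followed by that many payload bytes, repeated
/// until the buffer is exhausted.
#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    TruncatedHeader,
    TruncatedPayload,
    LengthTooLarge(u32),
}

impl fmt::Display for ParseError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ParseError::TruncatedHeader => write!(f, "record header truncated"),
            ParseError::TruncatedPayload => write!(f, "record payload truncated"),
            ParseError::LengthTooLarge(n) => write!(f, "declared length {n} exceeds cap"),
        }
    }
}

impl std::error::Error for ParseError {}

/// Upper bound on a single payload; a constructed policy limit for the example.
pub const MAX_PAYLOAD_LEN: u32 = 64 * 1024;

/// Naive parser, written the way a CodeQL Rust scan would flag it: the
/// attacker-chosen `len` sizes an allocation unchecked, `start + len` is
/// unchecked arithmetic (it wraps on a 32-bit target in a release build), and
/// the `unsafe` read trusts that arithmetic, so a crafted header turns the
/// bug into an out-of-bounds read. Only ever call it on well-formed input.
pub fn parse_naive(buf: &[u8]) -> Vec<Vec<u8>> {
    let mut out = Vec::new();
    let mut pos = 0usize;
    while pos < buf.len() {
        let len = u32::from_be_bytes([buf[pos], buf[pos + 1], buf[pos + 2], buf[pos + 3]]) as usize;
        let start = pos + 4;
        let end = start + len;
        let mut payload = Vec::with_capacity(len); // uncontrolled allocation size
        // SAFETY: not actually upheld; `end` was never checked against buf.len().
        payload.extend_from_slice(unsafe { buf.get_unchecked(start..end) });
        out.push(payload);
        pos = end;
    }
    out
}

/// Hardened parser: every length is bounds-checked before it is used, the
/// allocation is capped, and slicing goes through `get`, so malformed input
/// yields an `Err` rather than undefined behaviour or a multi-gigabyte alloc.
pub fn parse_checked(buf: &[u8]) -> Result<Vec<Vec<u8>>, ParseError> {
    let mut out = Vec::new();
    let mut rest = buf;
    while !rest.is_empty() {
        if rest.len() < 4 {
            return Err(ParseError::TruncatedHeader);
        }
        let (hdr, tail) = rest.split_at(4);
        let declared = u32::from_be_bytes(hdr.try_into().expect("split_at(4) yields 4 bytes"));
        if declared > MAX_PAYLOAD_LEN {
            return Err(ParseError::LengthTooLarge(declared));
        }
        // The cap was checked above, so this cast cannot truncate on any target.
        let len = declared as usize;
        let payload = tail.get(..len).ok_or(ParseError::TruncatedPayload)?;
        out.push(payload.to_vec());
        rest = &tail[len..];
    }
    Ok(out)
}

/// Builds well-formed input for the example (constructed helper).
pub fn encode_records(payloads: &[&[u8]]) -> Vec<u8> {
    let mut out = Vec::new();
    for p in payloads {
        out.extend_from_slice(&(p.len() as u32).to_be_bytes());
        out.extend_from_slice(p);
    }
    out
}

fn main() {
    let good = encode_records(&[b"hello".as_slice(), b"".as_slice(), b"world".as_slice()]);
    assert_eq!(parse_naive(&good), parse_checked(&good).unwrap());

    // Crafted input: the header claims 4 GiB but only two bytes follow.
    // parse_naive would reserve 4 GiB and then read far past `evil`;
    // parse_checked rejects it at the cap check.
    let mut evil = 0xFFFF_FFFFu32.to_be_bytes().to_vec();
    evil.extend_from_slice(b"xx");
    match parse_checked(&evil) {
        Err(e) => println!("rejected: {e}"),
        Ok(_) => unreachable!(),
    }
}
```

Which of these a scan actually reports depends on the query pack in use and on whether CodeQL can trace the length from an untrusted source to the allocation or the `unsafe` read; the hardened version removes all three sinks regardless, which is the cheaper fix than arguing about reachability.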
## Responding to CodeQL Findings
When CodeQL identifies a potential issue, it reports it in the Security tab of the GitHub repository and annotates pull requests with findings. Developers should:
- Review each finding to determine if it is a true positive or a false positive.
- For true positives, assess the severity and prioritize remediation based on the risk to the application.
- Fix the underlying code issue, following secure coding practices and leveraging Rust’s safety features where possible.
- Document the resolution in the pull request or issue tracker.
- If a finding is a false positive or not applicable, dismiss it in the code scanning view with one of the offered reasons (false positive, used in tests, or won't fix) and a short comment explaining why, so the decision is reviewable later.
- Monitor future CodeQL runs to ensure that fixes are effective and that new issues do not appear.
By integrating CodeQL into the CI workflow, Rust projects can automate the detection of security issues early in the development lifecycle, improving code quality and reducing the risk of vulnerabilities reaching production.