Security Analysis with CodeQL
Type: Document
Status: Published
Created: Nov 10, 2025
Updated: Nov 10, 2025
Updated by: Dosu Bot

CodeQL is integrated into the project's CI/CD pipeline through GitHub Actions to provide automated security analysis of the Rust code. The workflow is defined in .github/workflows/codeql.yml and is triggered on every push and pull request to the main branch, on a weekly schedule, and via manual dispatch. This ensures that security checks run continuously and systematically throughout the development lifecycle.

Workflow Setup

The CodeQL workflow runs on an Ubuntu 22.04 runner. The steps are as follows:

jobs:
  analyze:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v5

      - name: Setup Rust
        uses: dtolnay/rust-toolchain@1.90

      - uses: github/codeql-action/init@v3
        with:
          languages: rust

      - uses: github/codeql-action/autobuild@v3

      - uses: github/codeql-action/analyze@v3

The workflow checks out the repository, sets up the Rust toolchain, initializes CodeQL for Rust, attempts to build the project automatically, and then runs the CodeQL analysis. Permissions are configured to grant read access to repository contents and actions and write access to security events, which is what allows CodeQL to upload its findings to the repository's Security tab.
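The triggers and permissions described above, written out around the same job steps as an added illustration (this is not the project's own codeql.yml). The cron expression is an assumption; the page only states that the scan runs weekly.

```yaml
# Added example, not the project's codeql.yml: the triggers and permissions
# the text describes, around the same job steps.
name: CodeQL

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 6 * * 1'   # assumed: weekly, Monday 06:00 UTC
  workflow_dispatch:

# Least privilege for the GITHUB_TOKEN: only what the scan needs.
# security-events: write is what lets the analyze step upload SARIF
# results to the repository's Security tab.
permissions:
  contents: read
  actions: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v5

      - name: Setup Rust
        uses: dtolnay/rust-toolchain@1.90

      - uses: github/codeql-action/init@v3
        with:
          languages: rust

      - uses: github/codeql-action/autobuild@v3

      - uses: github/codeql-action/analyze@v3
```

If the default token permissions are later tightened at the repository level, the explicit permissions block keeps the upload step working.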

Scope of Analysis

The analysis is scoped to Rust by specifying languages: rust during initialization. CodeQL uses its default, community-maintained queries for Rust, scanning the codebase for known security vulnerabilities and coding issues. No custom queries or additional configuration directories are present, so the analysis relies entirely on the standard set of checks CodeQL provides for Rust.

Integration in CI/CD Pipeline

CodeQL runs alongside other security and maintenance workflows. For example, a separate workflow (security.yml) runs tools such as cargo-deny, cargo-outdated, and cargo-dist to audit dependencies and distribution artifacts. This layered approach ensures that both the source code and its dependencies are regularly checked for vulnerabilities and outdated packages.

Workflow Diagram

This integration ensures that security analysis is an automated, repeatable part of the development process, providing early and continuous feedback on potential vulnerabilities in Rust code.