Talk
Beginner

CodeQL - The Open Source Engine Powering GitHub’s Security

Approved
  • Security is no longer optional in open source; it’s a shared responsibility woven into every stage of development.

  • This session introduces CodeQL, GitHub’s open-source static analysis engine that helps developers find vulnerabilities by understanding how their code behaves, not just what it looks like.

  • The talk explores how CodeQL powers GitHub Advanced Security (GHAS) to automatically scan millions of repositories, uncovering secrets, dependency risks, and logic flaws before they ever reach production.

  • By connecting these ideas with the DevSecOps mindset, the session demonstrates how FOSS projects can integrate security earlier in their workflows using both open-source CodeQL pipelines and GitHub’s advanced security capabilities.

  • Whether it’s securing the first pull request or maintaining a widely used FOSS library, the session highlights how open-source projects can embrace enterprise-grade security practices while preserving their community-driven spirit.

For Beginners:

  • Understand what CodeQL is and how it helps analyze vulnerabilities in your code.

  • Learn how to set up basic code scanning in a GitHub repo using free tools.

  • Get started with secure contribution practices — from pull requests to dependency checks.

For Maintainers:

  • See how GitHub Advanced Security (GHAS) automates scanning and secret detection.

  • Learn to interpret CodeQL analysis results and integrate them into CI/CD workflows.

  • Explore open-source alternatives for security automation (e.g., Semgrep, Trivy, Gitleaks).

For Everyone:

  • Understand how CodeQL bridges open-source and enterprise security.

  • Learn how security automation helps build trust and sustainability in open projects.

  • Get free resources and examples to practice static analysis locally.

Introducing a FOSS project or a new version of a popular project
Tutorial about using a FOSS project
Engineering practice - productivity, debugging
Technology architecture

Santhosh NC
Lead Infrastructure Consultant, Thoughtworks
https://www.linkedin.com/in/santhoshnc

Approvability: 100% (1 approval, 0 rejections, 0 not sure)

LGTM, although it'd be nice if the references included materials prepared by the speaker.

Reviewer #1
Approved