Code Securty QL

Georges034302 · Georges034302 · commit e17ecb5390db · 2025-07-13T09:13:45.000Z
diff --git a/.github/codeql/queries/FindHardcodedSecrets.ql b/.github/codeql/queries/FindHardcodedSecrets.ql
@@ -18,7 +18,12 @@ predicate isSecretValue(string value) {
   value.regexpMatch("(?i)^(sk_.*|token_.*|apikey_.*|[a-zA-Z0-9+/=]{32,})")
 }
 
-from Field f, Expr::Literal lit
+from Field f, StringLiteral lit
+where
+  isSecretField(f) and
+  f.getInitializer() = lit and
+  isSecretValue(lit.getValue())
+select lit, "Hardcoded secret detected: '" + lit.getValue() + "' assigned to field '" + f.getName() + "'"
 from Field f, StringLiteral lit
 where
   isSecretField(f) and
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,25 +1,42 @@
 name: CodeQL Scan
+
 on:
   push:
     branches: [main]
   pull_request:
     branches: [main]
-    
+
 permissions:
   contents: read
   security-events: write
+
 jobs:
   analyze:
     name: CodeQL Analyze C#
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
+
       - uses: actions/setup-dotnet@v3
         with:
           dotnet-version: '8.0.x'
+
       - uses: github/codeql-action/init@v3
         with:
           languages: csharp
           config-file: .github/codeql/config.yml
+
       - run: dotnet build UserApp/UserApp.csproj --configuration Release
-      - uses: github/codeql-action/analyze@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:csharp"
+          output: results
+
+      - name: Upload SARIF
+        uses: actions/upload-artifact@v4
+        with:
+          name: codeql-results
+          path: results/csharp.sarif
+          retention-days: 5
diff --git a/README.md b/README.md
@@ -475,7 +475,7 @@ paths-ignore:
 
 > **Copilot Prompt:**  
 > Create a custom CodeQL query named `FindHardcodedSecrets.ql` for C# to detect hardcoded secrets.  
-> - Target fields that are initialized with string literals.  
+> - Target fields that are initialized with StringLiteral.  
 > - Match field names containing `apiKey`, `token`, `secret`, `password`, or `auth` (case-insensitive).  
 > - Match values that resemble secrets, such as those starting with `sk_`, `token_`, `apikey_`, or 32+ base64-like characters.  
 > - Use `Field` and `Literal` from the `csharp` CodeQL library.  
@@ -505,7 +505,12 @@ predicate isSecretValue(string value) {
   value.regexpMatch("(?i)^(sk_.*|token_.*|apikey_.*|[a-zA-Z0-9+/=]{32,})")
 }
 
-from Field f, Expr::Literal lit
+from Field f, StringLiteral lit
+where
+  isSecretField(f) and
+  f.getInitializer() = lit and
+  isSecretValue(lit.getValue())
+select lit, "Hardcoded secret detected: '" + lit.getValue() + "' assigned to field '" + f.getName() + "'"
 from Field f, StringLiteral lit
 where
   isSecretField(f) and
