Thoughts on IaC scanning using CodeQL #16015
kencrismoncw
started this conversation in
General
Replies: 1 comment
-
Wondering if there is any effort underway to leverage CodeQL for Infrastructure as Code (IaC) scanning. I am fairly certain GHAS Secrets scanning is already scanning IaC scripts for secrets, YAY. Wondering if it's worthwhile to try and roll out some CodeQL support for IaC scripts. I do see there is someone who did some custom work about 6 months ago: @colindembovsky at GitHub.com/colindembovsky/iac-codeql.
Thoughts?
-
Hey @kencrismoncw, my little repo was a demo of proof-of-concept work from @GeekMasher on this Action: https://github.com/advanced-security/codeql-extractor-iac. The CodeQL engine is technically capable of scanning IaC, and @GeekMasher built some of the primitives required to scan. However, there aren't a ton of queries. We'd love the community to contribute more queries so that this becomes more useful out of the box.