Summary
CodeQL is the analysis engine that provides the vast majority of our code scanning results. In Q4 of CY2021, we're aiming to release Ruby support in public beta.
Intended Outcome
Ruby is a very popular language, both within the open source community and with our enterprise customers. Building Ruby support for CodeQL means that we'll be able to flag security alerts in your Ruby codebases.
How will it work?
Analyzing Ruby codebases with CodeQL in code scanning will work much the same as scanning source code in the other languages we already support. After you've set up CodeQL analysis in an Actions workflow on a Ruby repository, the analysis job will be triggered as configured. As soon as the analysis is finished, CodeQL will export the results, which will then become visible to you in the "Security" tab and on pull requests.
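As an added illustration of the setup described above (this workflow is not part of the roadmap issue itself), here is a minimal code scanning workflow for a Ruby repository. It assumes the `v2` tags of `github/codeql-action` and `actions/checkout`, and a default branch named `main`; no build step is needed because CodeQL extracts Ruby source directly.

```yaml
# .github/workflows/codeql.yml (example, not from the roadmap issue)
name: "CodeQL (Ruby)"

on:
  push:
    branches: [ main ]          # assumed default branch
  pull_request:
    branches: [ main ]
  schedule:
    - cron: "0 6 * * 1"         # weekly run so new queries re-scan the code

jobs:
  analyze:
    name: Analyze Ruby
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write    # required to upload results to the Security tab

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      # Initialize CodeQL for Ruby; no autobuild step is required for an
      # interpreted language, the extractor reads the .rb files directly.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ruby

      # Run the queries and upload SARIF results; alerts then appear in the
      # "Security" tab and as annotations on pull requests.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
```

Pull requests from forks run with a read-only token, so the `security-events: write` permission only takes effect for pushes and same-repository pull requests.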
The public beta release of the Ruby analysis will be able to detect instances of the following vulnerabilities/security issues:
- SQL injection (CWE-089)
- ReDoS (regular expression denial-of-service, CWE-1333)
- Hard-coded credentials (CWE-798)
- CLI injection (A1:2017-Injection, CWE-078, CWE-088)
- XML entity expansion (CWE-611, CWE-827)
- Reflected cross-site scripting (XSS) (A7:2017-Cross-Site Scripting, CWE-079)
- Unsafe deserialization (CWE-502)
The CWE coverage will incrementally improve over time.