AutoQL

Hey all,

This is the inaugural post by Saramena Labs, and we will be discussing a tool that is near and dear to my heart: CodeQL.

Just a quick background on the tool. CodeQL started out at Semmle, which was purchased by GitHub. It is now integrated into all of GitHub’s security products, including their AI-based code audits.

One thing still missing from CodeQL is the generation of the queries themselves. GitHub publishes tons of CodeQL documentation and repositories, and even supplies professional services to develop custom queries, but the queries are still written by hand.

In a world where Gemini and ChatGPT can write an entire frontend/backend stack for someone who does not even know how to code, CodeQL query writing stands to be handled in a similar fashion for security researchers and corporate assurance teams.

I have written hundreds of CodeQL queries in my professional life, and I believe the only way to scale true regression and variant analysis across our code bases is to automate how we write CodeQL.

With that, I am introducing my new service: AutoQL.

AutoQL takes in four things:

  1. Code Repository
  2. Build instructions
  3. Snippet of an existing vulnerability within the code base
  4. Revision of the snippet within the Code Repository

We will email you a CodeQL query that finds the exact vulnerability you pasted in.

Try it out

Thanks for reading!