Static Analysis

What Is This?

Overview

The Trail of Bits static analysis toolkit provides a structured approach to automated code security review using industry-standard tools including CodeQL, Semgrep, and the Static Analysis Results Interchange Format (SARIF). This toolkit bundles configuration, query libraries, and workflow templates that help engineering teams integrate static analysis into their development pipelines with minimal friction. Rather than requiring teams to build their own analysis infrastructure from scratch, it offers a curated set of rules and patterns derived from real-world security research.

At its core, the toolkit leverages CodeQL for deep semantic analysis of compiled languages, Semgrep for fast pattern-based scanning across many language ecosystems, and SARIF as the common output format that aggregates results from both tools. This combination allows teams to catch a wide range of vulnerability classes, from memory safety issues in C and C++ to injection flaws in Python and JavaScript. The unified SARIF output simplifies result management and integration with code review platforms such as GitHub Advanced Security.

The toolkit is maintained by Trail of Bits, a security engineering firm with extensive experience in vulnerability research and secure software development. Their curated rules reflect patterns discovered during real security audits, which means the checks go beyond generic linting and target issues that have caused actual security incidents.

Who Should Use This

• Security engineers who need to automate vulnerability detection across large codebases
• DevSecOps practitioners integrating security gates into CI/CD pipelines
• Software developers who want actionable feedback on security issues during code review
• Platform engineering teams standardizing static analysis tooling across multiple repositories
• Penetration testers who want to supplement manual review with automated scanning
• Open source maintainers seeking to improve the security posture of their projects

Why Use It?

Problems It Solves

• Manual code review cannot scale to cover every commit across large or fast-moving codebases, leaving security gaps that automated scanning can fill
• Different teams using different analysis tools produce incompatible result formats, making it difficult to aggregate findings and track remediation progress
• Generic static analysis rules generate excessive false positives, causing alert fatigue and reducing developer trust in the tooling
• Setting up CodeQL and Semgrep from scratch requires significant configuration effort, which this toolkit reduces through pre-built workflows and rule sets
• Security findings discovered late in the development cycle are expensive to fix, and early automated scanning shifts detection left

Core Highlights

• Pre-configured CodeQL queries targeting common vulnerability classes such as SQL injection, path traversal, and unsafe deserialization
• Semgrep rule sets covering multiple languages including Python, JavaScript, Go, Java, and C/C++
• SARIF output format enabling seamless integration with GitHub Advanced Security and other SARIF-compatible platforms
• Workflow templates for GitHub Actions that require minimal modification to deploy
• Rules derived from real security audits, reducing false positive rates compared to generic rule sets
• Support for custom rule development alongside the provided baseline

How to Use It?

Basic Usage

Clone the repository and run Semgrep with the provided rule sets against your codebase:

git clone https://github.com/trailofbits/semgrep-rules.git
semgrep --config semgrep-rules/ --sarif --output results.sarif ./src

For CodeQL analysis, initialize a database and run the provided query suite:

codeql database create mydb --language=python --source-root ./src
codeql database analyze mydb trailofbits-queries/ --format=sarif-latest --output=results.sarif

Specific Scenarios

CI/CD Integration: Add the provided GitHub Actions workflow template to your repository under .github/workflows/static-analysis.yml. The workflow triggers on pull requests, runs both Semgrep and CodeQL, and uploads SARIF results to the GitHub Security tab automatically.

Incremental Scanning: Use Semgrep with the --baseline-commit flag to scan only changed files, reducing scan time on large repositories while maintaining coverage on modified code.

Real-World Examples

A team maintaining a Python web application can run the Semgrep rules to detect Flask route handlers that pass unsanitized user input to database queries. A Go service team can use CodeQL to identify goroutine leaks and unsafe pointer operations before they reach production.

When to Use It?

Use Cases

• Pre-merge security checks on pull requests
• Scheduled nightly scans of main branches
• Security audits of third-party code before integration
• Compliance verification against secure coding standards
• Onboarding new codebases to establish a security baseline
• Regression testing after security patches

Important Notes

Requirements

• CodeQL CLI version 2.x or later installed locally or available in CI runners
• Semgrep version 1.x or later
• Python 3.8 or later for certain helper scripts in the toolkit