Static Application Security Testing (SAST) is a critical practice in modern DevSecOps. While tools like SonarQube, Snyk, and Veracode are popular, this article focuses on GitHub CodeQL – a semantic code analysis engine that treats code as a database. We will apply it to a vulnerable Java Spring Boot application to detect SQL Injection and Path Traversal.
Unlike pattern-based scanners, CodeQL extracts your code into a relational database that includes abstract syntax trees, control flow graphs, and data flow graphs. Queries written against that database can follow tainted data from where it enters (a request parameter, for example) across functions, classes, and files to where it is used, which is what lets it report a real injection path rather than every string concatenation, drastically reducing false positives.
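To make the taint-tracking idea concrete, here is an added example of a CodeQL query in the shape the standard Java queries use; it is not code from the original article or from the CodeQL project itself, and the `@id` is an assumed placeholder. It declares remote inputs (which the CodeQL Java library models as `RemoteFlowSource`, covering Spring request parameters) as sources and SQL execution points (`QueryInjectionSink`) as sinks, then asks the global taint tracker for a path between them. The same shape, with the sink predicate swapped for a file-path sink, is how the path traversal case is detected.

```ql
/**
 * @name User input flows into a SQL query (added example)
 * @description A value read from an HTTP request reaches a JDBC/JPA query
 *              without passing through a sanitizer.
 * @kind path-problem
 * @problem.severity error
 * @id java/example/spring-sql-injection   // assumed placeholder id
 */

import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.QueryInjection

/** Taint configuration: remote (attacker-controlled) input to a SQL sink. */
module SqlInjectionConfig implements DataFlow::ConfigSig {
  // Sources: anything the library models as remote input, which includes
  // Spring MVC @RequestParam / @PathVariable values and request bodies.
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Sinks: string arguments of query-executing calls (JDBC Statement.execute*,
  // EntityManager.createQuery, and the other sinks the library models).
  predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
}

/** Global taint tracking: follows the value through calls, fields and concatenation. */
module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;

import SqlInjectionFlow::PathGraph

from SqlInjectionFlow::PathNode source, SqlInjectionFlow::PathNode sink
where SqlInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "This SQL query depends on a $@.", source.getNode(), "user-provided value"
```

Because `@kind path-problem` is declared, each result carries the full source-to-sink path, so a reviewer can see every hop the tainted string took before it reached the query rather than just the sink line. Building the controller with `PreparedStatement` parameters breaks the path at the sink and the result disappears, which is the check to run after applying a fix.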
Let's look at a simple REST API with two vulnerable endpoints.
File: UserController.java
package com.demo.controller;