LinkedIn Leverages GitHub Actions, CodeQL, and Semgrep for Code Scanning

· Source: InfoQ · Field: Technology & Digital — Cybersecurity & Data Privacy, Software Development & Engineering, Cloud Computing & IT Infrastructure · Depth: Intermediate, quick

Summary

LinkedIn has redesigned its static application security testing (SAST) pipeline to ensure consistent and enforceable code scanning across its GitHub-based, multi-repository development environment. This initiative, part of a shift-left strategy, delivers rapid, reliable, and actionable security feedback directly within pull requests, enhancing the security of LinkedIn's code and infrastructure. The new architecture leverages GitHub Actions to orchestrate CodeQL and Semgrep as primary scanning engines, chosen for their complementary coverage and extensibility. Findings are normalized using the SARIF standard and enriched with metadata for clear remediation guidance. To address scale challenges with tens of thousands of repositories, LinkedIn implemented a "stub workflow" in each repository that delegates execution to a centrally maintained workflow, ensuring instant propagation of updates. Enforcement is managed via GitHub repository rulesets that block pull request merges until static analysis completes and vulnerabilities are within acceptable thresholds, with built-in resilience mechanisms to prevent developer workflow disruptions.

Key takeaway

For CTOs and VPs of Engineering managing large, multi-repository GitHub environments, LinkedIn's SAST pipeline redesign offers a blueprint for achieving consistent, scalable code security. You should consider adopting a centralized workflow delegation model via "stub workflows" and leveraging GitHub's native features like Actions and rulesets to embed security early in the development lifecycle without sacrificing developer velocity or introducing bottlenecks.

Key insights

LinkedIn modernized its SAST pipeline using GitHub Actions, CodeQL, and Semgrep for consistent, scalable, and developer-friendly code security.

Method

Implement a "stub workflow" in each repository that delegates execution to a centrally maintained workflow, allowing instant propagation of scanning logic and enforcement policies across a multi-repository environment.
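An added illustration of the stub pattern, not code from LinkedIn or the InfoQ article. The article does not name the GitHub mechanism behind the delegation, so this assumes GitHub's reusable workflows (`workflow_call`); the organisation, repository, file and job names, and the CodeQL language list, are hypothetical placeholders.

```yaml
# File 1 (hypothetical path): .github/workflows/sast.yml
# This is the stub that lives in every repository. It contains no scanning
# logic; it only delegates to the central workflow.
name: SAST
on:
  pull_request:

jobs:
  sast:
    # Pinning to the "main" branch is what gives instant propagation: any
    # change to the central workflow applies to every repository on its next
    # run. The trade-off is that the central repository becomes a trust
    # anchor, so restrict who can push to it. Pinning to a tag or SHA would
    # be safer against tampering but would require touching every stub.
    uses: example-org/security-workflows/.github/workflows/sast-central.yml@main
    secrets: inherit
    permissions:
      contents: read
      security-events: write   # needed to upload SARIF to code scanning
      actions: read

---
# File 2 (hypothetical path, in example-org/security-workflows):
# .github/workflows/sast-central.yml
# Centrally maintained; runs CodeQL and Semgrep and uploads both results as
# SARIF so findings from the two engines land in one place.
name: SAST (central)
on:
  workflow_call:

permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          # Hypothetical language list; pick the languages your org actually uses.
          languages: javascript-typescript, python
      - uses: github/codeql-action/analyze@v3
        with:
          # A distinct category per engine keeps the two SARIF uploads from
          # overwriting each other for the same commit.
          category: codeql

  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - name: Run Semgrep and emit SARIF
        # "--config auto" is an illustration; a real deployment would point at
        # a curated, centrally maintained ruleset.
        run: semgrep scan --config auto --sarif --output semgrep.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif
          category: semgrep
```

Enforcement then follows from the job names: a repository ruleset that requires the status checks `sast / codeql` and `sast / semgrep` (GitHub names a reusable workflow's checks as `<caller job> / <called job>`) blocks the merge until both engines have reported. Because the stub only references the central file, adding a third engine or tightening a rule is a single commit in `security-workflows`, with no change to any downstream repository.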

Best for: CTO, VP of Engineering/Data, Software Engineer, Security Engineer, DevOps Engineer


Editorial summary, takeaway, and curation by AIssential. Original article published by InfoQ.