Deep dive into: LinkedIn Leverages GitHub Actions, CodeQL, and Semgrep for Code Scanning

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Unlock the full InfoQ experience by logging in! Stay updated with your favorite authors and topics, engage with content, and download exclusive resources.

Cory Benfield discusses the evolution of Swift from an app language to a critical tool for secure, high-scale services. He explains how Swift’s lack of a garbage collector eliminates tail latency and shares how its "zero-cost abstractions" rival C performance. He shares Apple’s roadmap for incremental adoption and demonstrates groundbreaking new interoperability for C++ and Java ecosystems.

Sub‑100-ms APIs emerge from disciplined architecture using latency budgets, minimized hops, async fan‑out, layered caching, circuit breakers, and strong observability. But long‑term speed depends on culture, with teams owning p99, monitoring drift, managing thread pools, and treating performance as a shared, continuous responsibility.

Sarah Usher discusses the architectural "breaking point" where warehouses like BigQuery struggle with latency and cost. She explains the necessity of a conceptual data lifecycle (Raw, Curated, Use Case) to regain control over lineage and innovation. She shares practical strategies to design a single source of truth that empowers both ML teams and analytics without bottlenecking scale.

Thiago Ghisi discusses the strategic evolution required to lead 100+ engineers without breaking the organization. He explains his "Three Levels of Impact" framework and shares practical lessons on speeding up decision-making, cultivating leadership teams, and building organizational resilience. Learn why he views reorgs as a continuous deployment feature rather than a one-time traumatic event.

As systems grow, observability becomes harder to maintain and incidents harder to diagnose. Agentic observability layers AI on existing tools, starting in read-only mode to detect anomalies and summarize issues. Over time, agents add context, correlate signals, and automate low-risk tasks. This approach frees engineers to focus on analysis and judgment.

InfoQ Homepage News LinkedIn Leverages GitHub Actions, CodeQL, and Semgrep for Code Scanning

Analysis & Development

Leela Kumili

LinkedIn has redesigned its static application security testing pipeline (SAST) to provide consistent, enforceable code scanning across a GitHub-based, multi-repository development environment. The initiative was a result of the company's shift-left strategy, which delivered fast, reliable, and actionable security feedback directly in pull requests, strengthening the security of LinkedIn's code and infrastructure and helping protect members and customers.

At a high level, SAST analyzes source code to identify potential vulnerabilities early in the development lifecycle. At LinkedIn's scale, legacy approaches that relied on multiple disconnected scanners and custom integrations resulted in uneven coverage, limited visibility into pipeline health, and friction for developers. The redesign aimed to standardize scanning, simplify adoption, and more deeply embed security into developer workflows without introducing bottlenecks.

At the start of the redesign, LinkedIn engineers established key guiding principles, prioritizing developer-first security to minimize workflow interruptions, extensibility to allow other teams to add rules or integrations, resilience to prevent failures from affecting developers, and observability to monitor coverage and performance at scale.

The new architecture leverages GitHub Actions to orchestrate two primary scanning engines, CodeQL and Semgrep, chosen for their complementary coverage and extensibility. LinkedIn engineers implemented custom workflows to manage rule execution, orchestrate scanning, and process results. Findings are normalized using the SARIF standard and enriched with metadata to provide clear remediation guidance and actionable context for both developers and security teams.

LinkedIn engineers initially aimed to use GitHub Required Workflows to enforce pipeline execution and schedule scans across tens of thousands of repositories, but the feature does not support scheduling or automatic deployment. Consequently, workflow files had to be pushed into each repository to propagate changes reliably, creating scale challenges.

To solve this, LinkedIn implemented a lightweight "stub workflow" in every repository that delegates execution to a centrally maintained workflow. This design allows updates to scanning logic, enforcement policies, and observability instrumentation to propagate instantly without modifying individual repositories. A Drift Management System continuously verifies the stub’s presence and configuration, while new repositories are automatically provisioned with it. The combined approach ensures consistent coverage and enforcement across LinkedIn’s multi-repository environment, maintaining reliability and developer workflow efficiency at scale.

Enforcement is handled through GitHub repository rulesets that block pull request merges until static analysis completes and vulnerabilities remain within acceptable risk thresholds. To prevent developer workflows from being disrupted during scanner outages or infrastructure failures, LinkedIn built multiple safety mechanisms, including kill switches and automated fallback behavior. In failure scenarios, empty SARIF reports are injected to unblock merges while still capturing telemetry for post-incident analysis.

Future Impact

We moved from a fragmented ecosystem to a unified, GitHub-native security pipeline that provides consistent coverage and actionable feedback without slowing developers down.

The SAST pipeline collects detailed execution metrics, failure reports, and adoption statistics, enabling security teams to monitor coverage, reliability, and organizational impact. LinkedIn notes that SAST is only one component of a broader application security strategy, which also includes dependency scanning and secret detection, forming an integrated approach to protecting both code and infrastructure.

A round-up of last week’s content on InfoQ sent out every Tuesday. Join a community of over 250,000 senior developers. View an example

A round-up of last week’s content on InfoQ sent out every Tuesday. Join a community of over 250,000 senior developers. View an example

Reliability rules have changed. At QCon London 2026, unlearn legacy patterns and get the blueprints from senior engineers scaling production AI today.

InfoQ.com and all content copyright © 2006-2026 C4Media Inc. Privacy Notice, Terms And Conditions, Cookie Policy

Source: View Original