├── AWS CodeBuild └── buildspec_codeql.yml ├── Azure Pipelines ├── Azure-Pipelines-template-linux-with-indirect-build-tracing.yml ├── Azure-Pipelines-template-linux.yml ├── Azure-Pipelines-template-windows-with-indirect-build-tracing.yml └── Azure-Pipelines-template-windows.yml ├── CHANGELOG.md ├── CODEOWNERS ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── CircleCI ├── CircleCI-template-linux.yml ├── CircleCI-template-windows.yml └── README.md ├── DroneCI ├── CodeQL-Docker.yml └── README.md ├── Jenkins ├── Jenkinsfile-template-linux ├── Jenkinsfile-template-linux-multibranch ├── Jenkinsfile-template-linux-with-indirect-build-tracing ├── Jenkinsfile-template-windows ├── Jenkinsfile-template-windows-with-indirect-build-tracing └── ReadMes │ └── Jenkinsfile-template-linux-multibranch.md ├── LICENSE ├── PRIVACY.md ├── README.md ├── SECURITY.md ├── SUPPORT.md ├── Tekton ├── codeql-task.yml ├── example-pipeline.yml └── example-pipelinerun.yml ├── TravisCI ├── TravisCI-template-linux.yml └── TravisCI-template-windows.yml ├── _deprecated ├── Azure-Pipelines-template-with-codeql-runner.yml ├── CircleCI-template-with-codeql-runner.yml ├── Jenkinsfile-template-with-codeql-runner └── TravisCI-template-with-codeql-runner.yml └── harness └── codeql-scan.yaml /AWS CodeBuild/buildspec_codeql.yml: -------------------------------------------------------------------------------- 1 | 2 | version: 0.2 3 | env: 4 | git-credential-helper: yes 5 | exported-variables: 6 | - PROJECT_NAME 7 | - PROJECT_ROOT_DIRECTORY 8 | - GITHUB_ORG 9 | - GIT_REPO_NAME 10 | - CODEQLDB 11 | - CODEQL_LANG 12 | - UPLOAD_TOKEN 13 | - COMMIT_ID 14 | phases: 15 | install: 16 | commands: 17 | - echo "Entered the CodeQL CLI install phase..." 
18 | - echo "Installing the CodeQL CLI" 19 | - (cd /opt; wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz && tar -xvzf ./codeql-bundle-linux64.tar.gz) 20 | - export PATH=/opt/codeql:$PATH 21 | - echo "testing codeql cli installation by codeql resolve qlpacks" 22 | - codeql resolve qlpacks 23 | pre_build: 24 | commands: 25 | - echo "Entered the pre_build phase..." 26 | - echo "Create codeql database sub directory" 27 | - mkdir -p /${CODEQLDB}/${GIT_REPO_NAME} 28 | - echo "create codeql database..." 29 | - codeql database create /${CODEQLDB}/${GIT_REPO_NAME} --language=${CODEQL_LANG} --command "" --source-root $CODEBUILD_SRC_DIR 30 | build: 31 | on-failure: ABORT 32 | commands: 33 | - echo "Entered the Build phase..." 34 | - echo Build started on `date` 35 | 36 | - echo `pwd` 37 | - ls -lart 38 | 39 | #running codeql analysis 40 | - echo "Running CodeQL Analysis" 41 | - codeql database analyze /${CODEQLDB}/${GIT_REPO_NAME} --sarif-category=${CODEQL_LANG} --format=sarifv2.1.0 --output=/tmp/${GIT_REPO_NAME}.sarif --verbose 42 | - sleep 60 43 | - echo "Uploading CodeQL Sarif File to GitHub" 44 | - (codeql github upload-results --repository=${GITHUB_ORG}/${GIT_REPO_NAME} --ref=refs/heads/main --commit=${COMMIT_ID} --sarif=/tmp/${GIT_REPO_NAME}.sarif --github-url=https://github.com --github-auth-stdin) 45 | artifacts: 46 | files: 47 | - '**/*' 48 | -------------------------------------------------------------------------------- /Azure Pipelines/Azure-Pipelines-template-linux-with-indirect-build-tracing.yml: -------------------------------------------------------------------------------- 1 | # This sample YAML file shows how to configure an Azure Pipeline to analyze a repository using the CodeQL CLI Bundle 2 | # This example assumes a Linux environment and takes advantage of indirect build tracing ("sandwich mode") to leverage an existing set of build command 3 | 4 | # Use this when a repository is stored in GitHub 5 | # To 
run Codeql in azure repos see: https://learn.microsoft.com/en-us/azure/devops/repos/security/github-advanced-security-code-scanning?view=azure-devops 6 | 7 | # The pipeline needs to have a variable called GITHUB_TOKEN (don't forget to set it as secret) 8 | # This secret will contain a personal access token, either classic or fine-grained (fine-grained is preferred) 9 | # The Classic token requires the following scopes: Repo 10 | # The fine-grained token requires the following permissions: Code scanning alerts (read and write) 11 | 12 | # Adapt the trigger to your needs 13 | trigger: 14 | branches: 15 | include: 16 | - '*' 17 | paths: 18 | exclude: 19 | - test/* 20 | - doc/* 21 | - lib/* 22 | include: 23 | - src/* 24 | 25 | variables: 26 | # Language to scan. Possible values 27 | # cpp, csharp, go, java, javascript, python, ruby, swift 28 | language: java 29 | 30 | stages: 31 | - stage: 32 | jobs: 33 | - job: 34 | displayName: CodeQL analyze 35 | 36 | pool: 37 | vmImage: 'ubuntu-latest' 38 | workspace: 39 | clean: all 40 | steps: 41 | 42 | # OPTIONAL: Download CodeQL CLI Bundle 43 | # The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline, 44 | # or pre-downloaded and placed on the CI/CD build machine(s). In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from 45 | # https://github.com/github/codeql-action/releases, extract it and place it on the PATH. For reproducible, tamper-evident builds, prefer pinning a specific bundle release and verifying the downloaded archive's checksum against a known-good value before extracting it, rather than fetching "latest". 
46 | - script: | 47 | wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz \ 48 | -O ../codeql-bundle-linux64.tar.gz \ 49 | --show-progress \ 50 | --progress=dot:mega 51 | 52 | tar xzvf ../codeql-bundle-linux64.tar.gz -C ../ 53 | rm ../codeql-bundle-linux64.tar.gz 54 | 55 | # Make sure CLI is on the path 56 | cli_path="$(cd ..; pwd)/codeql" 57 | echo "##vso[task.prependpath]$cli_path" 58 | 59 | sarif_file=$(mktemp) 60 | 61 | echo "##vso[task.setvariable variable=sarif_file;]$sarif_file" 62 | displayName: Download CodeQL CLI Bundle 63 | 64 | # Initialize CodeQL 65 | # Create a skeleton structure for a CodeQL database that doesn’t have a raw QL dataset yet, but is ready for running extractor steps 66 | # Prior to running any build commands, the generated scripts containing environment variables must be sourced. 67 | # Full documentation for database init step: https://codeql.github.com/docs/codeql-cli/manual/database-init/ 68 | - script: | 69 | # You may need to change --source-root if checking out multiple repositories 70 | codeql database init db --language="$(language)" --source-root="$(Build.SourcesDirectory)" --begin-tracing 71 | displayName: Initialize CodeQL database 72 | 73 | - script: | 74 | # Starts tracing and exports to the rest of the pipeline any environment variable it has been 75 | # defined by the start-tracing script 76 | env_before=$(printenv | cut -d '=' -f 1 | sort) 77 | . db/temp/tracingEnvironment/start-tracing.sh 78 | env_after=$(printenv | cut -d '=' -f 1 | sort) 79 | 80 | comm -13 <(echo "$env_before") <(echo "$env_after") | while read -r env_name; do 81 | echo "##vso[task.setvariable variable=$env_name;]${!env_name}" 82 | done 83 | displayName: Start CodeQL tracing 84 | 85 | # Insert here your build steps. 
86 | # Adding a java build as an example 87 | - script: | 88 | mvn clean install -DskipTests=true 89 | displayName: Build Java Application 90 | 91 | # Finalize a database that was created with codeql database init and subsequently seeded with analysis data using codeql database trace-command. 92 | # This needs to happen before the new database can be queried. 93 | # Full documentation for database finalize step: https://codeql.github.com/docs/codeql-cli/manual/database-finalize/ 94 | - script: | 95 | codeql database finalize db 96 | displayName: Finalize CodeQL database 97 | 98 | # Analyze CodeQL Database 99 | # Analyze a CodeQL database, producing meaningful results in the context of the source code. 100 | # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format. 101 | # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality 102 | # Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/ 103 | - script: | 104 | codeql database analyze \ 105 | --format=sarif-latest \ 106 | --sarif-category="$(language)" \ 107 | --sarif-add-baseline-file-info \ 108 | --output="$(sarif_file)" \ 109 | db $(language)-security-and-quality.qls 110 | displayName: Analyze CodeQL Database 111 | 112 | # Upload results to GitHub 113 | # Uploads a SARIF file to GitHub code scanning. 114 | # For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data 115 | # A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set. 116 | # This token must have the security\_events scope. 
117 | # Documentation for creating GitHub Apps or Personal Access Tokens is available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 118 | # Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/ 119 | - script: | 120 | echo "" 121 | codeql github upload-results \ 122 | --sarif="$(sarif_file)" \ 123 | --github-url=https://github.com/ \ 124 | --repository="$(Build.Repository.Name)" \ 125 | --ref="$(Build.SourceBranch)" \ 126 | --commit="$(Build.SourceVersion)" 127 | displayName: Upload results to GitHub $(Build.Repository.Name) 128 | env: 129 | GITHUB_TOKEN: $(GITHUB_TOKEN) 130 | 131 | -------------------------------------------------------------------------------- /Azure Pipelines/Azure-Pipelines-template-linux.yml: -------------------------------------------------------------------------------- 1 | # This sample YAML file shows how to configure an Azure Pipeline to analyze a repository using the CodeQL CLI Bundle 2 | # When a repository is stored in GitHub 3 | # To run Codeql in azure repos see: https://learn.microsoft.com/en-us/azure/devops/repos/security/github-advanced-security-code-scanning?view=azure-devops 4 | # This example assumes a Linux environment 5 | 6 | # The pipeline needs to have a variable called GITHUB_TOKEN (don't forget to set it as secret) 7 | # This secret will contain a personal access token, either classic or fine-grained (fine-grained is preferred) 8 | # The Classic token requires the following scopes: Repo 9 | # The fine-grained token requires the following permissions: Code scanning alerts (read and write) 10 | 11 | # Adapt the trigger to your needs 12 | trigger: 13 | branches: 14 | include: 15 | - '*' 16 | paths: 17 | exclude: 18 | - test/* 19 | - doc/* 20 | - lib/* 21 | include: 22 | - src/* 23 | 24 | variables: 25 | # Language to scan. 
Possible values 26 | # cpp, csharp, go, java, javascript, python, ruby, swift 27 | language: javascript 28 | 29 | stages: 30 | - stage: 31 | jobs: 32 | - job: 33 | displayName: CodeQL analyze 34 | 35 | pool: 36 | vmImage: 'ubuntu-latest' 37 | workspace: 38 | clean: all 39 | steps: 40 | 41 | # OPTIONAL: Download CodeQL CLI Bundle 42 | # The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline, 43 | # or pre-downloaded and placed on the CI/CD build machine(s). In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from 44 | # https://github.com/github/codeql-action/releases, extract it and place it on the PATH. For reproducible, tamper-evident builds, prefer pinning a specific bundle release and verifying the downloaded archive's checksum against a known-good value before extracting it, rather than fetching "latest". 45 | - script: | 46 | wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz \ 47 | -O ../codeql-bundle-linux64.tar.gz \ 48 | --show-progress \ 49 | --progress=dot:mega 50 | 51 | tar xzvf ../codeql-bundle-linux64.tar.gz -C ../ 52 | rm ../codeql-bundle-linux64.tar.gz 53 | 54 | # Make sure CLI is on the path 55 | cli_path="$(cd ..; pwd)/codeql" 56 | echo "##vso[task.prependpath]$cli_path" 57 | 58 | sarif_file=$(mktemp) 59 | 60 | echo "##vso[task.setvariable variable=sarif_file;]$sarif_file" 61 | displayName: Download CodeQL CLI Bundle 62 | 63 | # Create CodeQL Database 64 | # Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products. 65 | # Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used. For complex build instructions, consider placing build commands inside a script 66 | # and pass that to --command, or use indirect build tracing (aka. "sandwich mode"). 
67 | # Full documentation for database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/ 68 | - script: | 69 | codeql database create db \ 70 | --language=$(language) \ 71 | --github-url=https://github.com/ 72 | 73 | displayName: Create CodeQL Database 74 | 75 | # Analyze CodeQL Database 76 | # Analyze a CodeQL database, producing meaningful results in the context of the source code. 77 | # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format. 78 | # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality 79 | # Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/ 80 | - script: | 81 | codeql database analyze \ 82 | --format=sarif-latest \ 83 | --sarif-category="$(language)" \ 84 | --sarif-add-baseline-file-info \ 85 | --output="$(sarif_file)" \ 86 | db $(language)-security-and-quality.qls 87 | displayName: Analyze CodeQL Database 88 | 89 | # Upload results to GitHub 90 | # Uploads a SARIF file to GitHub code scanning. 91 | # For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data 92 | # A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set. 93 | # This token must have the security\_events scope. 
94 | # Documentation for creating GitHub Apps or Personal Access Tokens are available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 95 | # Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/ 96 | - script: | 97 | echo "" 98 | codeql github upload-results \ 99 | --sarif="$(sarif_file)" \ 100 | --github-url=https://github.com/ \ 101 | --repository="$(Build.Repository.Name)" \ 102 | --ref="$(Build.SourceBranch)" \ 103 | --commit="$(Build.SourceVersion)" 104 | displayName: Upload results to GitHub $(Build.Repository.Name) 105 | env: 106 | GITHUB_TOKEN: $(GITHUB_TOKEN) 107 | 108 | -------------------------------------------------------------------------------- /Azure Pipelines/Azure-Pipelines-template-windows-with-indirect-build-tracing.yml: -------------------------------------------------------------------------------- 1 | # This sample YAML file shows how to configure an Azure Pipeline to analyze a repository using the CodeQL CLI Bundle 2 | # 3 | # It assumes a Windows environment and use indirect build tracing ("sandwich mode") around an existing set of build commands 4 | # 5 | # It requires: 6 | # - PowerShell Core to be on the Pipeline image 7 | # - a GitHub access token to be set in the pipeline Variables as a secret variable 8 | # - Advanced Security to be enabled on the GitHub repository 9 | 10 | # ℹ️ You will need to replace parts of this pipeline with your own triggers, preparatory Tasks and build Task, etc. 
marked with pointing hands 👉 11 | # You may also wish to edit the query suite/language as appropriate on line 164 12 | 13 | # ***** replace this 👇 with your actual triggers; these are just examples ****** 14 | trigger: 15 | branches: 16 | include: 17 | - '*' 18 | paths: 19 | exclude: 20 | - test/* 21 | - doc/* 22 | - lib/* 23 | include: 24 | - src/* 25 | # ***** replace this 👆 with your actual triggers; these are just examples ****** 26 | 27 | # ***** replace this 👇 with your actual resources; these are just examples. This can be defined outside of the pipeline YAML ****** 28 | resources: 29 | repositories: 30 | - repository: templates 31 | type: github 32 | name: octo-org/example-repo-2 33 | endpoint: octo-org 34 | # ***** replace this 👆 with your actual resources; these are just examples. This can be defined outside of the pipeline YAML ****** 35 | 36 | # ***** replace this 👇 with your real stage/job details; this is just an example ****** 37 | stages: 38 | - stage: __default 39 | jobs: 40 | - job: Job 41 | workspace: 42 | clean: all 43 | pool: 44 | vmImage: 'windows-latest' # 👈 replace this with your own required pool, ensuring that PowerShell Core is installed on the image 45 | # ***** replace this 👆 with your real stage/job details; this is just an example ****** 46 | 47 | steps: 48 | - checkout: self 49 | fetchTags: true 50 | 51 | # Preparatory tasks 52 | # These are outside of the CodeQL instrumentation 53 | # ***** replace this 👇 with your actual pre-build tasks ****** 54 | - task: PowerShell@2 55 | displayName: Pre-build task 56 | inputs: 57 | targetType: inline 58 | pwsh: true 59 | script: | 60 | echo "Pre-build task" 61 | # ***** replace this 👆 with your actual pre-build tasks ****** 62 | 63 | # Download CodeQL 64 | - task: PowerShell@2 65 | displayName: Download CodeQL CLI Bundle 66 | inputs: 67 | targetType: inline 68 | pwsh: true 69 | script: | 70 | Invoke-WebRequest 
https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-win64.tar.gz -OutFile ../codeql-bundle-win64.tar.gz 71 | tar xzvf ../codeql-bundle-win64.tar.gz -C ../ 72 | del ../codeql-bundle-win64.tar.gz 73 | cd ../ 74 | $sep = [IO.Path]::DirectorySeparatorChar 75 | echo "##vso[task.prependpath]${pwd}${sep}codeql" 76 | 77 | # Initialize CodeQL 78 | # Create a skeleton structure for a CodeQL database that doesn’t have a raw QL dataset yet, but is ready for running extractor steps 79 | # Prior to running any build commands, the generated scripts containing environment variables must be sourced. 80 | # Full documentation for database init step: https://codeql.github.com/docs/codeql-cli/manual/database-init/ 81 | - task: PowerShell@2 82 | displayName: Initialize CodeQL database 83 | inputs: 84 | # Assumes the source code is checked out to the current working directory. 85 | # Creates a database at `/db`. 86 | # Running on Windows, so specifies a trace process level. 87 | # Alternatively, pass the flag --trace-process-mode=azure-pipelines to codeql database init to trace a build command in a pipeline job that runs in a Windows container. It will also do the right thing for a pipeline job on Windows that does not run in a container. 88 | targetType: inline 89 | pwsh: true 90 | script: | 91 | codeql database init --language csharp --trace-process-name Agent.Worker.exe --source-root . --begin-tracing db 92 | 93 | # Source environment variables 94 | # Read the generated environment variables and values, and set them so they are available for subsequent commands in the build pipeline. This is done in PowerShell in this example. 
95 | - task: PowerShell@2 96 | displayName: Set CodeQL environment variables 97 | inputs: 98 | targetType: inline 99 | pwsh: true 100 | script: | 101 | $json = Get-Content $(System.DefaultWorkingDirectory)/db/temp/tracingEnvironment/start-tracing.json | ConvertFrom-Json 102 | $json.PSObject.Properties | ForEach-Object { 103 | $template = "##vso[task.setvariable variable=" 104 | $template += $_.Name 105 | $template += "]" 106 | $template += $_.Value 107 | echo "$template" 108 | } 109 | 110 | # Run build commands 111 | # ***** replace this 👇 with your actual build command ****** 112 | # In this example, we have a simple C# application built using VSBuild. 113 | - task: VSBuild@1 114 | displayName: Visual Studio Build 115 | inputs: 116 | solution: '**/*.sln' 117 | # Disable MSBuild shared compilation for C# builds. 118 | msbuildArgs: /p:OutDir=$(Build.ArtifactStagingDirectory) /p:UseSharedCompilation=false 119 | platform: Any CPU 120 | configuration: Release 121 | # Execute a clean build, in order to remove any existing build artifacts prior to the build. 122 | clean: True 123 | # ***** replace this 👆 with your actual build command ****** 124 | 125 | # Read and set the generated environment variables to end build tracing. This is done in PowerShell in this example. 126 | - task: PowerShell@2 127 | displayName: Clear CodeQL environment variables 128 | inputs: 129 | targetType: inline 130 | pwsh: true 131 | script: | 132 | $json = Get-Content $(System.DefaultWorkingDirectory)/db/temp/tracingEnvironment/end-tracing.json | ConvertFrom-Json 133 | $json.PSObject.Properties | ForEach-Object { 134 | $template = "##vso[task.setvariable variable=" 135 | $template += $_.Name 136 | $template += "]" 137 | $template += $_.Value 138 | echo "$template" 139 | } 140 | 141 | # Finalize CodeQL Database 142 | # Finalize a database that was created with codeql database init and subsequently seeded with analysis data using codeql database trace-command. 
143 | # This needs to happen before the new database can be queried. 144 | # Full documentation for database finalize step: https://codeql.github.com/docs/codeql-cli/manual/database-finalize/ 145 | - task: PowerShell@2 146 | displayName: Finalize CodeQL database 147 | inputs: 148 | targetType: inline 149 | pwsh: true 150 | script: | 151 | codeql database finalize db 152 | 153 | # Analyze CodeQL Database 154 | # Analyze a CodeQL database, producing meaningful results in the context of the source code. 155 | # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format. 156 | # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality 157 | # Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/ 158 | - task: PowerShell@2 159 | displayName: Analyze CodeQL Database 160 | inputs: 161 | targetType: inline 162 | pwsh: true 163 | # edit the query suite/language as appropriate 👇 164 | script: | 165 | codeql database analyze db csharp-security-and-quality.qls --format=sarif-latest --output="$(Agent.TempDirectory)"/results-csharp.sarif 166 | 167 | # Upload results to GitHub 168 | # Uploads a SARIF file to GitHub code scanning. 
169 | # For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data 170 | # A GitHub Apps token or personal access token must be set, by setting a secret Variable in the Azure DevOps Pipeline, called GITHUB_TOKEN 171 | # This token must have the security_events scope, for classic tokens, or be given read & write "Code scanning alerts" permission for a fine-grained access token 172 | # Documentation for creating GitHub Apps or Personal Access Tokens are available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 173 | # Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/ 174 | - task: PowerShell@2 175 | displayName: Upload results to GitHub 176 | env: 177 | GITHUB_TOKEN: $(GITHUB_TOKEN) 178 | inputs: 179 | targetType: inline 180 | pwsh: true 181 | script: | 182 | codeql github upload-results --sarif="$(Agent.TempDirectory)"/results-csharp.sarif --github-url=https://github.com/ --repository="$(Build.Repository.Name)" --ref="$(Build.SourceBranch)" --commit="$(Build.SourceVersion)" 183 | -------------------------------------------------------------------------------- /Azure Pipelines/Azure-Pipelines-template-windows.yml: -------------------------------------------------------------------------------- 1 | # This sample YAML file shows how to configure an Azure Pipeline to analyze a repository using the CodeQL CLI Bundle 2 | # This example assumes a Windows environment 3 | 4 | trigger: 5 | branches: 6 | include: 7 | - '*' 8 | paths: 9 | exclude: 10 | - test/* 11 | - doc/* 12 | - lib/* 13 | include: 14 | - src/* 15 | resources: 16 | repositories: 17 | - repository: templates 18 | type: github 19 | name: octo-org/example-repo-2 20 | endpoint: octo-org 21 | 22 | stages: 23 | - stage: __default 24 | jobs: 25 | - job: Job 26 | workspace: 27 | clean: all 28 | steps: 29 | 30 | # OPTIONAL: 
Download CodeQL CLI Bundle 31 | # The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline, 32 | # or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace \path\to\cli in subsequent stages with the absolute path to the download location. 33 | # In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases, extract it and place it on the PATH. For reproducible, tamper-evident builds, prefer pinning a specific bundle release and verifying the downloaded archive's checksum against a known-good value before extracting it, rather than fetching "latest". 34 | - task: PowerShell@2 35 | displayName: Download CodeQL CLI Bundle 36 | inputs: 37 | targetType: inline 38 | script: > 39 | wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-win64.tar.gz -O ..\codeql-bundle-win64.tar.gz 40 | tar xzvf ..\codeql-bundle-win64.tar.gz -C ..\ 41 | del ..\codeql-bundle-win64.tar.gz 42 | cd ..\; set PATH=%cd%\codeql;%PATH% 43 | } 44 | } 45 | 46 | # Create CodeQL Database 47 | # Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products. 48 | # Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used. For complex build instructions, consider placing build commands inside a script 49 | # and pass that to --command, or use indirect build tracing (aka. "sandwich mode"). 50 | # Full documentation for database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/ 51 | - task: CmdLine@2 52 | displayName: Create CodeQL Database 53 | inputs: 54 | script: "codeql database create --language=javascript --github-auth-stdin --github-url=https://github.com/ --source-root \checkouts\my-repo db" 55 | 56 | # Analyze CodeQL Database 57 | # Analyze a CodeQL database, producing meaningful results in the context of the source code. 
58 | # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format. 59 | # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality 60 | # Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/ 61 | - task: CmdLine@2 62 | displayName: Analyze CodeQL Database 63 | inputs: 64 | script: "codeql database analyze --format=sarif-latest --output=.\temp\results-js.sarif db javascript-security-and-quality.qls" 65 | 66 | # Upload results to GitHub 67 | # Uploads a SARIF file to GitHub code scanning. 68 | # For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data 69 | # A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Note that the flag only tells the CLI to read the token from stdin: the token must actually be written to the command's standard input (for example, piped from a secret pipeline variable), otherwise the upload will not authenticate. Alternatively, the GITHUB_TOKEN environment variable can be set. 70 | # This token must have the security_events scope. 
71 | # Documentation for creating GitHub Apps or Personal Access Tokens are available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 72 | # Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/ 73 | - task: CmdLine@2 74 | displayName: Upload results to GitHub 75 | inputs: 76 | script: "codeql github upload-results --sarif=.\temp\results-js.sarif --github-auth-stdin --github-url=https://github.com/ --repository=octo-org/example-repo-2 --ref=refs/heads/main --commit=deb275d2d5fe9a522a0b7bd8b6b6a1c939552718" 77 | 78 | # Other tasks go here 79 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # CHANGELOG 2 | 3 | ## 1.0.0 - 2023-04-19 4 | 5 | * Added supporting documentation 6 | 7 | ## Legacy 8 | 9 | The CodeQL Runner has been deprecated as of version 2.6.2 of the CodeQL CLI. All functionality is now natively available in the CodeQL CLI. 10 | 11 | Please use the CodeQL CLI Bundle instead of the CodeQL Runner. To migrate, follow the [Migrating from the CodeQL Runner to the CodeQL CLI Bundle](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/migrating-from-the-codeql-runner-to-codeql-cli) guide. 12 | 13 | The legacy template files for the CodeQL Runner can be found in the `_deprecated` folder. 
14 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | # This project is maintained by: 2 | * @kllund 3 | * @geekmasher 4 | * @leftrightleft 5 | * @aegilops 6 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, gender identity and expression, level of experience, 9 | nationality, personal appearance, race, religion, or sexual identity and 10 | orientation. 11 | 12 | ## Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | * Using welcoming and inclusive language 18 | * Being respectful of differing viewpoints and experiences 19 | * Gracefully accepting constructive criticism 20 | * Focusing on what is best for the community 21 | * Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | * The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | * Trolling, insulting/derogatory comments, and personal or political attacks 28 | * Public or private harassment 29 | * Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | * Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ## Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the standards of acceptable 37 
| behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 39 | 40 | Project maintainers have the right and responsibility to remove, edit, or 41 | reject comments, commits, code, wiki edits, issues, and other contributions 42 | that are not aligned to this Code of Conduct, or to ban temporarily or 43 | permanently any contributor for other behaviors that they deem inappropriate, 44 | threatening, offensive, or harmful. 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | ## Enforcement 56 | 57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 58 | reported by contacting the project team at opensource@github.com. All 59 | complaints will be reviewed and investigated and will result in a response that 60 | is deemed necessary and appropriate to the circumstances. The project team is 61 | obligated to maintain confidentiality with regard to the reporter of an incident. 62 | Further details of specific enforcement policies may be posted separately. 63 | 64 | Project maintainers who do not follow or enforce the Code of Conduct in good 65 | faith may face temporary or permanent repercussions as determined by other 66 | members of the project's leadership. 
67 | 68 | ## Attribution 69 | 70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 71 | available at [http://contributor-covenant.org/version/1/4][version] 72 | 73 | [homepage]: http://contributor-covenant.org 74 | [version]: http://contributor-covenant.org/version/1/4/ 75 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | ## Security 4 | 5 | For security issues, see [SECURITY](SECURITY.md). 6 | 7 | ## Bugs and issues 8 | 9 | Please raise non-security bugs and suggestions in the Issues on the GitHub-hosted repository. 10 | 11 | ## Developing 12 | 13 | Please test changes to pipeline files before submitting. 14 | 15 | ## Submitting changes 16 | 17 | Please fork the repository, and raise a Pull Request (PR) for review. Please sign your commits. 18 | 19 | Remember to update the [README](README.md) and [CHANGELOG](CHANGELOG.md). 20 | 21 | Your changes must be acceptable under the [LICENSE](LICENSE.md) of the project. 22 | 23 | ## Code of conduct 24 | 25 | Follow the [Code of Conduct](CODE_OF_CONDUCT.md). 26 | -------------------------------------------------------------------------------- /CircleCI/CircleCI-template-linux.yml: -------------------------------------------------------------------------------- 1 | # This sample config.yml shows how to configure a CircleCI workflow to analyze a repository using the CodeQL CLI 2 | # The example assumes a simple javascript application built using node on Linux 3 | 4 | # Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token stored as pipeline variable GITHUB_TOKEN 5 | # Currently this workflow runs on commit, you will need to setup triggers for workflow to run on certain branches, PR, scheduled, etc. 
6 | 7 | # GitHub Docs "Running CodeQL CLI in your CI System" - https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-cli-in-your-ci-system 8 | 9 | orbs: # declare what orbs we are going to use 10 | node: circleci/node@4.5.0 # the node orb provides common node-related configuration 11 | 12 | version: 2.1 13 | jobs: 14 | codeql: 15 | docker: 16 | - image: 'cimg/base:2021.05' 17 | resource_class: xlarge # https://circleci.com/docs/2.0/configuration-reference/#docker-executor 18 | steps: 19 | - checkout: { path: "my-app" } # checkout codebase in own directory, separate from codeql cli bundle so it does not analyze itself 20 | - node/install 21 | - run: 22 | # OPTIONAL: Download CodeQL CLI Bundle 23 | # The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be download as par of the pipeline, 24 | # or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace /path/to/cli in subsequent stages with the absolute path to the download location. 25 | # In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases. 26 | name: Download CodeQL CLI 27 | command: | 28 | wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz -O codeql-bundle-linux64.tar.gz 29 | tar xzvf codeql-bundle-linux64.tar.gz 30 | rm codeql-bundle-linux64.tar.gz 31 | export PATH=$(pwd)/codeql:$PATH 32 | # Make a note of the current directory here and use that for /path/to/cli in subsequent stages 33 | # You can add the extracted codeql bundle to your PATH. Ex: PATH=/path/to/cli:$PATH 34 | - run: 35 | # Create CodeQL Database 36 | # Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products. 
37 | # Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used. 38 | # Full documentation for database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/ 39 | name: Create CodeQL Database 40 | # REF command: ''/path/to/cli/codeql database create --language= [--source-root=] [--threads=] [--command=] [--mode=] ... [--] '' 41 | command: | 42 | mkdir codeql-dbs 43 | ./codeql/codeql database create ./codeql-dbs/repo-db --language=javascript --source-root=./my-app 44 | - run: 45 | # Analyze CodeQL Database 46 | # Analyze a CodeQL database, producing meaningful results in the context of the source code. 47 | # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format. 48 | # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality 49 | # Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/ 50 | name: Analyze CodeQL Database 51 | # REF command: '/path/to/cli/codeql database analyze --format= --output= [--threads=] [--ram=] ... [--] ...' 52 | command: | 53 | cd codeql && mkdir temp 54 | ./codeql database analyze ../codeql-dbs/repo-db javascript-code-scanning.qls --format=sarif-latest --output=./temp/results-js.sarif 55 | 56 | # Upload results to GitHub 57 | 58 | # Uploads a SARIF file to GitHub code scanning. 59 | # For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data 60 | # A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB\_TOKEN environment variable can be set. 61 | # This token must have the security\_events scope. 
# Documentation for creating GitHub Apps or Personal Access Tokens is available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
stored as pipeline variable GITHUB_TOKEN 5 | # Currently this workflow runs on commit, you will need to setup triggers for workflow to run on certain branches, PR, scheduled, etc. 6 | 7 | # GitHub Docs "Running CodeQL CLI in your CI System" - https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-cli-in-your-ci-system 8 | 9 | orbs: # declare what orbs we are going to use 10 | node: circleci/node@4.5.0 # the node orb provides common node-related configuration 11 | 12 | version: 2.1 13 | jobs: 14 | codeql: 15 | docker: 16 | - image: 'cimg/base:2021.05' 17 | resource_class: xlarge # https://circleci.com/docs/2.0/configuration-reference/#docker-executor 18 | steps: 19 | - checkout: { path: "my-app" } # checkout codebase in own directory, separate from codeql cli bundle so it does not analyze itself 20 | - node/install 21 | - run: 22 | # OPTIONAL: Download CodeQL CLI Bundle 23 | # The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be download as par of the pipeline, 24 | # or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace \path\to\cli in subsequent stages with the absolute path to the download location. 25 | # In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases. 26 | name: Download CodeQL CLI 27 | command: | 28 | wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-win64.tar.gz -O codeql-bundle-win64.tar.gz 29 | tar xzvf codeql-bundle-win64.tar.gz 30 | del codeql-bundle-win64.tar.gz 31 | set PATH=%cd%\codeql;%PATH% 32 | # Make a note of the current directory here and use that for \path\to\cli in subsequent stages 33 | # You can add the extracted codeql bundle to your PATH. 
Ex: set PATH=\path\to\cli;%PATH%
For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB\_TOKEN environment variable can be set. 61 | # This token must have the security\_events scope. 62 | # Documentation for creating GitHub Apps or Personal Access Tokens are available here: https:#docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 63 | # Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/ 64 | # REF command: '\path\to\cli\codeql github upload-results --repository= --ref= --commit= --sarif= [--github-auth-stdin] [--checkout-path=] [--github-url=] ...' 65 | 66 | # Since CircleCI does not track the github event reference in a single variable, we need to do an if/else to push right context back for pull requests vs branch commits 67 | - when: 68 | condition: ${CIRCLE_PULL_REQUEST} 69 | steps: 70 | - run: 'echo $GITHUB_TOKEN | .\codeql\codeql.exe github upload-results --repository=org/example-app --ref=refs/pull/${CIRCLE_PULL_REQUEST##*/}/head --commit=$CIRCLE_SHA1 --sarif=.\codeql\temp\results-js.sarif --github-url=https://github.com/ --github-auth-stdin' 71 | - unless: 72 | condition: ${CIRCLE_PULL_REQUEST} 73 | steps: 74 | - run: 'echo $GITHUB_TOKEN | .\codeql\codeql.exe github upload-results --repository=org/example-app --ref=refs/heads/${CIRCLE_BRANCH} --commit=$CIRCLE_SHA1 --sarif=.\codeql\temp\results-js.sarif --github-url=https://github.com/ --github-auth-stdin' 75 | 76 | workflows: 77 | version: 2 78 | codeql-analysis: 79 | jobs: 80 | - codeql 81 | -------------------------------------------------------------------------------- /CircleCI/README.md: -------------------------------------------------------------------------------- 1 | # CircleCI 2 | 3 | ## Tips, Tricks, and Cautions 4 | 5 | Here is a few tips and tricks for CircleCI along with some things to be 
aware of. 6 | 7 | ### Error 137 8 | 9 | In CircleCI you might hit an error reported by CircleCI named "Error 137". 10 | This is because if the CI job uses over its allocated memory of the machine, CircleCI will kill the process automatically. 11 | 12 | To prevent this, restrict the CodeQL process RAM usage by adding the `--ram` argument: 13 | 14 | ```bash 15 | codeql database analyze \ 16 | --ram 7000 17 | ``` 18 | 19 | CodeQL comes with some overhead on top of the value set (plus over processes could be running) so add padding to this value is recommended. 20 | -------------------------------------------------------------------------------- /DroneCI/CodeQL-Docker.yml: -------------------------------------------------------------------------------- 1 | name: CodeQL 2 | kind: pipeline 3 | type: docker 4 | 5 | steps: 6 | - name: analysis 7 | # This container is maintained by @GeekMasher (GitHub staff). 8 | # It is recommended to fork and maintain an internal version of this image or 9 | # have an internal version. 10 | image: ghcr.io/geekmasher/codeql-docker:main 11 | # CodeQL need to write its database to disk and this is an easy way to support 12 | # that. 
13 | user: root 14 | environment: 15 | # Repository org/name 16 | GITHUB_REPOSITORY: octodemo/advanced-security-python 17 | # Set the language that CodeQL will Analyse 18 | CODEQL_LANGUAGE: python 19 | # You will need an access token to push the SARIF file into GitHub 20 | GITHUB_TOKEN: 21 | from_secret: GITHUB_TOKEN 22 | 23 | commands: 24 | # Test CodeQL is present in the container and what version is running 25 | - codeql --version 26 | 27 | # Initialize and Create the CodeQL Database 28 | # This will try to use the autobuilder for compiled languages, or create the database for interpreted languages 29 | - codeql database create --language="$CODEQL_LANGUAGE" .codeql-database 30 | 31 | # To supply a manual build command, you can comment the line above out and instead use the following command, 32 | # replacing "make" with your build command. 33 | # codeql database create --language="$CODEQL_LANGUAGE" .codeql-database --command="make" 34 | 35 | # Analyse the code inside the database and generate the SARIF output. 36 | - codeql database analyze 37 | --format="sarif-latest" 38 | --output=".codeql-results.sarif" 39 | .codeql-database $CODEQL_LANGUAGE-code-scanning.qls 40 | 41 | # Uploading the results to GitHub. 42 | - codeql github upload-results 43 | -r "$GITHUB_REPOSITORY" 44 | -g "https://github.com" 45 | -f "refs/heads/$(git rev-parse --abbrev-ref HEAD)" 46 | -c "$(git rev-parse HEAD)" 47 | -s ".codeql-results.sarif" 48 | -------------------------------------------------------------------------------- /DroneCI/README.md: -------------------------------------------------------------------------------- 1 | # Drone CI 2 | 3 | To get CodeQL to work with Drone, you need to have a Docker image of the CodeQL Bundle installed into the image along with all your required build tools (dotnet, java, python, etc.). 
4 | 5 | ## Requirements 6 | 7 | - [CodeQL Bundle](https://github.com/github/codeql-action/releases) 8 | - [GitHub PAT to push results back to GitHub Advanced Security](https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#uploading-results-to-github) 9 | -------------------------------------------------------------------------------- /Jenkins/Jenkinsfile-template-linux: -------------------------------------------------------------------------------- 1 | /* 2 | This sample Jenkinsfile shows how to configure a Jenkins pipeline to analyze a repository using the CodeQL CLI bundle 3 | This example assumes a Linux environment 4 | */ 5 | 6 | pipeline { 7 | 8 | agent { label 'run-codeql-analysis' } 9 | 10 | environment { 11 | ... 12 | } 13 | 14 | options { 15 | ... 16 | } 17 | 18 | stages { 19 | // Clone repository 20 | stage('Clone Repository') { 21 | git url: 'https://github.com/octo-org/example-repo-2.git' 22 | } 23 | 24 | // OPTIONAL: Download CodeQL CLI Bundle 25 | // The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be download as part of the pipeline, 26 | // or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace /path/to/cli in subsequent stages with the absolute path to the download location. 27 | // In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases. 
28 | stage('Download CodeQL CLI Bundle') { 29 | steps { 30 | sh "wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz -O ../codeql-bundle-linux64.tar.gz" 31 | sh "tar xzvf ../codeql-bundle-linux64.tar.gz -C ../" 32 | sh "rm ../codeql-bundle-linux64.tar.gz" 33 | sh "export PATH=$(cd ..; pwd)/codeql:$PATH" 34 | } 35 | } 36 | 37 | // Create CodeQL Database 38 | // Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products. 39 | // Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used. For complex build instructions, consider placing build commands inside a script 40 | // and pass that to --command, or use indirect build tracing (aka. "sandwich mode"). 41 | // Full documentation for database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/ 42 | stage('Create CodeQL Database') { 43 | steps { 44 | sh "/path/to/cli/codeql database create [--language=[,...]] [--github-auth-stdin] [--github-url=] [--source-root=] [--threads=] [--ram=] [--command=] [--mode=] [--extractor-option=] ... -- " 45 | // example: sh "../codeql/codeql database create /codeql-dbs/repo-db --language=javascript --source-root /checkouts/my-repo" 46 | } 47 | } 48 | 49 | 50 | // Analyze CodeQL Database 51 | // Analyze a CodeQL database, producing meaningful results in the context of the source code. 52 | // Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format. 
53 | // Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality 54 | // Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/ 55 | stage('Analyze CodeQL Database') { 56 | steps { 57 | sh "/path/to/cli/codeql database analyze --format= --output= [--threads=] [--ram=] ... -- ..." 58 | // example: sh "../codeql/codeql database analyze /codeql-dbs/repo-db javascript-security-and-quality.qls --format=sarif-latest --output=./temp/results-js.sarif" 59 | } 60 | } 61 | 62 | // Upload results to GitHub 63 | // Uploads a SARIF file to GitHub code scanning. 64 | // For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data 65 | // A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB\_TOKEN environment variable can be set. 66 | // This token must have the security\_events scope. 67 | // Documentation for creating GitHub Apps or Personal Access Tokens are available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 68 | // Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/ 69 | stage('Upload results to GitHub') { 70 | steps { 71 | sh "/path/to/cli/codeql github upload-results --sarif= [--github-auth-stdin] [--github-url=] [--repository=] [--ref=] [--commit=] [--checkout-path=] ..." 
72 | // example: sh "../codeql/codeql github upload-results --sarif=./temp/results-js.sarif --github-auth-stdin --github-url=https://github.com/ --repository=octo-org/example-repo-2 --ref=refs/heads/main --commit=deb275d2d5fe9a522a0b7bd8b6b6a1c939552718" 73 | } 74 | } 75 | 76 | // Other stages go here 77 | 78 | } 79 | 80 | } -------------------------------------------------------------------------------- /Jenkins/Jenkinsfile-template-linux-multibranch: -------------------------------------------------------------------------------- 1 | def isPRBuild() { 2 | return (BRANCH_NAME ==~ /^PR-\d+$/) 3 | } 4 | 5 | def getPRNumber() { 6 | def matcher = (BRANCH_NAME =~ /^PR-(?\d+)$/) 7 | assert matcher.matches() 8 | return matcher.group('PR') 9 | } 10 | 11 | def getPRRef() { 12 | return isPRBuild() ? "refs/pull/${getPRNumber()}/${GITHUB_PR_REF_TYPE}" : "refs/heads/${BRANCH_NAME}" 13 | } 14 | 15 | pipeline { 16 | 17 | agent any 18 | 19 | environment { 20 | // The Jenkins Credentials ID (as a secret text credential) for your GitHub PAT. 21 | GITHUB_CREDS = credentials('github-pat-as-secret-text') 22 | // The repo default branch name 23 | DEFAULT_BRANCH = 'main' 24 | // The type of ref that will be checked out for a job initiated by a GitHub PR. 'merge' for the default PR merge commit, 'head' for the head of the branch being merged. 25 | GITHUB_PR_REF_TYPE = 'head' 26 | PR_REF = getPRRef() 27 | // The name of the GitHub repository to run the analysis on 28 | GITHUB_REPO = 'example/java-app' 29 | MAVEN_ARGS = '-batch-mode --no-transfer-progress' 30 | MAVEN_OPTS = '-Dmaven.test.skip=true' 31 | // See https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#changing-the-languages-that-are-analyzed 32 | // for supported languages. 33 | // For Java and Kotlin use 'java', for JavaScript and TypeScript use 'javascript', for C and C++ use 'cpp'. 
34 | CODEQL_LANGUAGE = 'java' 35 | // See https://docs.github.com/en/code-security/codeql-cli/codeql-cli-manual/database-create#--build-modemode for build mode options 36 | CODEQL_BUILD_MODE = 'manual' 37 | CODEQL_BUILD_COMMAND = './mvnw clean package' 38 | CODEQL_QUERY_SUITE = "codeql/${CODEQL_LANGUAGE}-queries:codeql-suites/${CODEQL_LANGUAGE}-security-extended.qls" 39 | // CODEQL_BUNDLE_URL = 'https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz' 40 | // Path to CodeQL bundle folder. If using the curl download option below this is the extraction location. 41 | // It is recommended to provide CodeQL via a pre-populated tool cache directory rather than download during the pipeline execution. 42 | CODEQL_DIR = '/tools/codeql' 43 | // Memory limit for CodeQL, this must be set to less than the pod limit if running in Kubernetes, approx 80% of the limit is appropriate. 44 | CODEQL_MEMORY = '3276' 45 | // The Dependency Submission Action executable archive 46 | // See https://github.com/advanced-security/maven-dependency-submission-action/actions/workflows/publish_executables.yml?query=branch:main for the latest version. 
47 | // Latest at last edit: https://github.com/advanced-security/maven-dependency-submission-action/actions/runs/8876993169/artifacts/1456204717 48 | // DEPENDENCY_SUBMISSION_EXECUTABLES_URL = 'https://api.github.com/repos/advanced-security/maven-dependency-submission-action/actions/artifacts/1456204717/zip' 49 | // The Dependency Submission Action executable 50 | // See https://github.com/advanced-security/maven-dependency-submission-action#command-line-usage for options 51 | DEPENDENCY_SUBMISSION_EXECUTABLE = '/tools/dep-submission/maven-dependency-submission-action-linux' 52 | } 53 | 54 | stages { 55 | stage('Run security analysis') { 56 | parallel { 57 | stage('Run CodeQL analysis') { 58 | when { 59 | anyOf { 60 | branch DEFAULT_BRANCH 61 | expression { CHANGE_ID != null && CHANGE_AUTHOR != 'dependabot[bot]'} 62 | } 63 | } 64 | steps { 65 | script { 66 | // sh 'rm -rf ${CODEQL_DIR} && mkdir -p ${CODEQL_DIR}' 67 | // sh 'curl -L -sS -o codeql-bundle.tar.gz -s ${CODEQL_BUNDLE_URL}' 68 | // sh 'tar --strip-components=1 -xzf codeql-bundle.tar.gz -C ${CODEQL_DIR}/' 69 | // sh 'rm codeql-bundle.tar.gz' 70 | sh '${CODEQL_DIR}/codeql database create ./codeql-db \ 71 | --ram ${CODEQL_MEMORY} \ 72 | --language ${CODEQL_LANGUAGE} \ 73 | --overwrite \ 74 | ${CODEQL_BUILD_MODE:+--build-mode} ${CODEQL_BUILD_MODE} \ 75 | ${CODEQL_BUILD_COMMAND:+--command} "${CODEQL_BUILD_COMMAND}"' 76 | sh '${CODEQL_DIR}/codeql database analyze ./codeql-db \ 77 | --ram ${CODEQL_MEMORY} \ 78 | --format=sarif-latest \ 79 | --output=codeql-results.sarif \ 80 | ${CODEQL_QUERY_SUITE}' 81 | sh 'echo $GITHUB_CREDS | ${CODEQL_DIR}/codeql github upload-results \ 82 | --github-auth-stdin \ 83 | --sarif=codeql-results.sarif \ 84 | --repository=${GITHUB_REPO} \ 85 | --ref=${PR_REF} \ 86 | --commit=${GIT_COMMIT}' 87 | } 88 | } 89 | } 90 | stage('Submit dependency snapshot') { 91 | when { 92 | anyOf { 93 | branch DEFAULT_BRANCH 94 | expression { CHANGE_ID != null } 95 | } 96 | } 97 | steps { 98 | // sh 
'curl -L -s \ 99 | // -H "Accept: application/vnd.github+json" \ 100 | // -H "Authorization: Bearer ${GITHUB_CREDS}" \ 101 | // -H "X-GitHub-Api-Version: 2022-11-28" \ 102 | // ${DEPENDENCY_SUBMISSION_EXECUTABLES_URL} \ 103 | // -o executables.zip' 104 | // sh 'unzip executables.zip' 105 | // sh 'chmod +x ./${DEPENDENCY_SUBMISSION_EXECUTABLE}' 106 | sh 'PATH="./:${PATH}" ${DEPENDENCY_SUBMISSION_EXECUTABLE} \ 107 | -r ${GITHUB_REPO} \ 108 | -t ${GITHUB_CREDS} \ 109 | -b ${PR_REF} \ 110 | -s ${GIT_COMMIT}' 111 | } 112 | } 113 | } 114 | } 115 | } 116 | } 117 | -------------------------------------------------------------------------------- /Jenkins/Jenkinsfile-template-linux-with-indirect-build-tracing: -------------------------------------------------------------------------------- 1 | /* 2 | This sample Jenkinsfile shows how to configure a Jenkins pipeline to analyze a repository using the CodeQL CLI bundle 3 | This example assumes a Linux environment and takes advantage of indirect build tracing ("sandwich mode") to leverage an existing set of build command 4 | */ 5 | 6 | pipeline { 7 | 8 | agent { label 'run-codeql-analysis' } 9 | 10 | environment { 11 | ... 12 | } 13 | 14 | options { 15 | ... 16 | } 17 | 18 | stages { 19 | // Clone repository 20 | stage('Clone Repository') { 21 | git url: 'https://github.com/octo-org/example-repo-2.git' 22 | } 23 | 24 | // OPTIONAL: Download CodeQL CLI Bundle 25 | // The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be download as part of the pipeline, 26 | // or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace /path/to/cli in subsequent stages with the absolute path to the download location. 27 | // In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases. 
28 | stage('Download CodeQL CLI Bundle') { 29 | steps { 30 | sh "wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz -O ../codeql-bundle-linux64.tar.gz" 31 | sh "tar xzvf ../codeql-bundle-linux64.tar.gz -C ../" 32 | sh "rm ../codeql-bundle-linux64.tar.gz" 33 | } 34 | } 35 | 36 | stage('Build and analyze code') { 37 | // Put CodeQL on the PATH 38 | steps { 39 | sh "export PATH=/path/to/cli:$PATH" 40 | // example: sh "export PATH=$(cd ..; pwd)/codeql:$PATH" 41 | } 42 | 43 | // Initialize CodeQL 44 | // Create a skeleton structure for a CodeQL database that doesn’t have a raw QL dataset yet, but is ready for running extractor steps 45 | // Prior to running any build commands, the generated scripts containing environment variables must be sourced. 46 | // Full documentation for database init step: https://codeql.github.com/docs/codeql-cli/manual/database-init/ 47 | steps { 48 | sh "/path/to/cli/codeql init --source-root= [--language=[,...]] [--github-auth-stdin] [--github-url=] --begin-tracing " 49 | // example: sh "../codeql/codeql init --source-root /checkouts/my-repo --language=java --begin-tracing /codeql-dbs/repo-db" 50 | } 51 | 52 | // Source environment variables 53 | // Set the generated environment variables so they are available for subsequent commands 54 | // Note that we are sourcing the script using '. /path/to/script.sh'. This is DIFFERENT than executing the script using './path/to/script.sh' 55 | // Executing the script would do so in a new shell, and any variables set in that shell would not be available in subsequent calls in our current shell 56 | // By sourcing the script, all variables are set in our current shell, and will be available for later stages 57 | steps { 58 | sh ". /path/to/script.sh" 59 | // example: sh ". 
/codeql-dbs/repo-db/temp/tracingEnvironment/start-tracing.sh" 60 | } 61 | 62 | // Run build commands 63 | // In this example, we have a simple maven project with a pom.xml in the root of the repository, and a settings file in a subdirectory 64 | // For Code Scanning purposes, we only need to compile the code. As such, we disable executing our test suite. This can be changed according to your needs 65 | steps { 66 | sh "mvn clean install -DskipTests=true -s settings/settings.xml" 67 | } 68 | 69 | // Finalize CodeQL Database 70 | // Finalize a database that was created with codeql database init and subsequently seeded with analysis data using codeql database trace-command. 71 | // This needs to happen before the new database can be queried. 72 | // Full documentation for database finalize step: https://codeql.github.com/docs/codeql-cli/manual/database-finalize/ 73 | steps { 74 | sh "/path/to/cli/codeql database finalize [--dbscheme=] [--threads=] [--ram=] [--mode=] ... -- " 75 | // example: sh "../codeql/codeql database finalize /codeql-dbs/repo-db" 76 | } 77 | 78 | // Analyze CodeQL Database 79 | // Analyze a CodeQL database, producing meaningful results in the context of the source code. 80 | // Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format. 81 | // Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality 82 | // Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/ 83 | steps { 84 | sh "/path/to/cli/codeql database analyze --format= --output= [--threads=] [--ram=] ... -- ..." 
85 | // example: sh "../codeql/codeql database analyze /codeql-dbs/repo-db java-security-and-quality.qls --format=sarif-latest --output=./temp/results-java.sarif" 86 | } 87 | } 88 | 89 | // Upload results to GitHub 90 | // Uploads a SARIF file to GitHub code scanning. 91 | // For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data 92 | // A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB\_TOKEN environment variable can be set. 93 | // This token must have the security\_events scope. 94 | // Documentation for creating GitHub Apps or Personal Access Tokens are available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 95 | // Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/ 96 | stage('Upload results to GitHub') { 97 | steps { 98 | sh "/path/to/cli/codeql github upload-results --sarif= [--github-auth-stdin] [--github-url=] [--repository=] [--ref=] [--commit=] [--checkout-path=] ..." 
99 | // example: sh "../codeql/codeql github upload-results --sarif=./temp/results-java.sarif --github-auth-stdin --github-url=https://github.com/ --repository=octo-org/example-repo-2 --ref=refs/heads/main --commit=deb275d2d5fe9a522a0b7bd8b6b6a1c939552718" 100 | } 101 | } 102 | 103 | // Other stages go here 104 | 105 | } 106 | 107 | } -------------------------------------------------------------------------------- /Jenkins/Jenkinsfile-template-windows: -------------------------------------------------------------------------------- 1 | /* 2 | This sample Jenkinsfile shows how to configure a Jenkins pipeline to analyze a repository using the CodeQL CLI bundle 3 | This example assumes a Windows environment 4 | */ 5 | 6 | pipeline { 7 | 8 | agent { label 'run-codeql-analysis' } 9 | 10 | environment { 11 | ... 12 | } 13 | 14 | options { 15 | ... 16 | } 17 | 18 | stages { 19 | // Clone repository 20 | stage('Clone Repository') { 21 | git url: 'https://github.com/octo-org/example-repo-2.git' 22 | } 23 | 24 | // OPTIONAL: Download CodeQL CLI Bundle 25 | // The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline, 26 | // or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace \path\to\cli in subsequent stages with the absolute path to the download location. 27 | // In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases. Pinning a specific release rather than "latest" keeps scans reproducible and makes the downloaded bundle easier to verify. 
28 | stage('Download CodeQL CLI Bundle') { 29 | steps { 30 | sh "wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-win64.tar.gz -O ..\codeql-bundle-win64.tar.gz" 31 | sh "tar xzvf ..\codeql-bundle-win64.tar.gz -C ..\" 32 | sh "del ..\codeql-bundle-win64.tar.gz" 33 | sh "cd ..\; set PATH=%cd%\codeql;%PATH%" 34 | } 35 | } 36 | 37 | // Create CodeQL Database 38 | // Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products. 39 | // Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used. For complex build instructions, consider placing build commands inside a script 40 | // and pass that to --command, or use indirect build tracing (aka. "sandwich mode"). 41 | // Full documentation for database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/ 42 | stage('Create CodeQL Database') { 43 | steps { 44 | sh "\path\to\cli\codeql.exe database create [--language=[,...]] [--github-auth-stdin] [--github-url=] [--source-root=] [--threads=] [--ram=] [--command=] [--mode=] [--extractor-option=] ... -- " 45 | // example: sh "..\codeql\codeql.exe database create \codeql-dbs\repo-db --language=javascript --source-root \checkouts\my-repo" 46 | } 47 | } 48 | 49 | 50 | // Analyze CodeQL Database 51 | // Analyze a CodeQL database, producing meaningful results in the context of the source code. 52 | // Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format. 
53 | // Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality 54 | // Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/ 55 | stage('Analyze CodeQL Database') { 56 | steps { 57 | sh "\path\to\cli\codeql.exe database analyze --format= --output= [--threads=] [--ram=] ... -- ..." 58 | // example: sh "..\codeql\codeql.exe database analyze \codeql-dbs\repo-db javascript-security-and-quality.qls --format=sarif-latest --output=.\temp\results-js.sarif" 59 | } 60 | } 61 | 62 | // Upload results to GitHub 63 | // Uploads a SARIF file to GitHub code scanning. 64 | // For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data 65 | // A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB\_TOKEN environment variable can be set. 66 | // This token must have the security\_events scope. 67 | // Documentation for creating GitHub Apps or Personal Access Tokens are available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 68 | // Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/ 69 | stage('Upload results to GitHub') { 70 | steps { 71 | sh "\path\to\cli\codeql.exe github upload-results --sarif= [--github-auth-stdin] [--github-url=] [--repository=] [--ref=] [--commit=] [--checkout-path=] ..." 
72 | // example: sh "..\codeql\codeql.exe github upload-results --sarif=.\temp\results-js.sarif --github-auth-stdin --github-url=https://github.com/ --repository=octo-org/example-repo-2 --ref=refs/heads/main --commit=deb275d2d5fe9a522a0b7bd8b6b6a1c939552718" 73 | } 74 | } 75 | 76 | // Other stages go here 77 | 78 | } 79 | 80 | } -------------------------------------------------------------------------------- /Jenkins/Jenkinsfile-template-windows-with-indirect-build-tracing: -------------------------------------------------------------------------------- 1 | /* 2 | This sample Jenkinsfile shows how to configure a Jenkins pipeline to analyze a repository using the CodeQL CLI bundle 3 | This example assumes a Windows environment and takes advantage of indirect build tracing ("sandwich mode") to leverage an existing set of build commands 4 | */ 5 | 6 | pipeline { 7 | 8 | agent { label 'run-codeql-analysis' } 9 | 10 | environment { 11 | ... 12 | } 13 | 14 | options { 15 | ... 16 | } 17 | 18 | stages { 19 | // Clone repository 20 | stage('Clone Repository') { 21 | git url: 'https://github.com/octo-org/example-repo-2.git' 22 | } 23 | 24 | // OPTIONAL: Download CodeQL CLI Bundle 25 | // The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline, 26 | // or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace \path\to\cli in subsequent stages with the absolute path to the download location. 27 | // In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases. Pinning a specific release rather than "latest" keeps scans reproducible and makes the downloaded bundle easier to verify. 
28 | stage('Download CodeQL CLI Bundle') { 29 | steps { 30 | sh "wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-win64.tar.gz -O ..\codeql-bundle-win64.tar.gz" 31 | sh "tar xzvf ..\codeql-bundle-win64.tar.gz -C ..\" 32 | sh "del ..\codeql-bundle-win64.tar.gz" 33 | } 34 | } 35 | 36 | stage('Build and analyze code') { 37 | // Put CodeQL on the PATH 38 | steps { 39 | sh "set PATH=\path\to\cli;%PATH%" 40 | // example: sh "cd ..\; set PATH=%cd%\codeql;%PATH%" 41 | } 42 | 43 | // Initialize CodeQL 44 | // Create a skeleton structure for a CodeQL database that doesn’t have a raw QL dataset yet, but is ready for running extractor steps 45 | // Prior to running any build commands, the generated scripts containing environment variables must be sourced. 46 | // Full documentation for database init step: https://codeql.github.com/docs/codeql-cli/manual/database-init/ 47 | steps { 48 | sh "\path\to\cli\codeql.exe init --source-root= [--language=[,...]] [--github-auth-stdin] [--github-url=] --begin-tracing " 49 | // example: sh "..\codeql\codeql.exe init --source-root \checkouts\my-repo --language=java --begin-tracing \codeql-dbs\repo-db" 50 | } 51 | 52 | // Source environment variables 53 | // Set the generated environment variables so they are available for subsequent commands 54 | steps { 55 | sh "\path\to\script.bat" 56 | // example: sh "\codeql-dbs\repo-db\temp\tracingEnvironment\start-tracing.bat" 57 | } 58 | 59 | // Run build commands 60 | // In this example, we have a simple maven project with a pom.xml in the root of the repository, and a settings file in a subdirectory 61 | // For Code Scanning purposes, we only need to compile the code. As such, we disable executing our test suite. 
This can be changed according to your needs 62 | steps { 63 | sh "mvn clean install -DskipTests=true -s settings\settings.xml" 64 | } 65 | 66 | // Finalize CodeQL Database 67 | // Finalize a database that was created with codeql database init and subsequently seeded with analysis data using codeql database trace-command. 68 | // This needs to happen before the new database can be queried. 69 | // Full documentation for database finalize step: https://codeql.github.com/docs/codeql-cli/manual/database-finalize/ 70 | steps { 71 | sh "\path\to\cli\codeql.exe database finalize [--dbscheme=] [--threads=] [--ram=] [--mode=] ... -- " 72 | // example: sh "..\codeql\codeql.exe database finalize \codeql-dbs\repo-db" 73 | } 74 | 75 | // Analyze CodeQL Database 76 | // Analyze a CodeQL database, producing meaningful results in the context of the source code. 77 | // Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format. 78 | // Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality 79 | // Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/ 80 | steps { 81 | sh "\path\to\cli\codeql.exe database analyze --format= --output= [--threads=] [--ram=] ... -- ..." 82 | // example: sh "..\codeql\codeql.exe database analyze \codeql-dbs\repo-db java-security-and-quality.qls --format=sarif-latest --output=.\temp\results-java.sarif" 83 | } 84 | } 85 | 86 | // Upload results to GitHub 87 | // Uploads a SARIF file to GitHub code scanning. 88 | // For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data 89 | // A GitHub Apps token or personal access token must be set. 
For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set. 90 | // This token must have the security_events scope. 91 | // Documentation for creating GitHub Apps or Personal Access Tokens is available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 92 | // Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/ 93 | stage('Upload results to GitHub') { 94 | steps { 95 | sh "\path\to\cli\codeql.exe github upload-results --sarif= [--github-auth-stdin] [--github-url=] [--repository=] [--ref=] [--commit=] [--checkout-path=] ..." 96 | // example: sh "..\codeql\codeql.exe github upload-results --sarif=.\temp\results-java.sarif --github-auth-stdin --github-url=https://github.com/ --repository=octo-org/example-repo-2 --ref=refs/heads/main --commit=deb275d2d5fe9a522a0b7bd8b6b6a1c939552718" 97 | } 98 | } 99 | 100 | // Other stages go here 101 | 102 | } 103 | 104 | } -------------------------------------------------------------------------------- /Jenkins/ReadMes/Jenkinsfile-template-linux-multibranch.md: -------------------------------------------------------------------------------- 1 | # Jenkins Pipeline for Security Analysis 2 | 3 | This Jenkins pipeline script is designed to perform security analysis on a Java project using CodeQL and submit a dependency snapshot. The script is written in Groovy and is designed to be used with Jenkins' Pipeline plugin. 4 | 5 | ## Functions 6 | 7 | The script defines several helper functions: 8 | 9 | - `isPRBuild()`: Checks if the current build is for a pull request. 10 | - `getPRNumber()`: Extracts the pull request number from the branch name. 11 | - `getPRRef()`: Returns the Git reference for the pull request or branch being built. 
12 | 13 | ## Environment Variables 14 | 15 | The script sets several environment variables: 16 | 17 | - `GITHUB_CREDS`: The Jenkins Credentials ID for your GitHub PAT credential. 18 | - `DEFAULT_BRANCH`: The default branch name of the repository. 19 | - `GITHUB_PR_REF_TYPE`: The type of ref that will be checked out for a job initiated by a GitHub PR. 20 | - `GITHUB_REPO`: The name of the GitHub repository to run the analysis on. 21 | - `CODEQL_LANGUAGE`: The programming language of the project. 22 | - `CODEQL_BUILD_COMMAND`: The command to build the project. 23 | - `CODEQL_QUERY_SUITE`: The CodeQL query suite to use for the analysis. 24 | - `DEPENDENCY_SUBMISSION_EXECUTABLES_URL`: The URL to download the Dependency Submission Action executable archive. 25 | - `DEPENDENCY_SUBMISSION_EXECUTABLE`: The Dependency Submission Action executable. 26 | - `PR_REF`: The Git reference for the pull request or branch being built. 27 | 28 | ## Stages 29 | 30 | The pipeline consists of a single stage, "Run security analysis", which contains two parallel stages: 31 | 32 | - "Run CodeQL analysis": This stage creates a CodeQL database for the project, analyzes the database, and uploads the results to GitHub. 33 | - "Submit dependency snapshot": This stage downloads the Dependency Submission Action executable, makes it executable, and runs it to submit a dependency snapshot. 34 | 35 | ## When to Run 36 | 37 | The stages are configured to run under certain conditions: 38 | 39 | - The "Run CodeQL analysis" stage runs if the current branch is the default branch or if the change was not made by Dependabot. 40 | - The "Submit dependency snapshot" stage runs if the current branch is the default branch or if there is a change ID. 41 | 42 | ## Steps 43 | 44 | Each stage consists of several steps, which are shell commands to be executed in the Jenkins environment. These commands perform the actual work of the stage, such as running the CodeQL analysis or submitting the dependency snapshot. 
45 | 46 | ### Mermaid Diagram 47 | 48 | ```mermaid 49 | graph TD 50 | A[Start] 51 | B{isPRBuild} 52 | C[getPRNumber] 53 | D[getPRRef] 54 | E[Environment Setup] 55 | F{Run security analysis} 56 | G{Run CodeQL analysis} 57 | H{Submit dependency snapshot} 58 | I[End] 59 | A --> B 60 | B --> C 61 | C --> D 62 | D --> E 63 | E --> F 64 | F --> G 65 | F --> H 66 | G --> I 67 | H --> I 68 | ``` 69 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright GitHub 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /PRIVACY.md: -------------------------------------------------------------------------------- 1 | # Privacy Policy 2 | 3 | These pipelines upload to GitHub Code Scanning, hosted on `github.com`. 
4 | 5 | Please see the [GitHub Privacy Statement](https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement) for GitHub's overall GitHub privacy policy. 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Sample pipeline files for using CodeQL in popular CI/CD systems 2 | 3 | > ℹ️ This is an _unofficial_ project created by Field Security Services, and is not officially supported by GitHub. 4 | 5 | This repository shows how to integrate CodeQL into various CI/CD systems, using the CodeQL CLI Bundle for Automated Code Scanning, in example pipeline configuration files. 6 | 7 | These are supplementary to the GitHub.com docs on [setting up CodeQL code scanning in your CI system](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/about-codeql-code-scanning-in-your-ci-system). 8 | 9 | The CI/CD systems covered here are Jenkins, Azure Pipelines, CircleCI, TravisCI, AWS CodeBuild and DroneCI. 10 | 11 | GitHub Actions is natively supported by GitHub Advanced Security, so use the instructions in the [GitHub.com docs to set up CodeQL for your repository](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning). 12 | 13 | For each CI/CD system a template is provided for both Windows and Linux. 14 | 15 | There are examples/guidance for: 16 | 17 | 1. automatic builds for compiled languages using the AutoBuilder (with no `--command` flag) 18 | 2. manual builds for compiled languages with a `--command` flag 19 | 3. analysis of interpreted languages (which don't need a build) 20 | 4. 
(for Azure and Jenkins) an advanced example using indirect build tracing ("sandwich mode") wrapped around manually specified build commands 21 | 22 | > ℹ️ This is an _unofficial_ project created by Field Security Services, and is not officially supported by GitHub. 23 | 24 | ## Requirements 25 | 26 | > ℹ️ You must be using GitHub Advanced Security to use these pipeline files. If you are not using GitHub Advanced Security, please see the [GitHub Advanced Security website](https://github.com/features/security) for more information. 27 | 28 | 1. A CI/CD pipeline using one of: 29 | * AWS CodeBuild 30 | * Azure Pipelines 31 | * CircleCI 32 | * DroneCI 33 | * Jenkins 34 | * TravisCI 35 | 2. The [CodeQL Bundle](https://github.com/github/codeql-action/releases) installed in the CI/CD pipeline 36 | 3. [GitHub PAT to push results back to GitHub Advanced Security](https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#uploading-results-to-github) 37 | 38 | ## Usage 39 | 40 | 1. [Download and install the CodeQL Bundle in your CI system](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system), testing that it works 41 | 2. Copy the relevant pipeline file from this repository into your repository 42 | 3. 
[Update the pipeline file with your required settings](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system) 43 | * read the [creating CodeQL database documentation for help](https://codeql.github.com/docs/codeql-cli/manual/database-create/) 44 | * the [full CodeQL CLI documentation](https://docs.github.com/en/enterprise-cloud@latest/code-security/codeql-cli/using-the-codeql-cli/about-the-codeql-cli) may also be useful 45 | 46 | ## License 47 | 48 | This project is licensed under the terms of the MIT open source license. Please refer to the [LICENSE](LICENSE) for the full terms. 49 | 50 | ## Maintainers 51 | 52 | See [CODEOWNERS](CODEOWNERS) for the list of maintainers. 53 | 54 | ## Support 55 | 56 | See the [SUPPORT](SUPPORT.md) file. 57 | 58 | ## Background 59 | 60 | See the [CHANGELOG](CHANGELOG.md), [CONTRIBUTING](CONTRIBUTING.md), [SECURITY](SECURITY.md), [SUPPORT](SUPPORT.md), [CODE OF CONDUCT](CODE_OF_CONDUCT.md) and [PRIVACY](PRIVACY.md) files for more information. 61 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security 2 | 3 | Thanks for helping make GitHub safe for everyone. 4 | 5 | GitHub takes the security of our software products and services seriously, including all of the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub). 6 | 7 | Even though [open source repositories are outside of the scope of our bug bounty program](https://bounty.github.com/index.html#scope) and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation. 
8 | 9 | ## Reporting Security Issues 10 | 11 | If you believe you have found a security vulnerability in any GitHub-owned repository, please report it to us through coordinated disclosure. 12 | 13 | **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** 14 | 15 | Instead, please send an email to opensource-security[@]github.com. 16 | 17 | Please include as much of the information listed below as you can to help us better understand and resolve the issue: 18 | 19 | * The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting) 20 | * Full paths of source file(s) related to the manifestation of the issue 21 | * The location of the affected source code (tag/branch/commit or direct URL) 22 | * Any special configuration required to reproduce the issue 23 | * Step-by-step instructions to reproduce the issue 24 | * Proof-of-concept or exploit code (if possible) 25 | * Impact of the issue, including how an attacker might exploit the issue 26 | 27 | This information will help us triage your report more quickly. 28 | 29 | ## Policy 30 | 31 | See [GitHub's Safe Harbor Policy](https://docs.github.com/en/github/site-policy/github-bug-bounty-program-legal-safe-harbor#1-safe-harbor-terms) 32 | -------------------------------------------------------------------------------- /SUPPORT.md: -------------------------------------------------------------------------------- 1 | # Support 2 | 3 | ## How to file issues and get help 4 | 5 | This project uses GitHub issues to track bugs and feature requests. Please search the existing issues before filing new issues to avoid duplicates. For new issues, file your bug or feature request as a new issue. 6 | 7 | For help or questions about using this project, please open a discussion. 8 | 9 | This repository is maintained by GitHub Field Security Specialist staff. We will do our best to respond to support, feature requests, and community questions in a timely manner. 
10 | 11 | ## GitHub Support Policy 12 | 13 | Support for this project is limited to the resources listed above. 14 | -------------------------------------------------------------------------------- /Tekton/codeql-task.yml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1beta1 2 | kind: Task 3 | metadata: 4 | name: codeql 5 | annotations: 6 | tekton.dev/platforms: "linux/amd64" 7 | spec: 8 | description: Analyse code with CodeQL 9 | params: 10 | - name: build-image 11 | type: string 12 | description: The image to use for building the project. 13 | - name: repo 14 | type: string 15 | description: The short name for the repository, e.g. ctcampbellcom/webgoat. 16 | default: "" 17 | - name: ref 18 | type: string 19 | description: The git ref of the checked out source. 20 | default: "" 21 | - name: commit-sha 22 | type: string 23 | description: The git commit SHA of the checked out source. 24 | default: "" 25 | - name: source-path-dir 26 | type: string 27 | description: The path to the source code directory relative to the checkout root. 28 | default: "." 29 | - name: codeql-download-url 30 | type: string 31 | description: The download URL for the CodeQL bundle. 32 | default: "https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz" 33 | - name: codeql-bin-path 34 | type: string 35 | description: The download location for the CodeQL binary folder. 36 | default: $(workspaces.source.path)/codeql-bin 37 | - name: codeql-language 38 | type: string 39 | description: The language to analyse. 40 | - name: codeql-build-command 41 | type: string 42 | description: The command to build the project. 43 | default: "" 44 | - name: codeql-query-suite 45 | type: string 46 | description: The query suite to use. 47 | default: $(params.codeql-language)-code-scanning 48 | - name: codeql-init-extra-args 49 | type: string 50 | description: Extra arguments to pass to the CodeQL CLI init command. 
51 | default: "" 52 | - name: codeql-analyze-extra-args 53 | type: string 54 | description: Extra arguments to pass to the CodeQL CLI analyze command. 55 | default: "" 56 | - name: codeql-upload-extra-args 57 | type: string 58 | description: Extra arguments to pass to the CodeQL CLI upload command. 59 | default: "" 60 | - name: github-token-secret-name 61 | type: string 62 | description: Kubernetes secret name to use for uploading results. 63 | default: github-token 64 | - name: github-token-secret-key 65 | type: string 66 | description: Kubernetes secret key to use for uploading results. 67 | default: github-token 68 | workspaces: 69 | - name: source 70 | steps: 71 | - name: init-build-analyse 72 | image: $(params.build-image) 73 | env: 74 | - name: SOURCE_PATH 75 | value: $(workspaces.source.path) 76 | - name: SOURCE_PATH_DIR 77 | value: $(params.source-path-dir) 78 | - name: REPO 79 | value: $(params.repo) 80 | - name: REF 81 | value: $(params.ref) 82 | - name: COMMIT_SHA 83 | value: $(params.commit-sha) 84 | - name: CODEQL_DOWNLOAD_URL 85 | value: $(params.codeql-download-url) 86 | - name: CODEQL_PATH 87 | value: $(params.codeql-bin-path) 88 | - name: CODEQL_LANGUAGE 89 | value: $(params.codeql-language) 90 | - name: CODEQL_BUILD_COMMAND 91 | value: $(params.codeql-build-command) 92 | - name: CODEQL_INIT_EXTRA_ARGS 93 | value: $(params.codeql-init-extra-args) 94 | - name: CODEQL_ANALYZE_EXTRA_ARGS 95 | value: $(params.codeql-analyze-extra-args) 96 | - name: CODEQL_UPLOAD_EXTRA_ARGS 97 | value: $(params.codeql-upload-extra-args) 98 | - name: CODEQL_QUERY_SUITE 99 | value: $(params.codeql-query-suite) 100 | - name: CODEQL_EXTRACTOR_JAVA_RUN_ANNOTATION_PROCESSORS 101 | value: "true" 102 | - name: GITHUB_TOKEN 103 | valueFrom: 104 | secretKeyRef: 105 | name: $(params.github-token-secret-name) 106 | key: $(params.github-token-secret-key) 107 | script: | 108 | #!/usr/bin/env bash 109 | set -ex 110 | rm -rf $CODEQL_PATH && mkdir $CODEQL_PATH 111 | wget -nv 
$CODEQL_DOWNLOAD_URL -O codeql-bundle.tar.gz 112 | tar -zxf codeql-bundle.tar.gz -C $CODEQL_PATH --strip-components=1 113 | rm codeql-bundle.tar.gz 114 | cd $SOURCE_PATH 115 | $CODEQL_PATH/codeql database create ./codeql-db \ 116 | --language=$CODEQL_LANGUAGE \ 117 | --overwrite \ 118 | --working-dir=$SOURCE_PATH_DIR \ 119 | ${CODEQL_BUILD_COMMAND:+--command="""$CODEQL_BUILD_COMMAND"""} \ 120 | $CODEQL_INIT_EXTRA_ARGS 121 | $CODEQL_PATH/codeql database analyze ./codeql-db \ 122 | --format=sarif-latest \ 123 | --output=codeql-results.sarif \ 124 | $CODEQL_QUERY_SUITE \ 125 | $CODEQL_ANALYZE_EXTRA_ARGS 126 | $CODEQL_PATH/codeql github upload-results \ 127 | --sarif=codeql-results.sarif \ 128 | ${COMMIT_SHA:+--commit=$COMMIT_SHA} \ 129 | ${REF:+--ref=$REF} \ 130 | ${REPO:+--repository=$REPO} \ 131 | $CODEQL_UPLOAD_EXTRA_ARGS 132 | rm -rf $CODEQL_PATH 133 | 134 | -------------------------------------------------------------------------------- /Tekton/example-pipeline.yml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1beta1 2 | kind: Pipeline 3 | metadata: 4 | name: webgoat-clone-and-codeql-analyse 5 | spec: 6 | description: | 7 | This pipeline clones a git repo, then analyses it with CodeQL. 8 | params: 9 | - name: build-image 10 | type: string 11 | description: The image to use for building the project. 12 | default: eclipse-temurin:17-jdk 13 | - name: ref 14 | type: string 15 | description: The git ref to check out. 16 | default: "refs/heads/main" 17 | - name: codeql-language 18 | type: string 19 | description: The language to analyse. 20 | default: java 21 | - name: codeql-build-command 22 | type: string 23 | description: The command to build the project. 24 | default: ./mvnw clean package -f "pom.xml" -B -V -e -ntp -DskipTests -Dspotless.check.skip=true 25 | - name: codeql-query-suite 26 | type: string 27 | description: The query suite to use. 
28 | default: java-code-scanning 29 | - name: codeql-init-extra-args 30 | type: string 31 | description: Extra arguments to pass to the CodeQL CLI init command. 32 | default: "" 33 | - name: codeql-analyze-extra-args 34 | type: string 35 | description: Extra arguments to pass to the CodeQL CLI analyze command. 36 | default: "" 37 | - name: codeql-upload-extra-args 38 | type: string 39 | description: Extra arguments to pass to the CodeQL CLI upload command. 40 | default: "" 41 | workspaces: 42 | - name: shared-data 43 | description: This workspace contains the cloned repo files, so they can be read by the next task. 44 | tasks: 45 | - name: git-clone 46 | taskRef: 47 | name: git-clone 48 | workspaces: 49 | - name: output 50 | workspace: shared-data 51 | params: 52 | - name: url 53 | value: https://github.com/ctcampbellcom/webgoat-in-a-folder 54 | - name: revision 55 | value: $(params.ref) 56 | - name: codeql 57 | runAfter: 58 | - git-clone 59 | taskRef: 60 | name: codeql 61 | workspaces: 62 | - name: source 63 | workspace: shared-data 64 | params: 65 | - name: build-image 66 | value: $(params.build-image) 67 | - name: repo 68 | value: ctcampbellcom/webgoat-in-a-folder 69 | - name: ref 70 | value: $(params.ref) 71 | - name: commit-sha 72 | value: $(tasks.git-clone.results.commit) 73 | - name: source-path-dir 74 | value: webgoat 75 | - name: codeql-language 76 | value: $(params.codeql-language) 77 | - name: codeql-build-command 78 | value: $(params.codeql-build-command) 79 | - name: codeql-query-suite 80 | value: $(params.codeql-query-suite) 81 | - name: codeql-init-extra-args 82 | value: $(params.codeql-init-extra-args) 83 | - name: codeql-analyze-extra-args 84 | value: $(params.codeql-analyze-extra-args) 85 | - name: codeql-upload-extra-args 86 | value: $(params.codeql-upload-extra-args) 87 | -------------------------------------------------------------------------------- /Tekton/example-pipelinerun.yml: 
-------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1beta1 2 | kind: PipelineRun 3 | metadata: 4 | generateName: webgoat-clone-and-codeql-analyse-run- 5 | spec: 6 | pipelineRef: 7 | name: webgoat-clone-and-codeql-analyse 8 | podTemplate: 9 | securityContext: 10 | fsGroup: 65532 11 | taskRunSpecs: 12 | - pipelineTaskName: codeql 13 | stepOverrides: 14 | - name: init-build-analyse 15 | resources: 16 | limits: 17 | memory: 4Gi 18 | requests: 19 | memory: 4Gi 20 | workspaces: 21 | - name: shared-data 22 | volumeClaimTemplate: 23 | spec: 24 | accessModes: 25 | - ReadWriteOnce 26 | resources: 27 | requests: 28 | storage: 1Gi 29 | params: 30 | - name: codeql-init-extra-args 31 | value: --ram=3500 32 | - name: codeql-analyze-extra-args 33 | value: --ram=3500 -------------------------------------------------------------------------------- /TravisCI/TravisCI-template-linux.yml: -------------------------------------------------------------------------------- 1 | # This sample .travis.yml shows how to configure a TravisCI workflow to analyze a repository using the CodeQL CLI 2 | # The example assumes a simple javascript application built using node on Linux 3 | 4 | # Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token stored as pipeline variable GITHUB_TOKEN 5 | # Currently this workflow runs on commit, you will need to setup triggers for workflow to run on certain branches, PR, scheduled, etc. 
6 | 7 | # GitHub Docs "Running CodeQL CLI in your CI System" - https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-cli-in-your-ci-system 8 | 9 | language: node_js 10 | node_js: 11 | - "7" 12 | 13 | arch: amd64 14 | os: linux 15 | dist: focal 16 | 17 | cache: npm 18 | 19 | branches: 20 | only: 21 | - main 22 | 23 | install: 24 | - npm i 25 | 26 | script: 27 | # STEP 1 (OPTIONAL): Download CodeQL CLI Bundle 28 | # The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline, 29 | # or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace /path/to/cli in subsequent stages with the absolute path to the download location. 30 | # In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases. 31 | - cd $HOME # Change to the home directory to download the CLI: if you unzip the CodeQL CLI Bundle inside the source directory ($TRAVIS_BUILD_DIR) where the repo is cloned, it will analyze itself 32 | - wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz 33 | - tar xzf codeql-bundle-linux64.tar.gz 34 | - cd codeql && chmod +x codeql && cd .. 35 | 36 | # STEP 2: Create CodeQL Database 37 | # Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products. 38 | # Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used. 
39 | # Full documentation for database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/ 40 | - mkdir codeql-dbs 41 | - ./codeql/codeql database create ./codeql-dbs/repo-db --language=javascript --source-root=$TRAVIS_BUILD_DIR 42 | # REF command: ''/path/to/cli/codeql database create --language= [--source-root=] [--threads=] [--command=] [--mode=] ... [--] '' 43 | 44 | # STEP 3: Analyze CodeQL Database 45 | # Analyze a CodeQL database, producing meaningful results in the context of the source code. 46 | # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format. 47 | # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality 48 | # Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/ 49 | - cd codeql && mkdir temp 50 | - ./codeql database analyze ../codeql-dbs/repo-db javascript-code-scanning.qls --format=sarif-latest --output=./temp/results-js.sarif 51 | # REF command: '/path/to/cli/codeql database analyze --format= --output= [--threads=] [--ram=] ... [--] ...' 52 | 53 | # STEP 4: Upload Results to GitHub 54 | # Uploads a SARIF file to GitHub code scanning. 55 | # For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data 56 | # A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB\_TOKEN environment variable can be set. 57 | # This token must have the security\_events scope. 
58 | # Documentation for creating GitHub Apps or Personal Access Tokens is available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 59 | # Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/ 60 | - echo $GITHUB_TOKEN | ./codeql github upload-results --repository=org/repo --ref=refs/heads/main --commit=$TRAVIS_COMMIT --sarif=./temp/results-js.sarif --github-url=https://github.com/ --github-auth-stdin 61 | # REF command: '/path/to/cli/codeql github upload-results --repository= --ref= --commit= --sarif= [--github-auth-stdin] [--checkout-path=] [--github-url=] ...' -------------------------------------------------------------------------------- /TravisCI/TravisCI-template-windows.yml: -------------------------------------------------------------------------------- 1 | # This sample .travis.yml shows how to configure a TravisCI workflow to analyze a repository using the CodeQL CLI 2 | # The example assumes a simple javascript application built using node on Windows 3 | 4 | # Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token stored as pipeline variable GITHUB_TOKEN 5 | # Currently this workflow runs on commit; you will need to set up triggers for the workflow to run on certain branches, PRs, schedules, etc. 
6 | 7 | # GitHub Docs "Running CodeQL CLI in your CI System" - https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-cli-in-your-ci-system 8 | 9 | language: node_js 10 | node_js: 11 | - "7" 12 | 13 | arch: amd64 14 | os: linux 15 | dist: focal 16 | 17 | cache: npm 18 | 19 | branches: 20 | only: 21 | - main 22 | 23 | install: 24 | - npm i 25 | 26 | script: 27 | # STEP 1 (OPTIONAL): Download CodeQL CLI Bundle 28 | # The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline, 29 | # or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace \path\to\cli in subsequent stages with the absolute path to the download location. 30 | # In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases. 31 | - cd $HOME # Change to the home directory to download the CLI: if you unzip the CodeQL CLI Bundle inside the source directory ($TRAVIS_BUILD_DIR) where the repo is cloned, it will analyze itself 32 | - wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz 33 | - tar xzf codeql-bundle-linux64.tar.gz 34 | 35 | # STEP 2: Create CodeQL Database 36 | # Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products. 37 | # Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used. 38 | # Full documentation for database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/ 39 | - mkdir codeql-dbs 40 | - .\codeql\codeql.exe database create .\codeql-dbs\repo-db --language=javascript --source-root=$TRAVIS_BUILD_DIR 41 | # REF command: ''\path\to\cli\codeql database create --language= [--source-root=] [--threads=] [--command=] [--mode=] ... 
[--] '' 42 | 43 | # STEP 3: Analyze CodeQL Database 44 | # Analyze a CodeQL database, producing meaningful results in the context of the source code. 45 | # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format. 46 | # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality 47 | # Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/ 48 | - cd codeql && mkdir temp 49 | - .\codeql.exe database analyze ..\codeql-dbs\repo-db javascript-code-scanning.qls --format=sarif-latest --output=.\temp\results-js.sarif 50 | # REF command: '\path\to\cli\codeql database analyze --format= --output= [--threads=] [--ram=] ... [--] ...' 51 | 52 | # STEP 4: Upload Results to GitHub 53 | # Uploads a SARIF file to GitHub code scanning. 54 | # For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data 55 | # A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB\_TOKEN environment variable can be set. 56 | # This token must have the security\_events scope. 
57 | # Documentation for creating GitHub Apps or Personal Access Tokens is available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 58 | # Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/ 59 | - echo $GITHUB_TOKEN | .\codeql.exe github upload-results --repository=org/repo --ref=refs/heads/main --commit=$TRAVIS_COMMIT --sarif=.\temp\results-js.sarif --github-url=https://github.com/ --github-auth-stdin 60 | # REF command: '\path\to\cli\codeql github upload-results --repository= --ref= --commit= --sarif= [--github-auth-stdin] [--checkout-path=] [--github-url=] ...' -------------------------------------------------------------------------------- /_deprecated/Azure-Pipelines-template-with-codeql-runner.yml: -------------------------------------------------------------------------------- 1 | ██████╗ ███████╗██████╗ ██████╗ ███████╗ ██████╗ █████╗ ████████╗███████╗██████╗ 2 | ██╔══██╗██╔════╝██╔══██╗██╔══██╗██╔════╝██╔════╝██╔══██╗╚══██╔══╝██╔════╝██╔══██╗ 3 | ██║ ██║█████╗ ██████╔╝██████╔╝█████╗ ██║ ███████║ ██║ █████╗ ██║ ██║ 4 | ██║ ██║██╔══╝ ██╔═══╝ ██╔══██╗██╔══╝ ██║ ██╔══██║ ██║ ██╔══╝ ██║ ██║ 5 | ██████╔╝███████╗██║ ██║ ██║███████╗╚██████╗██║ ██║ ██║ ███████╗██████╔╝ 6 | ╚═════╝ ╚══════╝╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═════╝╚═╝ ╚═╝ ╚═╝ ╚══════╝╚═════╝ 7 | 8 | The CodeQL Runner has been deprecated as of version 2.6.2 of the CodeQL CLI. 9 | All functionality is now natively available in the CodeQL CLI. 10 | Please use the CodeQL CLI Bundle instead of the CodeQL Runner. 
11 | 12 | ################################################################################# 13 | 14 | # This sample YAML file shows how to configure an Azure Pipeline to analyze a repository using the CodeQL Runner 15 | # The example assumes a C# application built using Visual Studio Build 16 | 17 | trigger: 18 | branches: 19 | include: 20 | - '*' 21 | paths: 22 | exclude: 23 | - test/* 24 | - doc/* 25 | - lib/* 26 | include: 27 | - src/* 28 | resources: 29 | repositories: 30 | - repository: templates 31 | type: github 32 | name: octo-org/MyDevOpsTemplates 33 | endpoint: octo-org 34 | 35 | variables: 36 | - name: msbuildArgs 37 | value: /p:OutDir=$(Build.ArtifactStagingDirectory) /p:UseSharedCompilation=false 38 | 39 | stages: 40 | - stage: __default 41 | jobs: 42 | - job: Job 43 | workspace: 44 | clean: all 45 | steps: 46 | 47 | # Initialize the CodeQL Runner 48 | # Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token. In this case, stored in a variable MyGitHubToken 49 | # In this example, the CodeQL CLI has been predownloaded and placed in a directory on the runner. 
If --codeql-path is omitted, the runner will automatically download the CodeQL CLI 50 | # Full documentation for init step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#init 51 | # In this example, the security-and-quality suite is used, which includes both security queries and code quality queries 52 | - task: CmdLine@1 53 | displayName: CodeQL Initialization 54 | inputs: 55 | script: "%CodeQLRunner%\\codeql-runner-win.exe init --repository octo-org/example-repo-2 --github-url https://github.com --github-auth $(MyGitHubToken) --codeql-path %CodeQLRunner%\\Bundle\\codeql\\codeql.exe --queries security-and-quality" 56 | 57 | # Set the generated environment variables so they are available for subsequent commands 58 | # We use a simple PowerShell script to set the appropriate variables required for Azure Pipelines 59 | - task: PowerShell@1 60 | displayName: Set CodeQL Environment Variables 61 | inputs: 62 | targetType: inline 63 | script: > 64 | $json = Get-Content $(System.DefaultWorkingDirectory)/codeql-runner/codeql-env.json | ConvertFrom-Json 65 | $json.PSObject.Properties | ForEach-Object { 66 | $template = "##vso[task.setvariable variable=" 67 | $template += $_.Name 68 | $template += "]" 69 | $template += $_.Value 70 | echo "$template" 71 | } 72 | 73 | # It is often required to perform certain pre-build tasks prior to executing the build. In this example, we restore our NuGet dependencies 74 | - task: NuGetCommand@1 75 | condition: and(succeeded(), eq('', '')) 76 | inputs: 77 | command: restore 78 | restoreSolution: '**/*.sln' 79 | displayName: Restore NuGet Dependencies 80 | 81 | # Execute the build. Note the msbuildArgs variable, which is configured above. 
We execute a clean build, in order to remove any existing build-artifacts prior to the build 82 | - task: VSBuild@1 83 | inputs: 84 | solution: '**/*.sln' 85 | msbuildArgs: $(msbuildArgs) 86 | platform: Any CPU 87 | configuration: Release 88 | clean: True 89 | displayName: Visual Studio Build 90 | 91 | # Analyze the snapshot database created as part of the build, by running the selected queries against it 92 | # Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token. In this case, stored in a variable MyGitHubToken 93 | # Full documentation for analyze step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#analyze 94 | # Once the analysis is done, the results will be uploaded to GitHub 95 | - task: CmdLine@2 96 | displayName: CodeQL Analyze 97 | inputs: 98 | script: '%CodeQLRunner%\codeql-runner-win.exe analyze --repository octo-org/example-repo-2 --commit $(Build.SourceVersion) --ref $(Build.SourceBranch) --github-url https://github.com --github-auth $(MyGitHubToken)' 99 | 100 | # Other tasks go here 101 | -------------------------------------------------------------------------------- /_deprecated/CircleCI-template-with-codeql-runner.yml: -------------------------------------------------------------------------------- 1 | ██████╗ ███████╗██████╗ ██████╗ ███████╗ ██████╗ █████╗ ████████╗███████╗██████╗ 2 | ██╔══██╗██╔════╝██╔══██╗██╔══██╗██╔════╝██╔════╝██╔══██╗╚══██╔══╝██╔════╝██╔══██╗ 3 | ██║ ██║█████╗ ██████╔╝██████╔╝█████╗ ██║ ███████║ ██║ █████╗ ██║ ██║ 4 | ██║ ██║██╔══╝ ██╔═══╝ ██╔══██╗██╔══╝ ██║ ██╔══██║ ██║ ██╔══╝ ██║ ██║ 5 | ██████╔╝███████╗██║ ██║ ██║███████╗╚██████╗██║ ██║ ██║ ███████╗██████╔╝ 6 | ╚═════╝ ╚══════╝╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═════╝╚═╝ ╚═╝ ╚═╝ ╚══════╝╚═════╝ 7 | 8 | The CodeQL Runner has been deprecated as of version 
2.6.2 of the CodeQL CLI. 9 | All functionality is now natively available in the CodeQL CLI. 10 | Please use the CodeQL CLI Bundle instead of the CodeQL Runner. 11 | 12 | ################################################################################# 13 | 14 | # This sample config.yml shows how to configure a CircleCI workflow to analyze a repository using the CodeQL Runner 15 | # The example assumes a simple Java application built using Maven 16 | 17 | # Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token stored as pipeline variable GITHUB_TOKEN 18 | # Currently this workflow runs on commit, you will need to setup triggers for workflow to run on certain branches, PR, scheduled, etc. 19 | 20 | # GitHub Docs "Running CodeQL Runner in your CI system" - https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-runner-in-your-ci-system 21 | 22 | version: 2.1 23 | jobs: 24 | codeql: 25 | docker: 26 | - image: 'cimg/base:2021.05' 27 | resource_class: xlarge # https://circleci.com/docs/2.0/configuration-reference/#docker-executor 28 | steps: 29 | - checkout # Checkout codebase 30 | - run: 31 | # OPTIONAL: Download CodeQL Runner 32 | # The CodeQL Runner can either be download as part of the pipeline, 33 | # or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace ./codeql-runner-linux in subsequent stages with the absolute path to the download location. 
34 | name: Download CodeQL Runner 35 | command: 'wget https://github.com/github/codeql-action/releases/latest/download/codeql-runner-linux' 36 | - run: 37 | name: Give CodeQL Runner executable access 38 | command: 'chmod +x codeql-runner-linux' 39 | - run: 40 | # Initialize the CodeQL Runner 41 | # Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token stored as pipeline variable 42 | # Full documentation for init step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#init 43 | # In this example, the security-and-quality suite is used, which includes both security queries and code quality queries 44 | name: Initialize CodeQL Runner 45 | command: 'echo $GITHUB_TOKEN | ./codeql-runner-linux init --repository octo-org/example-repo-2 --github-url https://github.com --queries security-extended --github-auth-stdin' 46 | - run: 47 | # Set the generated environment variables so they are available for subsequent commands 48 | # This script created as part of the ./codeql-runner-linux init step and referenced in init logs 49 | name: Set CodeQL Runner BUILD environment variables # REMOVE this step if you are not scanning any compiled languages (ex. Java) and only scanning scripting languages (ex. JavaScript) 50 | command: '. 
${CIRCLE_WORKING_DIRECTORY}/codeql-runner/codeql-env.sh' 51 | - run: 52 | # Example 1: Use the AutoBuilder 53 | # The CodeQL Runner comes with a sophisticated AutoBuilder, which attempts to build the code based on files in the repository 54 | # Full documentation for autobuild step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#autobuild 55 | name: Build codebase # REMOVE this step if you are not scanning any compiled languages (ex. Java) and only scanning scripting languages (ex. JavaScript) 56 | command: ./codeql-runner-linux autobuild --language java 57 | # Example 2: Providing a manual build command 58 | # Alternatively, we can run the build command to compile the code. In this example, we have a simple maven project with a pom.xml in the root of the repository, and a settings file in a subdirectory 59 | # For Code Scanning purposes, we only need to compile the code. As such, we disable executing our test suite. 
This can be changed according to your needs 60 | # command: 'mvn clean install -DskipTests=true -s settings/settings.xml' 61 | # - run: 62 | # Optional step if you experience errors where CodeQL runner runs out of memory resources 63 | # name: Tune malloc fragmentation threshold 64 | # command: 'export MALLOC_MMAP_THRESHOLD_=131072' 65 | 66 | 67 | # Analyze CodeQL database and send results to GitHub 68 | 69 | # Analyze the snapshot database created as part of the build, by running the selected queries against it 70 | # Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 71 | # Full documentation for analyze step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#analyze 72 | # Once the analysis is done, the results will be uploaded to GitHub 73 | # Specifying the --ram attribute puts a ceiling on memory resources used by CodeQL runner, use this if you experience errors where CodeQL runner runs out of memory resources 74 | - when: 75 | condition: ${CIRCLE_PULL_REQUEST} 76 | steps: 77 | - run: 'echo $GITHUB_TOKEN | ./codeql-runner-linux analyze --repository octo-org/example-repo-2 --github-url https://github.com --commit $CIRCLE_SHA1 --ref refs/pull/${CIRCLE_PULL_REQUEST##*/}/head --github-auth-stdin' 78 | - unless: 79 | condition: ${CIRCLE_PULL_REQUEST} 80 | steps: 81 | - run: 'echo $GITHUB_TOKEN | ./codeql-runner-linux analyze --repository octo-org/example-repo-2 --github-url https://github.com --commit $CIRCLE_SHA1 --ref refs/heads/${CIRCLE_BRANCH} --github-auth-stdin' 82 | workflows: 83 | version: 2 84 | codeql-analysis: 85 | jobs: 86 | - codeql 87 | -------------------------------------------------------------------------------- /_deprecated/Jenkinsfile-template-with-codeql-runner: 
-------------------------------------------------------------------------------- 1 | ██████╗ ███████╗██████╗ ██████╗ ███████╗ ██████╗ █████╗ ████████╗███████╗██████╗ 2 | ██╔══██╗██╔════╝██╔══██╗██╔══██╗██╔════╝██╔════╝██╔══██╗╚══██╔══╝██╔════╝██╔══██╗ 3 | ██║ ██║█████╗ ██████╔╝██████╔╝█████╗ ██║ ███████║ ██║ █████╗ ██║ ██║ 4 | ██║ ██║██╔══╝ ██╔═══╝ ██╔══██╗██╔══╝ ██║ ██╔══██║ ██║ ██╔══╝ ██║ ██║ 5 | ██████╔╝███████╗██║ ██║ ██║███████╗╚██████╗██║ ██║ ██║ ███████╗██████╔╝ 6 | ╚═════╝ ╚══════╝╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═════╝╚═╝ ╚═╝ ╚═╝ ╚══════╝╚═════╝ 7 | 8 | The CodeQL Runner has been deprecated as of version 2.6.2 of the CodeQL CLI. 9 | All functionality is now natively available in the CodeQL CLI. 10 | Please use the CodeQL CLI Bundle instead of the CodeQL Runner. 11 | 12 | ################################################################################# 13 | 14 | /* 15 | This sample Jenkinsfile shows how to configure a Jenkins pipeline to analyze a repository using the CodeQL Runner 16 | The example assumes a simple Java application built using Maven 17 | */ 18 | 19 | pipeline { 20 | 21 | agent { label 'run-codeql-analysis' } 22 | 23 | environment { 24 | ... 25 | } 26 | 27 | options { 28 | ... 
29 | } 30 | 31 | stages { 32 | // Clone repository 33 | stage('Clone Repository') { 34 | git url: 'https://github.com/octo-org/example-repo-2.git' 35 | } 36 | 37 | // Initialize the CodeQL Runner 38 | // Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 39 | // Full documentation for init step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#init 40 | // In this example, the security-and-quality suite is used, which includes both security queries and code quality queries 41 | stage('CodeQL Initialization') { 42 | steps { 43 | sh '/path/to-runner/codeql-runner-linux init --repository octo-org/example-repo-2 --github-url https://github.com --github-auth TOKEN --queries security-and-quality' 44 | } 45 | } 46 | 47 | 48 | stage('Build and analyze code') { 49 | 50 | // Set the generated environment variables so they are available for subsequent commands 51 | // Note that we are sourcing the script using '. /path/to/script.sh'. This is DIFFERENT than executing the script using './path/to/script.sh' 52 | // Executing the script would do so in a new shell, and any variables set in that shell would not be available in subsequent calls in our current shell 53 | // By sourcing the script, all variables are set in our current shell, and will be available for later stages 54 | steps { 55 | sh '. 
/srv/checkout/myrepository/codeql-runner/codeql-env.sh' 56 | } 57 | 58 | // Building the code - Two examples 59 | 60 | // Example 1: Use the AutoBuilder 61 | // The CodeQL Runner comes with a sophisticated AutoBuilder, which attempts to build the code based on files in the repository 62 | // Full documentation for autobuild step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#autobuild 63 | steps { 64 | sh '/path/to-runner/codeql-runner-linux autobuild --language java' 65 | } 66 | 67 | // Example 2: Providing a manual build command 68 | // Alternatively, we can run the build command to compile the code. In this example, we have a simple maven project with a pom.xml in the root of the repository, and a settings file in a subdirectory 69 | // For Code Scanning purposes, we only need to compile the code. As such, we disable executing our test suite. This can be changed according to your needs 70 | steps { 71 | sh 'mvn clean install -DskipTests=true -s settings/settings.xml' 72 | } 73 | 74 | // Analyze the snapshot database created as part of the build, by running the selected queries against it 75 | // Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 76 | // Full documentation for analyze step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#analyze 77 | // Once the analysis is done, the results will be uploaded to GitHub 78 | steps { 79 | sh '/path/to-runner/codeql-runner-linux analyze --repository octo-org/example-repo-2 --github-url https://github.com --github-auth TOKEN --commit ae7b655ef30b50fb726ae7b3daa79571a39d194d --ref refs/heads/main' 80 | } 81 | 82 | } 83 | 84 | // Other stages go here 85 | 86 | } 87 | 88 | } 89 
| -------------------------------------------------------------------------------- /_deprecated/TravisCI-template-with-codeql-runner.yml: -------------------------------------------------------------------------------- 1 | ██████╗ ███████╗██████╗ ██████╗ ███████╗ ██████╗ █████╗ ████████╗███████╗██████╗ 2 | ██╔══██╗██╔════╝██╔══██╗██╔══██╗██╔════╝██╔════╝██╔══██╗╚══██╔══╝██╔════╝██╔══██╗ 3 | ██║ ██║█████╗ ██████╔╝██████╔╝█████╗ ██║ ███████║ ██║ █████╗ ██║ ██║ 4 | ██║ ██║██╔══╝ ██╔═══╝ ██╔══██╗██╔══╝ ██║ ██╔══██║ ██║ ██╔══╝ ██║ ██║ 5 | ██████╔╝███████╗██║ ██║ ██║███████╗╚██████╗██║ ██║ ██║ ███████╗██████╔╝ 6 | ╚═════╝ ╚══════╝╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═════╝╚═╝ ╚═╝ ╚═╝ ╚══════╝╚═════╝ 7 | 8 | The CodeQL Runner has been deprecated as of version 2.6.2 of the CodeQL CLI. 9 | All functionality is now natively available in the CodeQL CLI. 10 | Please use the CodeQL CLI Bundle instead of the CodeQL Runner. 11 | 12 | ################################################################################# 13 | 14 | # This sample .travis.yml shows how to configure a TravisCI workflow to analyze a repository using the CodeQL Runner 15 | # The example assumes a simple Java application built using Maven 16 | 17 | # Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token stored as pipeline variable GITHUB_TOKEN 18 | # Currently this workflow runs on commit, you will need to setup triggers for workflow to run on certain branches, PR, scheduled, etc. 
19 | 20 | # GitHub Docs "Running CodeQL Runner in your CI system" - https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-runner-in-your-ci-system 21 | 22 | language: java 23 | jdk: 24 | - oraclejdk15 25 | 26 | arch: amd64 27 | os: linux 28 | dist: focal 29 | 30 | branches: 31 | only: 32 | - main 33 | 34 | install: 35 | - java --version 36 | - ./mvnw clean install 37 | - ./mvnw test 38 | 39 | script: 40 | # STEP 1 (OPTIONAL): Download CodeQL Runner 41 | # The CodeQL Runner can either be download as part of the pipeline, 42 | # or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace ./codeql-runner-linux in subsequent stages with the absolute path to the download location. 43 | - wget https://github.com/github/codeql-action/releases/latest/download/codeql-runner-linux 44 | - chmod +x codeql-runner-linux #Give CodeQL Runner executable access 45 | 46 | # STEP 2: Initialize the CodeQL Runner 47 | # Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token stored as pipeline variable 48 | # Full documentation for init step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#init 49 | # In this example, the security-extended suite is used, which includes both security queries and code quality queries 50 | - echo $GITHUB_TOKEN | ./codeql-runner-linux init --repository org/repo --github-url https://github.com --queries security-extended --github-auth-stdin 51 | 52 | # STEP 3: Set BUILD step environment variables (only required for compiled languages) 53 | # Set the generated environment variables so they are available for subsequent commands 54 | # This script created as part of the ./codeql-runner-linux init step and referenced in init logs 55 | - . 
${TRAVIS_BUILD_DIR}/codeql-runner/codeql-env.sh # REMOVE this step if you are not scanning any compiled languages (ex. Java) and only scanning scripting languages (ex. JavaScript) 56 | 57 | # STEP 4: Build codebase (only required for compiled languages) 58 | # Example 1: Use the AutoBuilder 59 | # The CodeQL Runner comes with a sophisticated AutoBuilder, which attempts to build the code based on files in the repository 60 | # Full documentation for autobuild step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#autobuild 61 | - ./codeql-runner-linux autobuild --language java # REMOVE this step if you are not scanning any compiled languages (ex. Java) and only scanning scripting languages (ex. JavaScript) 62 | # Example 2: Providing a manual build command 63 | # Alternatively, we can run the build command to compile the code. In this example, we have a simple maven project with a pom.xml in the root of the repository, and a settings file in a subdirectory 64 | # For Code Scanning purposes, we only need to compile the code. As such, we disable executing our test suite. 
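This can be changed according to your needs 65 | # command: 'mvn clean install -DskipTests=true -s settings/settings.xml' 66 | 67 | # STEP 5: Analyze CodeQL database and send results to GitHub 68 | # Analyze the snapshot database created as part of the build, by running the selected queries against it 69 | # Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 70 | # Full documentation for analyze step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#analyze 71 | # Once the analysis is done, the results will be uploaded to GitHub 72 | # Specifying the --ram attribute puts a ceiling on memory resources used by CodeQL runner, use this if you experience errors where CodeQL runner runs out of memory resources 73 | - echo $GITHUB_TOKEN | ./codeql-runner-linux analyze --repository org/repo --github-url https://github.com --commit $TRAVIS_COMMIT --ref refs/heads/main --github-auth-stdin 74 | -------------------------------------------------------------------------------- /harness/codeql-scan.yaml: --------------------------------------------------------------------------------
# This sample codeql-scan.yaml shows how to configure a Harness workflow to analyze a repository using the CodeQL CLI
# The example assumes a simple Python application (dependencies installed with pip into a virtualenv) built on Linux
#
# Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
# stored as a Secret-type pipeline variable GITHUB_TOKEN. The token only needs the security_events scope.
# Currently this workflow runs on pull request, you will need to setup triggers for workflow to run on certain branches, PR, scheduled, etc.
#
# GitHub Docs "Running CodeQL CLI in your CI System" - https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-cli-in-your-ci-system
#
# Notes on this revision of the sample:
# - Each Run step starts a fresh shell, so a PATH export made in one step is not visible to the next.
#   The bundle is therefore extracted into the workspace and invoked as ./codeql/codeql from every later step.
# - A Run step's "command" is handed to the selected shell directly; the Jenkins-style sh "..." wrapper is not needed
#   and would make the shell look for a script literally named "wget https://...".
# - The database path, query suite and SARIF file name are now the same across the create, analyze and upload steps
#   (previously "db" was created for python, "/codeql-dbs/repo-db" was analyzed with the JavaScript suite into
#   results-js.sarif, and results-py.sarif was uploaded).
# - The upload step previously requested --github-auth-stdin but nothing was written to stdin; the token is now
#   piped in from the pipeline variable, and the repository/ref/commit come from the build rather than fixed values.

pipeline:
  # Harness identifiers may only contain letters, digits and underscores; spaces belong in "name", not "identifier".
  identifier: Example_CodeQL_Scan_in_Harness
  name: Scan
  orgIdentifier: default
  projectIdentifier: default_project
  properties:
    ci:
      codebase:
        build: <+input>
        connectorRef: YOUR ORG
        repoName: YOUR REPO
  stages:
    - stage:
        identifier: Scan
        name: CodeQL
        spec:
          caching:
            enabled: true
            paths: []
          cloneCodebase: true
          execution:
            steps:
              - step:
                  identifier: setupvirtualenvironment
                  name: setup virtual environment
                  spec:
                    command: |-
                      python3 -m venv .venv
                      . .venv/bin/activate
                      python3 -m pip install -r requirements.txt
                      python3 -m pip install -e .
                    timeout: ""
                  type: Run
              - step:
                  # OPTIONAL: Download CodeQL CLI Bundle
                  # The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline,
                  # or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace ./codeql/codeql in subsequent steps with the absolute path to the download location.
                  # In this example, we download the CLI bundle as part of the pipeline from https://github.com/github/codeql-action/releases.
                  # Pin the release tag instead of "latest" and verify the archive against the digest published for that release, so a tampered or
                  # unexpected bundle cannot be extracted and run with access to the repository checkout and the upload token.
                  # Replace <CODEQL_BUNDLE_TAG> and <EXPECTED_SHA256> with the values for the release you pin.
                  type: Run
                  name: Download CodeQL Bundle
                  identifier: Download_CodeQL_Bundle
                  spec:
                    shell: Sh
                    command: |-
                      set -eu
                      wget "https://github.com/github/codeql-action/releases/download/<CODEQL_BUNDLE_TAG>/codeql-bundle-linux64.tar.gz" -O codeql-bundle-linux64.tar.gz
                      # Fail the step if the archive does not match the digest recorded out-of-band for the pinned release.
                      echo "<EXPECTED_SHA256>  codeql-bundle-linux64.tar.gz" | sha256sum -c -
                      tar xzf codeql-bundle-linux64.tar.gz -C .
                      rm codeql-bundle-linux64.tar.gz
                      # Sanity-check the extracted CLI from this step's shell; later steps call it by the same relative path.
                      ./codeql/codeql version
              - step:
                  # Create CodeQL Database
                  # Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products.
                  # Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used.
                  # Full documentation for database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/
                  type: Run
                  name: Create Database
                  identifier: Create_Database
                  spec:
                    shell: Sh
                    # "codeql-db" is the database path the Analyze step reads below.
                    command: ./codeql/codeql database create codeql-db --language=python --source-root=.
              - step:
                  # Analyze CodeQL Database
                  # Analyze a CodeQL database, producing meaningful results in the context of the source code.
                  # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format.
                  # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality
                  # The suite must match the language the database was created for (python here).
                  # Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/
                  type: Run
                  name: Analyze Database
                  identifier: Analyze_Database
                  spec:
                    shell: Sh
                    command: |-
                      set -eu
                      mkdir -p ./temp
                      ./codeql/codeql database analyze codeql-db python-security-and-quality.qls --format=sarif-latest --output=./temp/results-py.sarif
              - step:
                  # Upload results to GitHub
                  # Uploads a SARIF file to GitHub code scanning.
                  # For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data
                  # A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set.
                  # This token must have the security_events scope.
                  # Documentation for creating GitHub Apps or Personal Access Tokens are available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
                  # Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/
                  # REF command: '/path/to/cli/codeql github upload-results --repository= --ref= --commit= --sarif= [--github-auth-stdin] [--checkout-path=] [--github-url=] ...'
                  # Replace YOUR_ORG/YOUR_REPO with the repository selected in properties.ci.codebase above.
                  # NOTE(review): for pull-request triggered runs GitHub expects the PR merge ref rather than refs/heads/<branch>; confirm against the upload-results documentation for your trigger type.
                  type: Run
                  name: Upload CodeQL Results
                  identifier: Upload_CodeQL_Results
                  spec:
                    shell: Sh
                    envVariables:
                      # GITHUB_TOKEN must be declared as a Secret-type pipeline variable so Harness masks it in step logs.
                      GITHUB_TOKEN: <+pipeline.variables.GITHUB_TOKEN>
                    command: |-
                      set -eu
                      # The token travels over stdin only; it never appears on a command line or in the SARIF.
                      printenv GITHUB_TOKEN | ./codeql/codeql github upload-results --sarif=./temp/results-py.sarif --github-auth-stdin --github-url=https://github.com/ --repository=YOUR_ORG/YOUR_REPO --ref=refs/heads/<+codebase.branch> --commit=<+codebase.commitSha>
          platform:
            os: Linux
            arch: Amd64
          runtime:
            type: Cloud
            spec: {}
        type: CI
        description: ""
--------------------------------------------------------------------------------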