├── CODEOWNERS ├── PRIVACY.md ├── DroneCI ├── README.md └── CodeQL-Docker.yml ├── SUPPORT.md ├── CHANGELOG.md ├── CircleCI ├── README.md ├── CircleCI-template-linux.yml └── CircleCI-template-windows.yml ├── CONTRIBUTING.md ├── Tekton ├── example-pipelinerun.yml ├── example-pipeline.yml └── codeql-task.yml ├── LICENSE ├── SECURITY.md ├── AWS CodeBuild └── buildspec_codeql.yml ├── Jenkins ├── ReadMes │ └── Jenkinsfile-template-linux-multibranch.md ├── Jenkinsfile-template-linux ├── Jenkinsfile-template-windows ├── Jenkinsfile-template-linux-multibranch ├── Jenkinsfile-template-windows-with-indirect-build-tracing └── Jenkinsfile-template-linux-with-indirect-build-tracing ├── CODE_OF_CONDUCT.md ├── README.md ├── TravisCI ├── TravisCI-template-windows.yml └── TravisCI-template-linux.yml ├── Azure Pipelines ├── Azure-Pipelines-template-windows.yml ├── Azure-Pipelines-template-linux.yml ├── Azure-Pipelines-template-linux-with-indirect-build-tracing.yml ├── README.md ├── Azure-Pipelines-template-windows-with-indirect-build-tracing.yml └── codeql-steps-template.yml ├── _deprecated ├── Jenkinsfile-template-with-codeql-runner ├── TravisCI-template-with-codeql-runner.yml ├── Azure-Pipelines-template-with-codeql-runner.yml └── CircleCI-template-with-codeql-runner.yml └── harness └── codeql-scan.yaml /CODEOWNERS: -------------------------------------------------------------------------------- 1 | # This project is maintained by: 2 | * @kllund 3 | * @geekmasher 4 | * @leftrightleft 5 | * @aegilops 6 | -------------------------------------------------------------------------------- /PRIVACY.md: -------------------------------------------------------------------------------- 1 | # Privacy Policy 2 | 3 | These pipelines upload to GitHub Code Scanning, hosted on `github.com`. 4 | 5 | Please see the [GitHub Privacy Statement](https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement) for GitHub's overall GitHub privacy policy. 
6 | -------------------------------------------------------------------------------- /DroneCI/README.md: -------------------------------------------------------------------------------- 1 | # Drone CI 2 | 3 | To run CodeQL under Drone you need a Docker image that contains the CodeQL Bundle together with every build tool your project needs (dotnet, java, python, etc.), because the analysis step runs entirely inside that container. 4 | 5 | ## Requirements 6 | 7 | - [CodeQL Bundle](https://github.com/github/codeql-action/releases) 8 | - [GitHub PAT to push results back to GitHub Advanced Security](https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#uploading-results-to-github) 9 | -------------------------------------------------------------------------------- /SUPPORT.md: -------------------------------------------------------------------------------- 1 | # Support 2 | 3 | ## How to file issues and get help 4 | 5 | This project uses GitHub issues to track bugs and feature requests. Please search the existing issues before filing new issues to avoid duplicates. For new issues, file your bug or feature request as a new issue. 6 | 7 | For help or questions about using this project, please open a discussion. 8 | 9 | This repository is maintained by GitHub Field Security Specialist staff. We will do our best to respond to support, feature requests, and community questions in a timely manner. 10 | 11 | ## GitHub Support Policy 12 | 13 | Support for this project is limited to the resources listed above. 14 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # CHANGELOG 2 | 3 | ## 1.0.0 - 2023-04-19 4 | 5 | * Added supporting documentation 6 | 7 | ## Legacy 8 | 9 | The CodeQL Runner has been deprecated as of version 2.6.2 of the CodeQL CLI.
All functionality is now natively available in the CodeQL CLI. 10 | 11 | Please use the CodeQL CLI Bundle instead of the CodeQL Runner. To migrate, follow the [Migrating from the CodeQL Runner to the CodeQL CLI Bundle](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/migrating-from-the-codeql-runner-to-codeql-cli) guide. 12 | 13 | The legacy template files for the CodeQL Runner can be found in the `_deprecated` folder. 14 | -------------------------------------------------------------------------------- /CircleCI/README.md: -------------------------------------------------------------------------------- 1 | # CircleCI 2 | 3 | ## Tips, Tricks, and Cautions 4 | 5 | Here are a few tips and tricks for CircleCI, along with some things to be aware of. 6 | 7 | ### Error 137 8 | 9 | In CircleCI you might hit a job failure reported as "Error 137" (exit code 137, i.e. the process was killed with SIGKILL). 10 | This happens when the job uses more memory than its resource class allows: CircleCI kills the offending process automatically, and CodeQL's query evaluator is a common trigger. 11 | 12 | To prevent this, cap the memory CodeQL uses with the `--ram` argument (the value is in megabytes): 13 | 14 | ```bash 15 | codeql database analyze <database> <query-suite> \ 16 | --format=sarif-latest --output=results.sarif \ 17 | --ram 7000 18 | ``` 19 | 20 | CodeQL's JVM and helper processes use memory on top of the value set (and other processes may be running in the container), so leave headroom: pick a `--ram` value well below the resource class limit rather than equal to it. 21 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | ## Security 4 | 5 | For security issues, see [SECURITY](SECURITY.md). 6 | 7 | ## Bugs and issues 8 | 9 | Please raise non-security bugs and suggestions in the Issues on the GitHub-hosted repository. 10 | 11 | ## Developing 12 | 13 | Please test changes to pipeline files before submitting.
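As an added example for the CircleCI "Error 137" note above (not code from this repository), the following POSIX shell script derives the `--ram` budget from the memory limit the container's cgroup actually enforces, leaving headroom for CodeQL's JVM and other processes instead of hard-coding a number. The cgroup file paths are the kernel's own (`memory.max` for cgroup v2, `memory/memory.limit_in_bytes` for v1); the headroom and default figures are assumptions to tune for your resource class.

```shell
#!/bin/sh
# Added example for the CircleCI "Error 137" note; not code from this
# repository. Picks a --ram budget for `codeql database analyze` from the
# memory limit the container's cgroup enforces, minus headroom for the JVM and
# other processes, instead of a hard-coded number. The cgroup file paths are
# the kernel's own; the headroom and default figures are assumptions to tune
# for your resource class.
set -eu

# Enforced memory limit in bytes, or nothing when no limit is known
# (cgroup files unreadable, cgroup v2 "max", or the cgroup v1 "unlimited" sentinel).
cgroup_limit_bytes() {
  f=/sys/fs/cgroup/memory.max                                    # cgroup v2
  [ -r "$f" ] || f=/sys/fs/cgroup/memory/memory.limit_in_bytes   # cgroup v1
  [ -r "$f" ] || return 0
  v=$(cat "$f" 2>/dev/null || true)
  case "$v" in
    ""|max|*[!0-9]*) return 0 ;;
  esac
  # cgroup v1 reports a ~2^63 sentinel when unlimited; anything that large is not a real cap
  if [ "${#v}" -lt 17 ]; then printf '%s\n' "$v"; fi
}

# codeql_ram_mb <limit_bytes|""> <headroom_mb> [default_mb]
# Megabytes to pass as --ram: limit minus headroom, floored at 1024, or the
# default when the limit is unknown.
codeql_ram_mb() {
  limit=$1; headroom=${2:-1024}; default=${3:-4096}
  if [ -z "$limit" ]; then
    printf '%s\n' "$default"
    return 0
  fi
  mb=$(( $limit / 1048576 - $headroom ))
  if [ "$mb" -lt 1024 ]; then mb=1024; fi
  printf '%s\n' "$mb"
}

# analyze <db-dir> <query-suite> <sarif-out> [headroom_mb]
# Runs the analysis with the computed budget. CircleCI SIGKILLs the container
# (exit 137) when the cgroup limit is exceeded, so --ram must stay below it.
analyze() {
  ram=$(codeql_ram_mb "$(cgroup_limit_bytes)" "${4:-1024}")
  echo "codeql analyze: --ram=${ram} MB" >&2
  codeql database analyze "$1" "$2" \
    --format=sarif-latest --output="$3" --ram="$ram"
}

# CircleCI step usage: ./codeql-analyze.sh codeql-db javascript-code-scanning.qls results.sarif
if [ "$#" -ge 3 ]; then analyze "$@"; fi
```

Call `analyze <db> <suite> <out.sarif> [headroom_mb]` from the CircleCI step instead of hard-coding `--ram`; when the cgroup reports no limit the default budget is used, and the computed value is printed to the job log so a later exit 137 can be correlated with the budget that was actually in force.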
14 | 15 | ## Submitting changes 16 | 17 | Please fork the repository, and raise a Pull Request (PR) for review. Please sign your commits. 18 | 19 | Remember to update the [README](README.md) and [CHANGELOG](CHANGELOG.md). 20 | 21 | Your changes must be acceptable under the [LICENSE](LICENSE.md) of the project. 22 | 23 | ## Code of conduct 24 | 25 | Follow the [Code of Conduct](CODE_OF_CONDUCT.md). 26 | -------------------------------------------------------------------------------- /Tekton/example-pipelinerun.yml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1beta1 2 | kind: PipelineRun 3 | metadata: 4 | generateName: webgoat-clone-and-codeql-analyse-run- 5 | spec: 6 | pipelineRef: 7 | name: webgoat-clone-and-codeql-analyse 8 | podTemplate: 9 | securityContext: 10 | fsGroup: 65532 11 | taskRunSpecs: 12 | - pipelineTaskName: codeql 13 | stepOverrides: 14 | - name: init-build-analyse 15 | resources: 16 | limits: 17 | memory: 4Gi 18 | requests: 19 | memory: 4Gi 20 | workspaces: 21 | - name: shared-data 22 | volumeClaimTemplate: 23 | spec: 24 | accessModes: 25 | - ReadWriteOnce 26 | resources: 27 | requests: 28 | storage: 1Gi 29 | params: 30 | - name: codeql-init-extra-args 31 | value: --ram=3500 32 | - name: codeql-analyze-extra-args 33 | value: --ram=3500 -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright GitHub 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the 
following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security 2 | 3 | Thanks for helping make GitHub safe for everyone. 4 | 5 | GitHub takes the security of our software products and services seriously, including all of the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub). 6 | 7 | Even though [open source repositories are outside of the scope of our bug bounty program](https://bounty.github.com/index.html#scope) and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation. 8 | 9 | ## Reporting Security Issues 10 | 11 | If you believe you have found a security vulnerability in any GitHub-owned repository, please report it to us through coordinated disclosure. 12 | 13 | **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** 14 | 15 | Instead, please send an email to opensource-security[@]github.com. 
16 | 17 | Please include as much of the information listed below as you can to help us better understand and resolve the issue: 18 | 19 | * The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting) 20 | * Full paths of source file(s) related to the manifestation of the issue 21 | * The location of the affected source code (tag/branch/commit or direct URL) 22 | * Any special configuration required to reproduce the issue 23 | * Step-by-step instructions to reproduce the issue 24 | * Proof-of-concept or exploit code (if possible) 25 | * Impact of the issue, including how an attacker might exploit the issue 26 | 27 | This information will help us triage your report more quickly. 28 | 29 | ## Policy 30 | 31 | See [GitHub's Safe Harbor Policy](https://docs.github.com/en/github/site-policy/github-bug-bounty-program-legal-safe-harbor#1-safe-harbor-terms) 32 | -------------------------------------------------------------------------------- /AWS CodeBuild/buildspec_codeql.yml: -------------------------------------------------------------------------------- 1 | 2 | version: 0.2 3 | env: 4 | git-credential-helper: yes 5 | exported-variables: 6 | - PROJECT_NAME 7 | - PROJECT_ROOT_DIRECTORY 8 | - GITHUB_ORG 9 | - GIT_REPO_NAME 10 | - CODEQLDB 11 | - CODEQL_LANG 12 | - UPLOAD_TOKEN 13 | - COMMIT_ID 14 | phases: 15 | install: 16 | commands: 17 | - echo "Entered the CodeQL CLI install phase..." 18 | - echo "Installing the CodeQL CLI" 19 | - (cd /opt; wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz && tar -xvzf ./codeql-bundle-linux64.tar.gz) 20 | - export PATH=/opt/codeql:$PATH 21 | - echo "testing codeql cli installation by codeql resolve qlpacks" 22 | - codeql resolve qlpacks 23 | pre_build: 24 | commands: 25 | - echo "Entered the pre_build phase..." 26 | - echo "Create codeql database sub directory" 27 | - mkdir -p /${CODEQLDB}/${GIT_REPO_NAME} 28 | - echo "create codeql database..." 
29 | # Omit --command to let the AutoBuilder build compiled languages, or add --command="<your build command>" for a custom build; interpreted languages need neither. 30 | - codeql database create /${CODEQLDB}/${GIT_REPO_NAME} --language=${CODEQL_LANG} --source-root $CODEBUILD_SRC_DIR 31 | build: 32 | on-failure: ABORT 33 | commands: 34 | - echo "Entered the Build phase..." 35 | - echo Build started on `date` 36 | 37 | - echo `pwd` 38 | - ls -lart 39 | 40 | # Running CodeQL analysis; with no query suite given, the CLI runs the default code-scanning suite for the database's language 41 | - echo "Running CodeQL Analysis" 42 | - codeql database analyze /${CODEQLDB}/${GIT_REPO_NAME} --sarif-category=${CODEQL_LANG} --format=sarifv2.1.0 --output=/tmp/${GIT_REPO_NAME}.sarif --verbose 43 | - sleep 60 44 | - echo "Uploading CodeQL Sarif File to GitHub" 45 | # The token is piped on stdin (--github-auth-stdin) rather than passed as an argument, so it never appears in the build log or process list. 46 | # --ref is hard-coded to main here; for other branches pass the ref actually being built (for webhook builds CodeBuild exposes it as CODEBUILD_WEBHOOK_HEAD_REF). 47 | - printf '%s' "${UPLOAD_TOKEN}" | codeql github upload-results --repository=${GITHUB_ORG}/${GIT_REPO_NAME} --ref=refs/heads/main --commit=${COMMIT_ID} --sarif=/tmp/${GIT_REPO_NAME}.sarif --github-url=https://github.com --github-auth-stdin 48 | artifacts: 49 | files: 50 | - '**/*' 51 | -------------------------------------------------------------------------------- /DroneCI/CodeQL-Docker.yml: -------------------------------------------------------------------------------- 1 | name: CodeQL 2 | kind: pipeline 3 | type: docker 4 | 5 | steps: 6 | - name: analysis 7 | # This container is maintained by @GeekMasher (GitHub staff). 8 | # It is recommended to fork this image and maintain an internal version of it, 9 | # pinned to a digest rather than the mutable `main` tag. 10 | image: ghcr.io/geekmasher/codeql-docker:main 11 | # CodeQL needs to write its database to disk and this is an easy way to support 12 | # that.
13 | user: root 14 | environment: 15 | # Repository org/name 16 | GITHUB_REPOSITORY: octodemo/advanced-security-python 17 | # Set the language that CodeQL will Analyse 18 | CODEQL_LANGUAGE: python 19 | # You will need an access token to push the SARIF file into GitHub 20 | GITHUB_TOKEN: 21 | from_secret: GITHUB_TOKEN 22 | 23 | commands: 24 | # Test CodeQL is present in the container and what version is running 25 | - codeql --version 26 | 27 | # Initialize and Create the CodeQL Database 28 | # This will try to use the autobuilder for compiled languages, or create the database for interpreted languages 29 | - codeql database create --language="$CODEQL_LANGUAGE" .codeql-database 30 | 31 | # To supply a manual build command, you can comment the line above out and instead use the following command, 32 | # replacing "make" with your build command. 33 | # codeql database create --language="$CODEQL_LANGUAGE" .codeql-database --command="make" 34 | 35 | # Analyse the code inside the database and generate the SARIF output. 36 | - codeql database analyze 37 | --format="sarif-latest" 38 | --output=".codeql-results.sarif" 39 | .codeql-database $CODEQL_LANGUAGE-code-scanning.qls 40 | 41 | # Uploading the results to GitHub. 42 | - codeql github upload-results 43 | -r "$GITHUB_REPOSITORY" 44 | -g "https://github.com" 45 | -f "refs/heads/$(git rev-parse --abbrev-ref HEAD)" 46 | -c "$(git rev-parse HEAD)" 47 | -s ".codeql-results.sarif" 48 | -------------------------------------------------------------------------------- /Tekton/example-pipeline.yml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1beta1 2 | kind: Pipeline 3 | metadata: 4 | name: webgoat-clone-and-codeql-analyse 5 | spec: 6 | description: | 7 | This pipeline clones a git repo, then analyses it with CodeQL. 8 | params: 9 | - name: build-image 10 | type: string 11 | description: The image to use for building the project. 
12 | default: eclipse-temurin:17-jdk 13 | - name: ref 14 | type: string 15 | description: The git ref to check out. 16 | default: "refs/heads/main" 17 | - name: codeql-language 18 | type: string 19 | description: The language to analyse. 20 | default: java 21 | - name: codeql-build-command 22 | type: string 23 | description: The command to build the project. 24 | default: ./mvnw clean package -f "pom.xml" -B -V -e -ntp -DskipTests -Dspotless.check.skip=true 25 | - name: codeql-query-suite 26 | type: string 27 | description: The query suite to use. 28 | default: java-code-scanning 29 | - name: codeql-init-extra-args 30 | type: string 31 | description: Extra arguments to pass to the CodeQL CLI init command. 32 | default: "" 33 | - name: codeql-analyze-extra-args 34 | type: string 35 | description: Extra arguments to pass to the CodeQL CLI analyze command. 36 | default: "" 37 | - name: codeql-upload-extra-args 38 | type: string 39 | description: Extra arguments to pass to the CodeQL CLI upload command. 40 | default: "" 41 | workspaces: 42 | - name: shared-data 43 | description: This workspace contains the cloned repo files, so they can be read by the next task. 
44 | tasks: 45 | - name: git-clone 46 | taskRef: 47 | name: git-clone 48 | workspaces: 49 | - name: output 50 | workspace: shared-data 51 | params: 52 | - name: url 53 | value: https://github.com/ctcampbellcom/webgoat-in-a-folder 54 | - name: revision 55 | value: $(params.ref) 56 | - name: codeql 57 | runAfter: 58 | - git-clone 59 | taskRef: 60 | name: codeql 61 | workspaces: 62 | - name: source 63 | workspace: shared-data 64 | params: 65 | - name: build-image 66 | value: $(params.build-image) 67 | - name: repo 68 | value: ctcampbellcom/webgoat-in-a-folder 69 | - name: ref 70 | value: $(params.ref) 71 | - name: commit-sha 72 | value: $(tasks.git-clone.results.commit) 73 | - name: source-path-dir 74 | value: webgoat 75 | - name: codeql-language 76 | value: $(params.codeql-language) 77 | - name: codeql-build-command 78 | value: $(params.codeql-build-command) 79 | - name: codeql-query-suite 80 | value: $(params.codeql-query-suite) 81 | - name: codeql-init-extra-args 82 | value: $(params.codeql-init-extra-args) 83 | - name: codeql-analyze-extra-args 84 | value: $(params.codeql-analyze-extra-args) 85 | - name: codeql-upload-extra-args 86 | value: $(params.codeql-upload-extra-args) 87 | -------------------------------------------------------------------------------- /Jenkins/ReadMes/Jenkinsfile-template-linux-multibranch.md: -------------------------------------------------------------------------------- 1 | # Jenkins Pipeline for Security Analysis 2 | 3 | This Jenkins pipeline script is designed to perform security analysis on a Java project using CodeQL and submit a dependency snapshot. The script is written in Groovy and is designed to be used with Jenkins' Pipeline plugin. 4 | 5 | ## Functions 6 | 7 | The script defines several helper functions: 8 | 9 | - `isPRBuild()`: Checks if the current build is for a pull request. 10 | - `getPRNumber()`: Extracts the pull request number from the branch name. 
11 | - `getPRRef()`: Returns the Git reference for the pull request or branch being built. 12 | 13 | ## Environment Variables 14 | 15 | The script sets several environment variables: 16 | 17 | - `GITHUB_CREDS`: The Jenkins Credentials ID for your GitHub PAT credential. 18 | - `DEFAULT_BRANCH`: The default branch name of the repository. 19 | - `GITHUB_PR_REF_TYPE`: The type of ref that will be checked out for a job initiated by a GitHub PR. 20 | - `GITHUB_REPO`: The name of the GitHub repository to run the analysis on. 21 | - `CODEQL_LANGUAGE`: The programming language of the project. 22 | - `CODEQL_BUILD_COMMAND`: The command to build the project. 23 | - `CODEQL_QUERY_SUITE`: The CodeQL query suite to use for the analysis. 24 | - `DEPENDENCY_SUBMISSION_EXECUTABLES_URL`: The URL to download the Dependency Submission Action executable archive. 25 | - `DEPENDENCY_SUBMISSION_EXECUTABLE`: The Dependency Submission Action executable. 26 | - `PR_REF`: The Git reference for the pull request or branch being built. 27 | 28 | ## Stages 29 | 30 | The pipeline consists of a single stage, "Run security analysis", which contains two parallel stages: 31 | 32 | - "Run CodeQL analysis": This stage creates a CodeQL database for the project, analyzes the database, and uploads the results to GitHub. 33 | - "Submit dependency snapshot": This stage downloads the Dependency Submission Action executable, makes it executable, and runs it to submit a dependency snapshot. 34 | 35 | ## When to Run 36 | 37 | The stages are configured to run under certain conditions: 38 | 39 | - The "Run CodeQL analysis" stage runs if the current branch is the default branch or if the change was not made by Dependabot. 40 | - The "Submit dependency snapshot" stage runs if the current branch is the default branch or if there is a change ID. 41 | 42 | ## Steps 43 | 44 | Each stage consists of several steps, which are shell commands to be executed in the Jenkins environment. 
These commands perform the actual work of the stage, such as running the CodeQL analysis or submitting the dependency snapshot. 45 | 46 | ### Mermaid Diagram 47 | 48 | ```mermaid 49 | graph TD 50 | A[Start] 51 | B{isPRBuild} 52 | C[getPRNumber] 53 | D[getPRRef] 54 | E[Environment Setup] 55 | F{Run security analysis} 56 | G{Run CodeQL analysis} 57 | H{Submit dependency snapshot} 58 | I[End] 59 | A --> B 60 | B --> C 61 | C --> D 62 | D --> E 63 | E --> F 64 | F --> G 65 | F --> H 66 | G --> I 67 | H --> I 68 | ``` 69 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, gender identity and expression, level of experience, 9 | nationality, personal appearance, race, religion, or sexual identity and 10 | orientation. 
11 | 12 | ## Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | * Using welcoming and inclusive language 18 | * Being respectful of differing viewpoints and experiences 19 | * Gracefully accepting constructive criticism 20 | * Focusing on what is best for the community 21 | * Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | * The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | * Trolling, insulting/derogatory comments, and personal or political attacks 28 | * Public or private harassment 29 | * Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | * Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ## Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the standards of acceptable 37 | behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 39 | 40 | Project maintainers have the right and responsibility to remove, edit, or 41 | reject comments, commits, code, wiki edits, issues, and other contributions 42 | that are not aligned to this Code of Conduct, or to ban temporarily or 43 | permanently any contributor for other behaviors that they deem inappropriate, 44 | threatening, offensive, or harmful. 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. 
Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | ## Enforcement 56 | 57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 58 | reported by contacting the project team at opensource@github.com. All 59 | complaints will be reviewed and investigated and will result in a response that 60 | is deemed necessary and appropriate to the circumstances. The project team is 61 | obligated to maintain confidentiality with regard to the reporter of an incident. 62 | Further details of specific enforcement policies may be posted separately. 63 | 64 | Project maintainers who do not follow or enforce the Code of Conduct in good 65 | faith may face temporary or permanent repercussions as determined by other 66 | members of the project's leadership. 67 | 68 | ## Attribution 69 | 70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 71 | available at [http://contributor-covenant.org/version/1/4][version] 72 | 73 | [homepage]: http://contributor-covenant.org 74 | [version]: http://contributor-covenant.org/version/1/4/ 75 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Sample pipeline files for using CodeQL in popular CI/CD systems 2 | 3 | > ℹ️ This is an _unofficial_ project created by Field Security Services, and is not officially supported by GitHub. 4 | 5 | This repository shows how to integrate CodeQL into various CI/CD systems, using the CodeQL CLI Bundle for Automated Code Scanning, in example pipeline configuration files. 6 | 7 | These are supplementary to the GitHub.com docs on [setting up CodeQL code scanning in your CI system](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/about-codeql-code-scanning-in-your-ci-system). 
8 | 9 | The CI/CD systems covered here are Jenkins, Azure Pipelines, CircleCI, TravisCI, AWS CodeBuild and DroneCI, with additional examples for Tekton and Harness. 10 | 11 | GitHub Actions is natively supported by GitHub Advanced Security, so use the instructions in the [GitHub.com docs to set up CodeQL for your repository](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning). 12 | 13 | For Jenkins, Azure Pipelines, CircleCI and TravisCI a template is provided for both Windows and Linux; the other systems have a single example each. 14 | 15 | There are examples/guidance for: 16 | 17 | 1. automatic builds for compiled languages using the AutoBuilder (with no `--command` flag) 18 | 2. manual builds for compiled languages with a `--command` flag 19 | 3. analysis of interpreted languages (which don't need a build) 20 | 4. (for Azure and Jenkins) an advanced example using indirect build tracing ("sandwich mode") wrapped around manually specified build commands 21 | 22 | ## Requirements 23 | 24 | > ℹ️ You must be using GitHub Advanced Security to use these pipeline files. If you are not using GitHub Advanced Security, please see the [GitHub Advanced Security website](https://github.com/features/security) for more information. 25 | 26 | 1. A CI/CD pipeline using one of: 27 | * AWS CodeBuild 28 | * Azure Pipelines 29 | * CircleCI 30 | * DroneCI 31 | * Harness 32 | * Jenkins 33 | * Tekton 34 | * TravisCI 35 | 2. The [CodeQL Bundle](https://github.com/github/codeql-action/releases) installed in the CI/CD pipeline 36 | 3. A [GitHub PAT to push results back to GitHub Advanced Security](https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#uploading-results-to-github), with the `security_events` scope 37 | 38 | ## Usage 39 | 40 | 1.
[Download and install the CodeQL Bundle in your CI system](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system), testing that it works 41 | 2. Copy the relevant pipeline file from this repository into your repository 42 | 3. [Update the pipeline file with your required settings](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system) 43 | * read the [creating CodeQL database documentation for help](https://codeql.github.com/docs/codeql-cli/manual/database-create/) 44 | * the [full CodeQL CLI documentation](https://docs.github.com/en/enterprise-cloud@latest/code-security/codeql-cli/using-the-codeql-cli/about-the-codeql-cli) may also be useful 45 | 46 | ## License 47 | 48 | This project is licensed under the terms of the MIT open source license. Please refer to the [LICENSE](LICENSE) for the full terms. 49 | 50 | ## Maintainers 51 | 52 | See [CODEOWNERS](CODEOWNERS) for the list of maintainers. 53 | 54 | ## Support 55 | 56 | See the [SUPPORT](SUPPORT.md) file. 57 | 58 | ## Background 59 | 60 | See the [CHANGELOG](CHANGELOG.md), [CONTRIBUTING](CONTRIBUTING.md), [SECURITY](SECURITY.md), [SUPPORT](SUPPORT.md), [CODE OF CONDUCT](CODE_OF_CONDUCT.md) and [PRIVACY](PRIVACY.md) files for more information. 
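Every pipeline in this repository ends with `codeql github upload-results`, which needs a `--ref` and a `--commit`; some templates derive them with `git rev-parse --abbrev-ref HEAD`, which prints `HEAD` on the detached checkouts most CI systems use, so the results are filed under a ref that does not exist. As an added example (not code from this repository or from the CI vendors), the following POSIX shell script resolves both values from the variables that Jenkins multibranch, Drone and Travis set, validates them, and feeds the token on stdin. The variable names are assumptions taken from those systems' documentation; `GITHUB_PR_REF_TYPE` mirrors the variable in the Jenkins multibranch template.

```shell
#!/bin/sh
# Added example (not part of this repository): work out the --ref and --commit
# values for `codeql github upload-results` from the CI system's own variables.
# `git rev-parse --abbrev-ref HEAD` prints "HEAD" on the detached checkouts most
# CI systems use, and results uploaded to "refs/heads/HEAD" never show up on the
# branch or PR. Assumed inputs are the variables the CI systems document:
# Jenkins multibranch (CHANGE_ID, BRANCH_NAME, GIT_COMMIT), Drone
# (DRONE_PULL_REQUEST, DRONE_COMMIT_BRANCH, DRONE_COMMIT_SHA) and Travis
# (TRAVIS_PULL_REQUEST, TRAVIS_BRANCH, TRAVIS_COMMIT). GITHUB_PR_REF_TYPE
# ("merge" or "head") mirrors the variable in the Jenkins multibranch template.
set -eu

# Pull-request number when this is a PR build, otherwise nothing.
pr_number() {
  if [ -n "${CHANGE_ID:-}" ]; then
    printf '%s\n' "$CHANGE_ID"
  elif [ -n "${DRONE_PULL_REQUEST:-}" ]; then
    printf '%s\n' "$DRONE_PULL_REQUEST"
  elif [ -n "${TRAVIS_PULL_REQUEST:-}" ] && [ "$TRAVIS_PULL_REQUEST" != "false" ]; then
    printf '%s\n' "$TRAVIS_PULL_REQUEST"   # Travis sets the literal "false" on branch builds
  fi
}

# Branch name for a branch build, otherwise nothing.
branch_name() {
  printf '%s\n' "${BRANCH_NAME:-${DRONE_COMMIT_BRANCH:-${TRAVIS_BRANCH:-}}}"
}

# Full ref to report: refs/pull/<n>/<merge|head> for PRs, refs/heads/<branch>
# otherwise. Refuses to guess when the branch is unknown or "HEAD".
resolve_ref() {
  pr=$(pr_number)
  if [ -n "$pr" ]; then
    t=${GITHUB_PR_REF_TYPE:-merge}
    case "$t" in
      merge|head) printf 'refs/pull/%s/%s\n' "$pr" "$t"; return 0 ;;
      *) echo "GITHUB_PR_REF_TYPE must be 'merge' or 'head', got '$t'" >&2; return 1 ;;
    esac
  fi
  branch=$(branch_name)
  case "$branch" in
    ""|HEAD) echo "cannot determine the branch being built; set BRANCH_NAME, DRONE_COMMIT_BRANCH or TRAVIS_BRANCH" >&2; return 1 ;;
    refs/*)  printf '%s\n' "$branch" ;;
    *)       printf 'refs/heads/%s\n' "$branch" ;;
  esac
}

# 40-character hex commit SHA: CI-provided value first, git as a fallback.
resolve_commit() {
  sha=${GIT_COMMIT:-${DRONE_COMMIT_SHA:-${TRAVIS_COMMIT:-}}}
  [ -n "$sha" ] || sha=$(git rev-parse HEAD 2>/dev/null || true)
  case "$sha" in
    ""|*[!0-9a-f]*) echo "invalid commit SHA '$sha'" >&2; return 1 ;;
  esac
  if [ "${#sha}" -ne 40 ]; then
    echo "commit SHA must be 40 hex characters, got '$sha'" >&2
    return 1
  fi
  printf '%s\n' "$sha"
}

# upload_sarif <owner/repo> <sarif-file>: the token is fed on stdin via
# --github-auth-stdin so it never appears in `ps` output or the CI command echo.
upload_sarif() {
  ref=$(resolve_ref)
  sha=$(resolve_commit)
  printf '%s' "${GITHUB_TOKEN:?set GITHUB_TOKEN to a token with the security_events scope}" |
    codeql github upload-results \
      --repository="$1" --ref="$ref" --commit="$sha" --sarif="$2" \
      --github-url="${GITHUB_URL:-https://github.com}" --github-auth-stdin
}

# Run directly from a pipeline step: ./codeql-ci-upload.sh owner/repo results.sarif
if [ "$#" -eq 2 ]; then upload_sarif "$1" "$2"; fi
```

Failing loudly when the branch cannot be determined is deliberate: an upload that succeeds against the wrong ref is silently useless, whereas a failed step is visible in the job log.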
61 | -------------------------------------------------------------------------------- /TravisCI/TravisCI-template-windows.yml: -------------------------------------------------------------------------------- 1 | # This sample .travis.yml shows how to configure a TravisCI workflow to analyze a repository using the CodeQL CLI 2 | # The example assumes a simple javascript application built using node on Windows 3 | 4 | # Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token stored as pipeline variable GITHUB_TOKEN 5 | # Currently this workflow runs on commit, you will need to set up triggers for the workflow to run on certain branches, PRs, schedules, etc. 6 | 7 | # GitHub Docs "Running CodeQL CLI in your CI System" - https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-cli-in-your-ci-system 8 | 9 | language: node_js 10 | node_js: 11 | - "7" 12 | 13 | arch: amd64 14 | # Travis runs Windows jobs under Git Bash, so the commands below use bash syntax and forward-slash paths (a backslash in bash is an escape character, not a path separator). 15 | os: windows 16 | 17 | cache: npm 18 | 19 | branches: 20 | only: 21 | - main 22 | 23 | install: 24 | - npm i 25 | 26 | script: 27 | # STEP 1 (OPTIONAL): Download CodeQL CLI Bundle 28 | # The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline, 29 | # or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace /path/to/cli in subsequent stages with the absolute path to the download location. 30 | # In this example, we download the latest Windows CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases. 31 | - cd $HOME # Change to home directory to download the CLI: if you unpack the CodeQL CLI Bundle inside the source directory ($TRAVIS_BUILD_DIR) where the repo is cloned, CodeQL will analyze itself 32 | - curl -fsSL -o codeql-bundle-win64.tar.gz https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-win64.tar.gz 33 | - tar xzf codeql-bundle-win64.tar.gz 34 | 35 | # STEP 2: Create CodeQL Database 36 | # Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products. 37 | # Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used. 38 | # Full documentation for database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/ 39 | - mkdir codeql-dbs 40 | - ./codeql/codeql.exe database create ./codeql-dbs/repo-db --language=javascript --source-root=$TRAVIS_BUILD_DIR 41 | # REF command: '/path/to/cli/codeql database create --language= [--source-root=] [--threads=] [--command=] [--mode=] ... [--] ' 42 | 43 | # STEP 3: Analyze CodeQL Database 44 | # Analyze a CodeQL database, producing meaningful results in the context of the source code. 45 | # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format. 46 | # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality 47 | # Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/ 48 | - cd codeql && mkdir temp 49 | - ./codeql.exe database analyze ../codeql-dbs/repo-db javascript-code-scanning.qls --format=sarif-latest --output=./temp/results-js.sarif 50 | # REF command: '/path/to/cli/codeql database analyze --format= --output= [--threads=] [--ram=] ... [--] ...' 51 | 52 | # STEP 4: Upload Results to GitHub 53 | # Uploads a SARIF file to GitHub code scanning. 54 | # For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data 55 | # A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set. 56 | # This token must have the security_events scope. 57 | # Documentation for creating GitHub Apps or Personal Access Tokens is available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 58 | # Full documentation for github upload-re 59 | - echo "$GITHUB_TOKEN" | ./codeql.exe github upload-results --repository=org/repo --ref=refs/heads/main --commit=$TRAVIS_COMMIT --sarif=./temp/results-js.sarif --github-url=https://github.com/ --github-auth-stdin 60 | # REF command: '/path/to/cli/codeql github upload-results --repository= --ref= --commit= --sarif= [--github-auth-stdin] [--checkout-path=] [--github-url=] ...' -------------------------------------------------------------------------------- /TravisCI/TravisCI-template-linux.yml: -------------------------------------------------------------------------------- 1 | # This sample .travis.yml shows how to configure a TravisCI workflow to analyze a repository using the CodeQL CLI 2 | # The example assumes a simple javascript application built using node on Linux 3 | 4 | # Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token stored as pipeline variable GITHUB_TOKEN 5 | # Currently this workflow runs on commit, you will need to set up triggers for the workflow to run on certain branches, PRs, schedules, etc.

# GitHub Docs "Running CodeQL CLI in your CI System" - https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-cli-in-your-ci-system

language: node_js
node_js:
  - "7"

arch: amd64
os: linux
dist: focal

cache: npm

branches:
  only:
    - main

install:
  - npm i

script:
  # STEP 1 (OPTIONAL): Download CodeQL CLI Bundle
  # The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline,
  # or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace /path/to/cli in subsequent stages with the absolute path to the download location.
  # In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases.
  - cd $HOME # Change to the home directory to download the CLI, because if you unpack the CodeQL CLI Bundle inside the source directory ($TRAVIS_BUILD_DIR) where the repo is cloned, CodeQL will analyze itself
  - wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz
  - tar xzf codeql-bundle-linux64.tar.gz
  - cd codeql && chmod +x codeql && cd ..

  # STEP 2: Create CodeQL Database
  # Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products.
  # Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used.
  # Full documentation for database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/
  - mkdir codeql-dbs
  - ./codeql/codeql database create ./codeql-dbs/repo-db --language=javascript --source-root=$TRAVIS_BUILD_DIR
  # REF command: ''/path/to/cli/codeql database create --language= [--source-root=] [--threads=] [--command=] [--mode=] ... [--] ''

  # STEP 3: Analyze CodeQL Database
  # Analyze a CodeQL database, producing meaningful results in the context of the source code.
  # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format.
  # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality
  # Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/
  - cd codeql && mkdir temp
  - ./codeql database analyze ../codeql-dbs/repo-db javascript-code-scanning.qls --format=sarif-latest --output=./temp/results-js.sarif
  # REF command: '/path/to/cli/codeql database analyze --format= --output= [--threads=] [--ram=] ... [--] ...'

  # STEP 4: Upload Results to GitHub
  # Uploads a SARIF file to GitHub code scanning.
  # For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data
  # A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set.
  # This token must have the security_events scope.
  # Documentation for creating GitHub Apps or Personal Access Tokens is available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
  # Full documentation for github upload-re
  - echo $GITHUB_TOKEN | ./codeql github upload-results --repository=org/repo --ref=refs/heads/main --commit=$TRAVIS_COMMIT --sarif=./temp/results-js.sarif --github-url=https://github.com/ --github-auth-stdin
  # REF command: '/path/to/cli/codeql github upload-results --repository= --ref= --commit= --sarif= [--github-auth-stdin] [--checkout-path=] [--github-url=] ...'
--------------------------------------------------------------------------------
/Azure Pipelines/Azure-Pipelines-template-windows.yml:
--------------------------------------------------------------------------------
# This sample YAML file shows how to configure an Azure Pipeline to analyze a repository using the CodeQL CLI Bundle
# This example assumes a Windows environment

trigger:
  branches:
    include:
      - '*'
  paths:
    exclude:
      - test/*
      - doc/*
      - lib/*
    include:
      - src/*
resources:
  repositories:
    - repository: templates
      type: github
      name: octo-org/example-repo-2
      endpoint: octo-org

stages:
  - stage: __default
    jobs:
      - job: Job
        workspace:
          clean: all
        steps:

          # OPTIONAL: Download CodeQL CLI Bundle
          # The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline,
          # or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace \path\to\cli in subsequent stages with the absolute path to the download location.
          # In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases, extract it and place it on the PATH.
          - task: PowerShell@2
            displayName: Download CodeQL CLI Bundle
            inputs:
              targetType: inline
              # A literal block (|) keeps one PowerShell statement per line; a folded block (>) would join them into a single line.
              # Environment changes made inside a task do not persist, so the bundle directory is added to the PATH of all
              # subsequent tasks with the task.prependpath logging command rather than a cmd-style `set PATH=...`.
              script: |
                $ProgressPreference = 'SilentlyContinue'
                Invoke-WebRequest -Uri https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-win64.tar.gz -OutFile ..\codeql-bundle-win64.tar.gz
                tar xzvf ..\codeql-bundle-win64.tar.gz -C ..\
                Remove-Item ..\codeql-bundle-win64.tar.gz
                $codeqlDir = Resolve-Path ..\codeql
                Write-Host "##vso[task.prependpath]$codeqlDir"

          # Create CodeQL Database
          # Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products.
          # Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used. For complex build instructions, consider placing build commands inside a script
          # and pass that to --command, or use indirect build tracing (aka. "sandwich mode").
          # Full documentation for database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/
          - task: CmdLine@2
            displayName: Create CodeQL Database
            inputs:
              # Scripts are literal blocks rather than double-quoted YAML strings: inside double quotes, \c and \t are escape
              # sequences and the file fails to parse. The database is created next to the checkout (..\db) so that it does not
              # sit inside the source root being analyzed. --github-auth-stdin is only needed when database creation itself has to
              # authenticate to GitHub, so it is omitted here; $(Build.SourcesDirectory) is the pipeline's checkout location.
              script: |
                codeql database create --language=javascript --source-root=$(Build.SourcesDirectory) ..\db

          # Analyze CodeQL Database
          # Analyze a CodeQL database, producing meaningful results in the context of the source code.
          # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format.
          # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality
          # Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/
          - task: CmdLine@2
            displayName: Analyze CodeQL Database
            inputs:
              script: |
                mkdir temp
                codeql database analyze --format=sarif-latest --output=.\temp\results-js.sarif ..\db javascript-security-and-quality.qls

          # Upload results to GitHub
          # Uploads a SARIF file to GitHub code scanning.
          # For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data
          # A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set.
          # This token must have the security_events scope.
          # Documentation for creating GitHub Apps or Personal Access Tokens is available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
          # Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/
          - task: PowerShell@2
            displayName: Upload results to GitHub
            # Secret variables are not exposed to tasks automatically: the GITHUB_TOKEN pipeline variable (assumed to exist, as in the
            # TravisCI templates) is mapped into the task environment and piped to the CLI, so the token never appears on a command line.
            # $(Build.SourceBranch) and $(Build.SourceVersion) are the ref and commit of the checkout that was analyzed.
            env:
              GITHUB_TOKEN: $(GITHUB_TOKEN)
            inputs:
              targetType: inline
              script: |
                $env:GITHUB_TOKEN | codeql github upload-results --sarif=.\temp\results-js.sarif --github-auth-stdin --github-url=https://github.com/ --repository=octo-org/example-repo-2 --ref=$(Build.SourceBranch) --commit=$(Build.SourceVersion)

          # Other tasks go here

--------------------------------------------------------------------------------
/Tekton/codeql-task.yml:
--------------------------------------------------------------------------------
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: codeql
  annotations:
    tekton.dev/platforms: "linux/amd64"
spec:
  description: Analyse code with CodeQL
  params:
    - name: build-image
      type: string
      description: The image to use for building the project.
    - name: repo
      type: string
      description: The short name for the repository, e.g. ctcampbellcom/webgoat.
      default: ""
    - name: ref
      type: string
      description: The git ref of the checked out source.
      default: ""
    - name: commit-sha
      type: string
      description: The git commit SHA of the checked out source.
      default: ""
    - name: source-path-dir
      type: string
      description: The path to the source code directory relative to the checkout root.
      default: "."
    - name: codeql-download-url
      type: string
      description: The download URL for the CodeQL bundle.
      default: "https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz"
    - name: codeql-bin-path
      type: string
      description: The download location for the CodeQL binary folder.
      default: $(workspaces.source.path)/codeql-bin
    - name: codeql-language
      type: string
      description: The language to analyse.
    - name: codeql-build-command
      type: string
      description: The command to build the project.
      default: ""
    - name: codeql-query-suite
      type: string
      description: The query suite to use.
      default: $(params.codeql-language)-code-scanning
    - name: codeql-init-extra-args
      type: string
      description: Extra arguments to pass to the CodeQL CLI init command.
      default: ""
    - name: codeql-analyze-extra-args
      type: string
      description: Extra arguments to pass to the CodeQL CLI analyze command.
      default: ""
    - name: codeql-upload-extra-args
      type: string
      description: Extra arguments to pass to the CodeQL CLI upload command.
      default: ""
    - name: github-token-secret-name
      type: string
      description: Kubernetes secret name to use for uploading results.
      default: github-token
    - name: github-token-secret-key
      type: string
      description: Kubernetes secret key to use for uploading results.
      default: github-token
  workspaces:
    - name: source
  steps:
    - name: init-build-analyse
      image: $(params.build-image)
      env:
        - name: SOURCE_PATH
          value: $(workspaces.source.path)
        - name: SOURCE_PATH_DIR
          value: $(params.source-path-dir)
        - name: REPO
          value: $(params.repo)
        - name: REF
          value: $(params.ref)
        - name: COMMIT_SHA
          value: $(params.commit-sha)
        - name: CODEQL_DOWNLOAD_URL
          value: $(params.codeql-download-url)
        - name: CODEQL_PATH
          value: $(params.codeql-bin-path)
        - name: CODEQL_LANGUAGE
          value: $(params.codeql-language)
        - name: CODEQL_BUILD_COMMAND
          value: $(params.codeql-build-command)
        - name: CODEQL_INIT_EXTRA_ARGS
          value: $(params.codeql-init-extra-args)
        - name: CODEQL_ANALYZE_EXTRA_ARGS
          value: $(params.codeql-analyze-extra-args)
        - name: CODEQL_UPLOAD_EXTRA_ARGS
          value: $(params.codeql-upload-extra-args)
        - name: CODEQL_QUERY_SUITE
          value: $(params.codeql-query-suite)
        - name: CODEQL_EXTRACTOR_JAVA_RUN_ANNOTATION_PROCESSORS
          value: "true"
        # The token is read by the CLI from the GITHUB_TOKEN environment variable (the alternative to --github-auth-stdin),
        # so it is never part of a command line and is not printed by `set -x` below.
        - name: GITHUB_TOKEN
          valueFrom:
            secretKeyRef:
              name: $(params.github-token-secret-name)
              key: $(params.github-token-secret-key)
      script: |
        #!/usr/bin/env bash
        set -ex
        # Download the bundle into its own directory, outside the source tree, and strip the top-level "codeql/" folder
        rm -rf "$CODEQL_PATH" && mkdir "$CODEQL_PATH"
        wget -nv "$CODEQL_DOWNLOAD_URL" -O codeql-bundle.tar.gz
        tar -zxf codeql-bundle.tar.gz -C "$CODEQL_PATH" --strip-components=1
        rm codeql-bundle.tar.gz
        cd "$SOURCE_PATH"
        # --command is only passed when a build command was given; the inner quotes keep a command containing spaces as one argument.
        # The *_EXTRA_ARGS variables are deliberately unquoted so that they split into separate arguments.
        "$CODEQL_PATH/codeql" database create ./codeql-db \
          --language="$CODEQL_LANGUAGE" \
          --overwrite \
          --working-dir="$SOURCE_PATH_DIR" \
          ${CODEQL_BUILD_COMMAND:+--command="$CODEQL_BUILD_COMMAND"} \
          $CODEQL_INIT_EXTRA_ARGS
        "$CODEQL_PATH/codeql" database analyze ./codeql-db \
          --format=sarif-latest \
          --output=codeql-results.sarif \
          "$CODEQL_QUERY_SUITE" \
          $CODEQL_ANALYZE_EXTRA_ARGS
        # Commit, ref and repository are only passed when set; otherwise the CLI works them out from the checkout
        "$CODEQL_PATH/codeql" github upload-results \
          --sarif=codeql-results.sarif \
          ${COMMIT_SHA:+--commit="$COMMIT_SHA"} \
          ${REF:+--ref="$REF"} \
          ${REPO:+--repository="$REPO"} \
          $CODEQL_UPLOAD_EXTRA_ARGS
        rm -rf "$CODEQL_PATH"

--------------------------------------------------------------------------------
/_deprecated/Jenkinsfile-template-with-codeql-runner:
--------------------------------------------------------------------------------
██████╗ ███████╗██████╗ ██████╗ ███████╗ ██████╗ █████╗ ████████╗███████╗██████╗
██╔══██╗██╔════╝██╔══██╗██╔══██╗██╔════╝██╔════╝██╔══██╗╚══██╔══╝██╔════╝██╔══██╗
██║ ██║█████╗ ██████╔╝██████╔╝█████╗ ██║ ███████║ ██║ █████╗ ██║ ██║
██║ ██║██╔══╝ ██╔═══╝ ██╔══██╗██╔══╝ ██║ ██╔══██║ ██║ ██╔══╝ ██║ ██║
██████╔╝███████╗██║ ██║ ██║███████╗╚██████╗██║ ██║ ██║ ███████╗██████╔╝
╚═════╝ ╚══════╝╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═════╝╚═╝ ╚═╝ ╚═╝ ╚══════╝╚═════╝

The CodeQL Runner has been deprecated as of version 2.6.2 of the CodeQL CLI.
All functionality is now natively available in the CodeQL CLI.
Please use the CodeQL CLI Bundle instead of the CodeQL Runner.

#################################################################################

/*
This sample Jenkinsfile shows how to configure a Jenkins pipeline to analyze a repository using the CodeQL Runner
The example assumes a simple Java application built using Maven
*/

pipeline {

    agent { label 'run-codeql-analysis' }

    environment {
        ...
    }

    options {
        ...
    }

    stages {
        // Clone repository
        stage('Clone Repository') {
            steps {
                git url: 'https://github.com/octo-org/example-repo-2.git'
            }
        }

        // Initialize the CodeQL Runner
        // Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
        // Full documentation for init step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#init
        // In this example, the security-and-quality suite is used, which includes both security queries and code quality queries
        stage('CodeQL Initialization') {
            steps {
                sh '/path/to-runner/codeql-runner-linux init --repository octo-org/example-repo-2 --github-url https://github.com --github-auth TOKEN --queries security-and-quality'
            }
        }

        stage('Build and analyze code') {
            // A declarative stage may contain only one steps block, so the environment setup, build and analysis are grouped here
            steps {
                // Set the generated environment variables so they are available for subsequent commands
                // Note that we are sourcing the script using '. /path/to/script.sh'. This is DIFFERENT from executing the script using './path/to/script.sh'
                // Executing the script would do so in a new shell, and any variables set in that shell would not be available in subsequent calls in our current shell
                // By sourcing the script, all variables are set in our current shell, and will be available for the build commands that follow
                // Each sh step starts a fresh shell as well, so the sourcing and the build are kept together in a single sh step
                sh '''
                    . /srv/checkout/myrepository/codeql-runner/codeql-env.sh

                    # Building the code - Two examples

                    # Example 1: Use the AutoBuilder
                    # The CodeQL Runner comes with a sophisticated AutoBuilder, which attempts to build the code based on files in the repository
                    # Full documentation for autobuild step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#autobuild
                    /path/to-runner/codeql-runner-linux autobuild --language java

                    # Example 2: Providing manual build command (use instead of Example 1)
                    # Alternatively, we can run the build command to compile the code. In this example, we have a simple maven project with a pom.xml in the root of the repository, and a settings file in a subdirectory
                    # For Code Scanning purposes, we only need to compile the code. As such, we disable executing our test suite. This can be changed according to your needs
                    # mvn clean install -DskipTests=true -s settings/settings.xml
                '''

                // Analyze the snapshot database created as part of the build, by running the selected queries against it
                // Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
                // Full documentation for analyze step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#analyze
                // Once the analysis is done, the results will be uploaded to GitHub
                sh '/path/to-runner/codeql-runner-linux analyze --repository octo-org/example-repo-2 --github-url https://github.com --github-auth TOKEN --commit ae7b655ef30b50fb726ae7b3daa79571a39d194d --ref refs/heads/main'
            }
        }

        // Other stages go here

    }

}
--------------------------------------------------------------------------------
/Jenkins/Jenkinsfile-template-linux:
--------------------------------------------------------------------------------
/*
This sample Jenkinsfile shows how to configure a Jenkins pipeline to analyze a repository using the CodeQL CLI bundle
This example assumes a Linux environment
*/

pipeline {

    agent { label 'run-codeql-analysis' }

    environment {
        ...
    }

    options {
        ...
    }

    stages {
        // Clone repository
        stage('Clone Repository') {
            steps {
                git url: 'https://github.com/octo-org/example-repo-2.git'
            }
        }

        // OPTIONAL: Download CodeQL CLI Bundle
        // The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline,
        // or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace /path/to/cli in subsequent stages with the absolute path to the download location.
        // In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases.
        // The bundle is unpacked next to the workspace (../codeql). Every sh step runs in a fresh shell, so an `export PATH=...` here would
        // not survive into later steps; the stages below therefore call the CLI by path (../codeql/codeql) instead.
        stage('Download CodeQL CLI Bundle') {
            steps {
                sh 'wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz -O ../codeql-bundle-linux64.tar.gz'
                sh 'tar xzvf ../codeql-bundle-linux64.tar.gz -C ../'
                sh 'rm ../codeql-bundle-linux64.tar.gz'
            }
        }

        // Create CodeQL Database
        // Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products.
        // Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used. For complex build instructions, consider placing build commands inside a script
        // and pass that to --command, or use indirect build tracing (aka. "sandwich mode").
        // Full documentation for database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/
        stage('Create CodeQL Database') {
            steps {
                // REF command: /path/to/cli/codeql database create [--language=[,...]] [--github-auth-stdin] [--github-url=] [--source-root=] [--threads=] [--ram=] [--command=] [--mode=] [--extractor-option=] ... --
                // Replace /codeql-dbs/repo-db (database location) and /checkouts/my-repo (source root) with the paths used on your agent
                sh '../codeql/codeql database create /codeql-dbs/repo-db --language=javascript --source-root /checkouts/my-repo'
            }
        }

        // Analyze CodeQL Database
        // Analyze a CodeQL database, producing meaningful results in the context of the source code.
        // Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format.
        // Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality
        // Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/
        stage('Analyze CodeQL Database') {
            steps {
                // REF command: /path/to/cli/codeql database analyze --format= --output= [--threads=] [--ram=] ... -- ...
                sh 'mkdir -p temp'
                sh '../codeql/codeql database analyze /codeql-dbs/repo-db javascript-security-and-quality.qls --format=sarif-latest --output=./temp/results-js.sarif'
            }
        }

        // Upload results to GitHub
        // Uploads a SARIF file to GitHub code scanning.
        // For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data
        // A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set.
        // This token must have the security_events scope.
        // Documentation for creating GitHub Apps or Personal Access Tokens is available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
        // Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/
        stage('Upload results to GitHub') {
            steps {
                // REF command: /path/to/cli/codeql github upload-results --sarif= [--github-auth-stdin] [--github-url=] [--repository=] [--ref=] [--commit=] [--checkout-path=] ...
                // GITHUB_TOKEN is assumed to be bound as a credential in the environment block; piping it to the CLI keeps it off the command line.
                // Replace the --commit value with the commit that was analyzed.
                sh 'echo "$GITHUB_TOKEN" | ../codeql/codeql github upload-results --sarif=./temp/results-js.sarif --github-auth-stdin --github-url=https://github.com/ --repository=octo-org/example-repo-2 --ref=refs/heads/main --commit=deb275d2d5fe9a522a0b7bd8b6b6a1c939552718'
            }
        }

        // Other stages go here

    }

}
--------------------------------------------------------------------------------
/Jenkins/Jenkinsfile-template-windows:
--------------------------------------------------------------------------------
/*
This sample Jenkinsfile shows how to configure a Jenkins pipeline to analyze a repository using the CodeQL CLI bundle
This example assumes a Windows environment
*/

pipeline {

    agent { label 'run-codeql-analysis' }

    environment {
        ...
    }

    options {
        ...
    }

    stages {
        // Clone repository
        stage('Clone Repository') {
            steps {
                git url: 'https://github.com/octo-org/example-repo-2.git'
            }
        }

        // OPTIONAL: Download CodeQL CLI Bundle
        // The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline,
        // or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace \path\to\cli in subsequent stages with the absolute path to the download location.
        // In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases.
        // Windows agents run these commands with bat rather than sh; curl and tar ship with current Windows releases, wget does not.
        // Backslashes are doubled because Groovy strings treat \ as an escape character. Every bat step runs in a fresh shell, so a
        // `set PATH=...` here would not survive into later steps; the stages below therefore call the CLI by path (..\codeql\codeql.exe) instead.
        stage('Download CodeQL CLI Bundle') {
            steps {
                bat 'curl -sSL -o ..\\codeql-bundle-win64.tar.gz https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-win64.tar.gz'
                bat 'tar xzvf ..\\codeql-bundle-win64.tar.gz -C ..\\'
                bat 'del ..\\codeql-bundle-win64.tar.gz'
            }
        }

        // Create CodeQL Database
        // Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products.
        // Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used. For complex build instructions, consider placing build commands inside a script
        // and pass that to --command, or use indirect build tracing (aka. "sandwich mode").
        // Full documentation for database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/
        stage('Create CodeQL Database') {
            steps {
                // REF command: \path\to\cli\codeql.exe database create [--language=[,...]] [--github-auth-stdin] [--github-url=] [--source-root=] [--threads=] [--ram=] [--command=] [--mode=] [--extractor-option=] ... --
                // Replace \codeql-dbs\repo-db (database location) and \checkouts\my-repo (source root) with the paths used on your agent
                bat '..\\codeql\\codeql.exe database create \\codeql-dbs\\repo-db --language=javascript --source-root \\checkouts\\my-repo'
            }
        }

        // Analyze CodeQL Database
        // Analyze a CodeQL database, producing meaningful results in the context of the source code.
        // Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format.
        // Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality
        // Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/
        stage('Analyze CodeQL Database') {
            steps {
                // REF command: \path\to\cli\codeql.exe database analyze --format= --output= [--threads=] [--ram=] ... -- ...
                bat 'if not exist temp mkdir temp'
                bat '..\\codeql\\codeql.exe database analyze \\codeql-dbs\\repo-db javascript-security-and-quality.qls --format=sarif-latest --output=.\\temp\\results-js.sarif'
            }
        }

        // Upload results to GitHub
        // Uploads a SARIF file to GitHub code scanning.
        // For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data
        // A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set.
        // This token must have the security_events scope.
        // Documentation for creating GitHub Apps or Personal Access Tokens is available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
        // Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/
        stage('Upload results to GitHub') {
            steps {
                // REF command: \path\to\cli\codeql.exe github upload-results --sarif= [--github-auth-stdin] [--github-url=] [--repository=] [--ref=] [--commit=] [--checkout-path=] ...
                // GITHUB_TOKEN is assumed to be bound as a credential in the environment block. The powershell step (PowerShell plugin) pipes it to the
                // CLI's standard input, so the token never appears on the command line. Replace the --commit value with the commit that was analyzed.
                powershell '$env:GITHUB_TOKEN | ..\\codeql\\codeql.exe github upload-results --sarif=.\\temp\\results-js.sarif --github-auth-stdin --github-url=https://github.com/ --repository=octo-org/example-repo-2 --ref=refs/heads/main --commit=deb275d2d5fe9a522a0b7bd8b6b6a1c939552718'
            }
        }

        // Other stages go here

    }

}
--------------------------------------------------------------------------------
/_deprecated/TravisCI-template-with-codeql-runner.yml:
--------------------------------------------------------------------------------
██████╗ ███████╗██████╗ ██████╗ ███████╗ ██████╗ █████╗ ████████╗███████╗██████╗
██╔══██╗██╔════╝██╔══██╗██╔══██╗██╔════╝██╔════╝██╔══██╗╚══██╔══╝██╔════╝██╔══██╗
██║ ██║█████╗ ██████╔╝██████╔╝█████╗ ██║ ███████║ ██║ █████╗ ██║ ██║
██║ ██║██╔══╝ ██╔═══╝ ██╔══██╗██╔══╝ ██║ ██╔══██║ ██║ ██╔══╝ ██║ ██║
██████╔╝███████╗██║ ██║ ██║███████╗╚██████╗██║ ██║ ██║ ███████╗██████╔╝
╚═════╝ ╚══════╝╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═════╝╚═╝ ╚═╝ ╚═╝ ╚══════╝╚═════╝

The CodeQL Runner has been deprecated as of version 2.6.2 of the CodeQL CLI.
All functionality is now natively available in the CodeQL CLI.
Please use the CodeQL CLI Bundle instead of the CodeQL Runner.

#################################################################################

# This sample .travis.yml shows how to configure a TravisCI workflow to analyze a repository using the CodeQL Runner
# The example assumes a simple Java application built using Maven

# Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token stored as pipeline variable GITHUB_TOKEN
# Currently this workflow runs on commit; you will need to set up triggers for the workflow to run on certain branches, PRs, a schedule, etc.

# GitHub Docs "Running CodeQL Runner in your CI system" - https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-runner-in-your-ci-system

language: java
jdk:
  - oraclejdk15

arch: amd64
os: linux
dist: focal

branches:
  only:
    - main

install:
  - java --version
  - ./mvnw clean install
  - ./mvnw test

script:
  # STEP 1 (OPTIONAL): Download CodeQL Runner
  # The CodeQL Runner can either be downloaded as part of the pipeline,
  # or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace ./codeql-runner-linux in subsequent stages with the absolute path to the download location.
  - wget https://github.com/github/codeql-action/releases/latest/download/codeql-runner-linux
  - chmod +x codeql-runner-linux # Make the CodeQL Runner executable

  # STEP 2: Initialize the CodeQL Runner
  # Assumes an existing GitHub App or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token stored as pipeline variable GITHUB_TOKEN
  # Full documentation for the init step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#init
  # In this example, the security-extended suite is used, which includes both security queries and code quality queries
  - echo $GITHUB_TOKEN | ./codeql-runner-linux init --repository org/repo --github-url https://github.com --queries security-extended --github-auth-stdin

  # STEP 3: Set BUILD step environment variables (only required for compiled languages)
  # Set the generated environment variables so they are available for subsequent commands
  # This script is created as part of the ./codeql-runner-linux init step and referenced in the init logs
  - . ${TRAVIS_BUILD_DIR}/codeql-runner/codeql-env.sh # REMOVE this step if you are not scanning any compiled languages (ex. Java) and only scanning scripting languages (ex. JavaScript)

  # STEP 4: Build codebase (only required for compiled languages)
  # Example 1: Use the AutoBuilder
  # The CodeQL Runner comes with a sophisticated AutoBuilder, which attempts to build the code based on files in the repository
  # Full documentation for the autobuild step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#autobuild
  - ./codeql-runner-linux autobuild --language java # REMOVE this step if you are not scanning any compiled languages (ex. Java) and only scanning scripting languages (ex. JavaScript)
  # Example 2: Provide a manual build command
  # Alternatively, we can run the build command to compile the code. In this example, we have a simple Maven project with a pom.xml in the root of the repository, and a settings file in a subdirectory
  # For Code Scanning purposes, we only need to compile the code. As such, we disable executing our test suite. This can be changed according to your needs
  # command: 'mvn clean install -DskipTests=true -s settings/settings.xml'

  # STEP 5: Analyze CodeQL database and send results to GitHub
  # Analyze the snapshot database created as part of the build, by running the selected queries against it
  # Assumes an existing GitHub App or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
  # Full documentation for the analyze step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#analyze
  # Once the analysis is done, the results will be uploaded to GitHub
  # Specifying the --ram option puts a ceiling on the memory used by the CodeQL Runner; use it if you see errors where the CodeQL Runner runs out of memory
  - echo $GITHUB_TOKEN | ./codeql-runner-linux analyze --repository org/repo --github-url https://github.com --commit $TRAVIS_COMMIT --ref refs/heads/main --github-auth-stdin
--------------------------------------------------------------------------------
/_deprecated/Azure-Pipelines-template-with-codeql-runner.yml:
--------------------------------------------------------------------------------
██████╗ ███████╗██████╗ ██████╗ ███████╗ ██████╗ █████╗ ████████╗███████╗██████╗
██╔══██╗██╔════╝██╔══██╗██╔══██╗██╔════╝██╔════╝██╔══██╗╚══██╔══╝██╔════╝██╔══██╗
██║ ██║█████╗ ██████╔╝██████╔╝█████╗ ██║
███████║ ██║ █████╗ ██║ ██║
██║ ██║██╔══╝ ██╔═══╝ ██╔══██╗██╔══╝ ██║ ██╔══██║ ██║ ██╔══╝ ██║ ██║
██████╔╝███████╗██║ ██║ ██║███████╗╚██████╗██║ ██║ ██║ ███████╗██████╔╝
╚═════╝ ╚══════╝╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═════╝╚═╝ ╚═╝ ╚═╝ ╚══════╝╚═════╝

The CodeQL Runner has been deprecated as of version 2.6.2 of the CodeQL CLI.
All functionality is now natively available in the CodeQL CLI.
Please use the CodeQL CLI Bundle instead of the CodeQL Runner.

#################################################################################

# This sample YAML file shows how to configure an Azure Pipeline to analyze a repository using the CodeQL Runner
# The example assumes a C# application built using Visual Studio Build

trigger:
  branches:
    include:
      - '*'
  paths:
    exclude:
      - test/*
      - doc/*
      - lib/*
    include:
      - src/*
resources:
  repositories:
    - repository: templates
      type: github
      name: octo-org/MyDevOpsTemplates
      endpoint: octo-org

variables:
  - name: msbuildArgs
    value: /p:OutDir=$(Build.ArtifactStagingDirectory) /p:UseSharedCompilation=false

stages:
  - stage: __default
    jobs:
      - job: Job
        workspace:
          clean: all
        steps:

          # Initialize the CodeQL Runner
          # Assumes an existing GitHub App or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token. In this case, stored in a variable MyGitHubToken
          # In this example, the CodeQL CLI has been pre-downloaded and placed in a directory on the runner. If --codeql-path is omitted, the runner will automatically download the CodeQL CLI
          # Full documentation for the init step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#init
          # In this example, the security-and-quality suite is used, which includes both security queries and code quality queries
          # Note: passing the token as --github-auth exposes it to process listings and logs; the CLI bundle templates use --github-auth-stdin instead
          - task: CmdLine@2
            displayName: CodeQL Initialization
            inputs:
              script: "%CodeQLRunner%\\codeql-runner-win.exe init --repository octo-org/example-repo-2 --github-url https://github.com --github-auth $(MyGitHubToken) --codeql-path %CodeQLRunner%\\Bundle\\codeql\\codeql.exe --queries security-and-quality"

          # Set the generated environment variables so they are available for subsequent commands
          # We use a simple PowerShell script to turn each key/value of codeql-env.json into an Azure Pipelines logging command that sets a variable
          - task: PowerShell@2
            displayName: Set CodeQL Environment Variables
            inputs:
              targetType: inline
              script: |
                $json = Get-Content -Raw $(System.DefaultWorkingDirectory)/codeql-runner/codeql-env.json | ConvertFrom-Json
                $json.PSObject.Properties | ForEach-Object {
                  $template = "##vso[task.setvariable variable="
                  $template += $_.Name
                  $template += "]"
                  $template += $_.Value
                  echo "$template"
                }

          # It is often required to perform certain pre-build tasks prior to executing the build. In this example, we restore our NuGet dependencies
          - task: NuGetCommand@2
            condition: and(succeeded(), eq('', ''))
            inputs:
              command: restore
              restoreSolution: '**/*.sln'
            displayName: Restore NuGet Dependencies

          # Execute the build. Note the msbuildArgs variable, which is configured above. We execute a clean build, in order to remove any existing build artifacts prior to the build
          - task: VSBuild@1
            inputs:
              solution: '**/*.sln'
              msbuildArgs: $(msbuildArgs)
              platform: Any CPU
              configuration: Release
              clean: True
            displayName: Visual Studio Build

          # Analyze the snapshot database created as part of the build, by running the selected queries against it
          # Assumes an existing GitHub App or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token. In this case, stored in a variable MyGitHubToken
          # Full documentation for the analyze step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#analyze
          # Once the analysis is done, the results will be uploaded to GitHub
          - task: CmdLine@2
            displayName: CodeQL Analyze
            inputs:
              script: '%CodeQLRunner%\codeql-runner-win.exe analyze --repository octo-org/example-repo-2 --commit $(Build.SourceVersion) --ref $(Build.SourceBranch) --github-url https://github.com --github-auth $(MyGitHubToken)'

          # Other tasks go here
--------------------------------------------------------------------------------
/Azure Pipelines/Azure-Pipelines-template-linux.yml:
--------------------------------------------------------------------------------
# This sample YAML file shows how to configure an Azure Pipeline to analyze a repository using the CodeQL CLI Bundle
# when the repository is stored in GitHub.
# To run CodeQL on Azure Repos see: https://learn.microsoft.com/en-us/azure/devops/repos/security/github-advanced-security-code-scanning?view=azure-devops
# This example assumes a Linux environment

# The pipeline needs a variable called GITHUB_TOKEN (don't forget to mark it as secret).
# This secret will contain a personal access token, either classic or fine-grained (preferably the latter).
# The classic token requires the following scope: repo
# The fine-grained token requires the following permission: Code scanning alerts (read and write)

# Adapt the trigger to your needs
trigger:
  branches:
    include:
      - '*'
  paths:
    exclude:
      - test/*
      - doc/*
      - lib/*
    include:
      - src/*

variables:
  # Language to scan. Possible values:
  # cpp, csharp, go, java, javascript, python, ruby, swift
  language: javascript

stages:
  - stage:
    jobs:
      - job:
        displayName: CodeQL analyze

        pool:
          vmImage: 'ubuntu-latest'
        workspace:
          clean: all
        steps:

          # OPTIONAL: Download CodeQL CLI Bundle
          # The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline,
          # or pre-downloaded and placed on the CI/CD build machine(s). In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from
          # https://github.com/github/codeql-action/releases, extract it and place it on the PATH.
          - script: |
              wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz \
                -O ../codeql-bundle-linux64.tar.gz \
                --show-progress \
                --progress=dot:mega

              tar xzvf ../codeql-bundle-linux64.tar.gz -C ../
              rm ../codeql-bundle-linux64.tar.gz

              # Make sure the CLI is on the PATH for the following steps
              cli_path="$(cd ..; pwd)/codeql"
              echo "##vso[task.prependpath]$cli_path"

              sarif_file=$(mktemp)

              echo "##vso[task.setvariable variable=sarif_file;]$sarif_file"
            displayName: Download CodeQL CLI Bundle

          # Create CodeQL Database
          # Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products.
          # Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used. For complex build instructions, consider placing the build commands inside a script
          # and passing that to --command, or use indirect build tracing (aka "sandwich mode").
          # Full documentation for the database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/
          - script: |
              codeql database create db \
                --language=$(language) \
                --github-url=https://github.com/
            displayName: Create CodeQL Database

          # Analyze CodeQL Database
          # Analyze a CodeQL database, producing meaningful results in the context of the source code.
          # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format.
          # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality
          # Full documentation for the database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/
          - script: |
              codeql database analyze \
                --format=sarif-latest \
                --sarif-category="$(language)" \
                --sarif-add-baseline-file-info \
                --output="$(sarif_file)" \
                db $(language)-security-and-quality.qls
            displayName: Analyze CodeQL Database

          # Upload results to GitHub
          # Uploads a SARIF file to GitHub code scanning.
          # For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data
          # A GitHub App token or personal access token must be set. For best security practice, set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set.
          # This token must have the security_events scope.
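The upload step's comments recommend `--github-auth-stdin` over placing the token on the command line, where it would be visible in process listings and build logs. The wrapper below is an added example written for this page, not code from the template or from the CodeQL project. It assumes a `CODEQL_BIN` variable naming the CLI executable (defaulting to `codeql` on the PATH) and the `GITHUB_TOKEN` environment variable the template already uses; the function names and the SARIF sanity checks are this example's own. It refuses to upload an empty or non-SARIF file, reports how many results it is about to send, and feeds the token through standard input only.

```shell
# Added example (not part of this template): upload a SARIF file to GitHub
# code scanning with the token supplied on stdin rather than on the command line.
# CODEQL_BIN (assumed name) is the CodeQL CLI executable; defaults to "codeql" on PATH.
: "${CODEQL_BIN:=codeql}"

# Sanity checks on the SARIF produced by `codeql database analyze`:
# the file must exist, be non-empty and contain a "runs" array. Returns 0/1.
sarif_looks_valid() {
    [ -s "$1" ] || return 1
    grep -q '"runs"' "$1"
}

# Count result objects in a SARIF file. CodeQL results always carry a
# "ruleId", so counting that key is a cheap way to gate a pipeline locally;
# use jq for anything richer (severity thresholds, rule filtering).
sarif_result_count() {
    grep -o '"ruleId"' "$1" | wc -l | tr -d ' '
}

# upload_sarif SARIF REPOSITORY REF COMMIT
# Reads the token from $GITHUB_TOKEN and passes it via --github-auth-stdin.
# Returns 2 if no token is set, 1 if the SARIF file fails the checks, and
# otherwise the exit status of the CodeQL CLI.
upload_sarif() {
    sarif="$1"; repo="$2"; ref="$3"; commit="$4"
    if [ -z "${GITHUB_TOKEN:-}" ]; then
        echo "upload_sarif: GITHUB_TOKEN is not set" >&2
        return 2
    fi
    if ! sarif_looks_valid "$sarif"; then
        echo "upload_sarif: $sarif is missing, empty or not a SARIF file" >&2
        return 1
    fi
    echo "upload_sarif: uploading $(sarif_result_count "$sarif") result(s) for $repo@$ref" >&2
    # The token travels on stdin; it is never part of argv.
    printf '%s\n' "$GITHUB_TOKEN" | "$CODEQL_BIN" github upload-results \
        --github-auth-stdin \
        --sarif="$sarif" \
        --github-url=https://github.com/ \
        --repository="$repo" \
        --ref="$ref" \
        --commit="$commit"
}
```

In an Azure step this replaces the `env: GITHUB_TOKEN:` approach with an explicit pipe; the CLI behaves the same either way, but the stdin form is the one to use on CI systems whose log scrubbing of secrets cannot be relied on.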
          # Documentation for creating GitHub Apps or Personal Access Tokens is available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
          # Full documentation for the github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/
          - script: |
              codeql github upload-results \
                --sarif="$(sarif_file)" \
                --github-url=https://github.com/ \
                --repository="$(Build.Repository.Name)" \
                --ref="$(Build.SourceBranch)" \
                --commit="$(Build.SourceVersion)"
            displayName: Upload results to GitHub $(Build.Repository.Name)
            env:
              GITHUB_TOKEN: $(GITHUB_TOKEN)

--------------------------------------------------------------------------------
/Jenkins/Jenkinsfile-template-linux-multibranch:
--------------------------------------------------------------------------------
def isPRBuild() {
    return (BRANCH_NAME ==~ /^PR-\d+$/)
}

def getPRNumber() {
    def matcher = (BRANCH_NAME =~ /^PR-(?<PR>\d+)$/)
    assert matcher.matches()
    return matcher.group('PR')
}

def getPRRef() {
    return isPRBuild() ? "refs/pull/${getPRNumber()}/${GITHUB_PR_REF_TYPE}" : "refs/heads/${BRANCH_NAME}"
}

pipeline {

    agent any

    environment {
        // The Jenkins Credentials ID (as a secret text credential) for your GitHub PAT.
        GITHUB_CREDS = credentials('github-pat-as-secret-text')
        // The repo default branch name
        DEFAULT_BRANCH = 'main'
        // The type of ref that will be checked out for a job initiated by a GitHub PR. 'merge' for the default PR merge commit, 'head' for the head of the branch being merged.
        GITHUB_PR_REF_TYPE = 'head'
        PR_REF = getPRRef()
        // The name of the GitHub repository to run the analysis on
        GITHUB_REPO = 'example/java-app'
        MAVEN_ARGS = '--batch-mode --no-transfer-progress'
        MAVEN_OPTS = '-Dmaven.test.skip=true'
        // See https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#changing-the-languages-that-are-analyzed
        // for supported languages.
        // For Java and Kotlin use 'java', for JavaScript and TypeScript use 'javascript', for C and C++ use 'cpp'.
        CODEQL_LANGUAGE = 'java'
        // See https://docs.github.com/en/code-security/codeql-cli/codeql-cli-manual/database-create#--build-modemode for build mode options
        CODEQL_BUILD_MODE = 'manual'
        CODEQL_BUILD_COMMAND = './mvnw clean package'
        CODEQL_QUERY_SUITE = "codeql/${CODEQL_LANGUAGE}-queries:codeql-suites/${CODEQL_LANGUAGE}-security-extended.qls"
        // CODEQL_BUNDLE_URL = 'https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz'
        // Path to the CodeQL bundle folder. If using the curl download option below this is the extraction location.
        // It is recommended to provide CodeQL via a pre-populated tool cache directory rather than downloading it during pipeline execution.
        CODEQL_DIR = '/tools/codeql'
        // Memory limit (MB) for CodeQL. This must be set below the pod limit if running in Kubernetes; approx. 80% of the limit is appropriate.
        CODEQL_MEMORY = '3276'
        // The Dependency Submission Action executable archive
        // See https://github.com/advanced-security/maven-dependency-submission-action/actions/workflows/publish_executables.yml?query=branch:main for the latest version.
        // Latest at last edit: https://github.com/advanced-security/maven-dependency-submission-action/actions/runs/8876993169/artifacts/1456204717
        // DEPENDENCY_SUBMISSION_EXECUTABLES_URL = 'https://api.github.com/repos/advanced-security/maven-dependency-submission-action/actions/artifacts/1456204717/zip'
        // The Dependency Submission Action executable
        // See https://github.com/advanced-security/maven-dependency-submission-action#command-line-usage for options
        DEPENDENCY_SUBMISSION_EXECUTABLE = '/tools/dep-submission/maven-dependency-submission-action-linux'
    }

    stages {
        stage('Run security analysis') {
            parallel {
                stage('Run CodeQL analysis') {
                    when {
                        anyOf {
                            branch DEFAULT_BRANCH
                            expression { CHANGE_ID != null && CHANGE_AUTHOR != 'dependabot[bot]' }
                        }
                    }
                    steps {
                        script {
                            // Optional: download the bundle at run time instead of using a pre-populated CODEQL_DIR
                            // sh 'rm -rf ${CODEQL_DIR} && mkdir -p ${CODEQL_DIR}'
                            // sh 'curl -L -sS -o codeql-bundle.tar.gz ${CODEQL_BUNDLE_URL}'
                            // sh 'tar --strip-components=1 -xzf codeql-bundle.tar.gz -C ${CODEQL_DIR}/'
                            // sh 'rm codeql-bundle.tar.gz'
                            // Build mode and build command are only passed when set, so the same stage works for languages that need no build
                            sh '${CODEQL_DIR}/codeql database create ./codeql-db \
                                --ram ${CODEQL_MEMORY} \
                                --language ${CODEQL_LANGUAGE} \
                                --overwrite \
                                ${CODEQL_BUILD_MODE:+--build-mode} ${CODEQL_BUILD_MODE} \
                                ${CODEQL_BUILD_COMMAND:+--command} "${CODEQL_BUILD_COMMAND}"'
                            sh '${CODEQL_DIR}/codeql database analyze ./codeql-db \
                                --ram ${CODEQL_MEMORY} \
                                --format=sarif-latest \
                                --output=codeql-results.sarif \
                                ${CODEQL_QUERY_SUITE}'
                            // The PAT is piped on stdin (--github-auth-stdin) so it never appears in the process arguments
                            sh 'echo $GITHUB_CREDS | ${CODEQL_DIR}/codeql github upload-results \
                                --github-auth-stdin \
                                --sarif=codeql-results.sarif \
                                --repository=${GITHUB_REPO} \
                                --ref=${PR_REF} \
                                --commit=${GIT_COMMIT}'
                        }
                    }
                }
                stage('Submit dependency snapshot') {
                    when {
                        anyOf {
                            branch DEFAULT_BRANCH
                            expression { CHANGE_ID != null }
                        }
                    }
                    steps {
                        // Optional: download the executable at run time instead of using a pre-populated DEPENDENCY_SUBMISSION_EXECUTABLE
                        // sh 'curl -L -s \
                        //     -H "Accept: application/vnd.github+json" \
                        //     -H "Authorization: Bearer ${GITHUB_CREDS}" \
                        //     -H "X-GitHub-Api-Version: 2022-11-28" \
                        //     ${DEPENDENCY_SUBMISSION_EXECUTABLES_URL} \
                        //     -o executables.zip'
                        // sh 'unzip executables.zip'
                        // sh 'chmod +x ./${DEPENDENCY_SUBMISSION_EXECUTABLE}'
                        sh 'PATH="./:${PATH}" ${DEPENDENCY_SUBMISSION_EXECUTABLE} \
                            -r ${GITHUB_REPO} \
                            -t ${GITHUB_CREDS} \
                            -b ${PR_REF} \
                            -s ${GIT_COMMIT}'
                    }
                }
            }
        }
    }
}
--------------------------------------------------------------------------------
/CircleCI/CircleCI-template-linux.yml:
--------------------------------------------------------------------------------
# This sample config.yml shows how to configure a CircleCI workflow to analyze a repository using the CodeQL CLI
# The example assumes a simple JavaScript application built using node on Linux

# Assumes an existing GitHub App or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token stored as pipeline variable GITHUB_TOKEN
# Currently this workflow runs on every commit; you will need to set up triggers for the workflow to run on certain branches, PRs, a schedule, etc.
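The `getPRRef()` helper in the Jenkins multibranch template and the pull-request/branch split in the CircleCI upload steps solve the same problem: choosing the `--ref` to send with `codeql github upload-results` so that alerts attach to the right pull request or branch. The functions below are an added example written for this page, not code from either template; they express that logic as portable shell, generalised to both CI systems, and add a check that the `--commit` value is a full 40-hex-digit SHA, which is what the code scanning upload endpoint expects (`CIRCLE_SHA1` and Jenkins' `GIT_COMMIT` already are). Function names are this example's own.

```shell
# Added example (not part of any template on this page): work out the value
# for `codeql github upload-results --ref` from what the CI system exposes.

# CircleCI: CIRCLE_PULL_REQUEST holds the pull request URL (".../pull/42")
# for PR builds and is unset otherwise; CIRCLE_BRANCH holds the branch name.
# $1 = CIRCLE_PULL_REQUEST (may be empty), $2 = CIRCLE_BRANCH
ref_from_circleci() {
    pr_url="$1"; branch="$2"
    if [ -n "$pr_url" ]; then
        # Strip everything up to the last '/' to get the PR number.
        echo "refs/pull/${pr_url##*/}/head"
    else
        echo "refs/heads/${branch}"
    fi
}

# Jenkins multibranch: BRANCH_NAME is "PR-<number>" for jobs started by a
# GitHub pull request and the branch name otherwise.
# $1 = BRANCH_NAME, $2 = ref type for PRs: "head" (tip of the PR branch) or
# "merge" (the PR merge commit), matching GITHUB_PR_REF_TYPE in the Jenkinsfile.
ref_from_jenkins() {
    branch_name="$1"; ref_type="${2:-head}"
    number="${branch_name#PR-}"
    case "$branch_name" in
        PR-[0-9]*)
            case "$number" in
                *[!0-9]*) echo "refs/heads/${branch_name}" ;;   # e.g. "PR-1a" is an ordinary branch
                *)        echo "refs/pull/${number}/${ref_type}" ;;
            esac
            ;;
        *)
            echo "refs/heads/${branch_name}"
            ;;
    esac
}

# The --commit value must be the full 40-hex-digit SHA; a shortened SHA
# pasted from a log will not be accepted. Returns 0 if $1 is a full SHA.
is_full_sha() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}
```

Both functions are pure string handling, so they can be unit-tested outside CI; a template can then call, for instance, `--ref="$(ref_from_circleci "$CIRCLE_PULL_REQUEST" "$CIRCLE_BRANCH")"` in a single `run` step instead of duplicating the upload command per case.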

# GitHub Docs "Running CodeQL CLI in your CI System" - https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-cli-in-your-ci-system

orbs: # declare what orbs we are going to use
  node: circleci/node@4.5.0 # the node orb provides common node-related configuration

version: 2.1
jobs:
  codeql:
    docker:
      - image: 'cimg/base:2021.05'
    resource_class: xlarge # https://circleci.com/docs/2.0/configuration-reference/#docker-executor
    steps:
      - checkout: { path: "my-app" } # checkout codebase in its own directory, separate from the codeql cli bundle so it does not analyze itself
      - node/install
      - run:
          # OPTIONAL: Download CodeQL CLI Bundle
          # The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline,
          # or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace /path/to/cli in subsequent stages with the absolute path to the download location.
          # In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases.
          name: Download CodeQL CLI
          command: |
            wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz -O codeql-bundle-linux64.tar.gz
            tar xzvf codeql-bundle-linux64.tar.gz
            rm codeql-bundle-linux64.tar.gz
            export PATH=$(pwd)/codeql:$PATH
            # Make a note of the current directory here and use that for /path/to/cli in subsequent stages
            # (each run step starts a fresh shell, so the PATH change above does not carry over; the steps below call ./codeql/codeql directly).
            # You can add the extracted codeql bundle to your PATH. Ex: PATH=/path/to/cli:$PATH
      - run:
          # Create CodeQL Database
          # Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products.
          # Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used.
          # Full documentation for the database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/
          name: Create CodeQL Database
          # REF command: '/path/to/cli/codeql database create --language= [--source-root=] [--threads=] [--command=] [--mode=] ... [--] '
          command: |
            mkdir -p codeql-dbs
            ./codeql/codeql database create ./codeql-dbs/repo-db --language=javascript --source-root=./my-app
      - run:
          # Analyze CodeQL Database
          # Analyze a CodeQL database, producing meaningful results in the context of the source code.
          # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format.
          # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality
          # Full documentation for the database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/
          name: Analyze CodeQL Database
          # REF command: '/path/to/cli/codeql database analyze --format= --output= [--threads=] [--ram=] ... [--] ...'
          command: |
            cd codeql && mkdir -p temp
            ./codeql database analyze ../codeql-dbs/repo-db javascript-code-scanning.qls --format=sarif-latest --output=./temp/results-js.sarif

      # Upload results to GitHub

      # Uploads a SARIF file to GitHub code scanning.
      # For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data
      # A GitHub App token or personal access token must be set. For best security practice, set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set.
      # This token must have the security_events scope.
      # Documentation for creating GitHub Apps or Personal Access Tokens is available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
      # Full documentation for the github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/
      # REF command: '/path/to/cli/codeql github upload-results --repository= --ref= --commit= --sarif= [--github-auth-stdin] [--checkout-path=] [--github-url=] ...'

      # Since CircleCI does not track the GitHub event reference in a single variable, we need an if/else to push the right context back for pull requests vs. branch commits.
      # CircleCI `when`/`unless` step conditions are evaluated when the config is compiled and cannot see runtime environment variables such as CIRCLE_PULL_REQUEST, so the branching is done in the shell instead.
      - run:
          name: Upload results to GitHub
          command: |
            if [ -n "${CIRCLE_PULL_REQUEST}" ]; then
              ref="refs/pull/${CIRCLE_PULL_REQUEST##*/}/head"
            else
              ref="refs/heads/${CIRCLE_BRANCH}"
            fi
            echo "$GITHUB_TOKEN" | ./codeql/codeql github upload-results --repository=org/example-app --ref="$ref" --commit="$CIRCLE_SHA1" --sarif=./codeql/temp/results-js.sarif --github-url=https://github.com/ --github-auth-stdin

workflows:
  version: 2
  codeql-analysis:
    jobs:
      - codeql
--------------------------------------------------------------------------------
/CircleCI/CircleCI-template-windows.yml:
--------------------------------------------------------------------------------
# This sample config.yml shows how to configure a CircleCI workflow to analyze a repository using the CodeQL CLI
# The example assumes a simple JavaScript application built using node on Windows

# Assumes an existing GitHub App or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token stored as pipeline variable GITHUB_TOKEN
# Currently this workflow runs on every commit; you will need to set up triggers for the workflow to run on certain branches, PRs, a schedule, etc.

# GitHub Docs "Running CodeQL CLI in your CI System" - https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-cli-in-your-ci-system

orbs: # declare what orbs we are going to use
  win: circleci/windows@5.0 # the windows orb provides the Windows executor; pin the version your organisation approves

version: 2.1
jobs:
  codeql:
    executor: win/default # https://circleci.com/docs/using-windows/
    # The run steps below use Git Bash (bash.exe), which ships with the Windows executor, so the same shell syntax as the Linux template applies
    steps:
      - checkout: { path: "my-app" } # checkout codebase in its own directory, separate from the codeql cli bundle so it does not analyze itself
      - run:
          # OPTIONAL: Download CodeQL CLI Bundle
          # The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline,
          # or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace \path\to\cli in subsequent stages with the absolute path to the download location.
          # In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases.
          name: Download CodeQL CLI
          shell: bash.exe
          command: |
            curl -L https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-win64.tar.gz -o codeql-bundle-win64.tar.gz
            tar xzvf codeql-bundle-win64.tar.gz
            rm codeql-bundle-win64.tar.gz
            # Make a note of the current directory here and use that for \path\to\cli in subsequent stages
            # (each run step starts a fresh shell, so the steps below call ./codeql/codeql.exe directly).
            # You can add the extracted codeql bundle to your PATH. Ex: export PATH=/path/to/cli:$PATH
      - run:
          # Create CodeQL Database
          # Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products.
          # Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used.
          # Full documentation for the database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/
          name: Create CodeQL Database
          shell: bash.exe
          # REF command: '\path\to\cli\codeql.exe database create --language= [--source-root=] [--threads=] [--command=] [--mode=] ... [--] '
          command: |
            mkdir -p codeql-dbs
            ./codeql/codeql.exe database create ./codeql-dbs/repo-db --language=javascript --source-root=./my-app
      - run:
          # Analyze CodeQL Database
          # Analyze a CodeQL database, producing meaningful results in the context of the source code.
          # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format.
          # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality
          # Full documentation for the database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/
          name: Analyze CodeQL Database
          shell: bash.exe
          # REF command: '\path\to\cli\codeql.exe database analyze --format= --output= [--threads=] [--ram=] ... [--] ...'
          command: |
            cd codeql && mkdir -p temp
            ./codeql.exe database analyze ../codeql-dbs/repo-db javascript-code-scanning.qls --format=sarif-latest --output=./temp/results-js.sarif

      # Upload results to GitHub

      # Uploads a SARIF file to GitHub code scanning.
      # For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data
      # A GitHub App token or personal access token must be set. For best security practice, set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set.
      # This token must have the security_events scope.
      # Documentation for creating GitHub Apps or Personal Access Tokens is available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
      # Full documentation for the github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/
      # REF command: '\path\to\cli\codeql.exe github upload-results --repository= --ref= --commit= --sarif= [--github-auth-stdin] [--checkout-path=] [--github-url=] ...'

      # Since CircleCI does not track the GitHub event reference in a single variable, we need an if/else to push the right context back for pull requests vs. branch commits.
      # CircleCI `when`/`unless` step conditions are evaluated when the config is compiled and cannot see runtime environment variables such as CIRCLE_PULL_REQUEST, so the branching is done in the shell instead.
      - run:
          name: Upload results to GitHub
          shell: bash.exe
          command: |
            if [ -n "${CIRCLE_PULL_REQUEST}" ]; then
              ref="refs/pull/${CIRCLE_PULL_REQUEST##*/}/head"
            else
              ref="refs/heads/${CIRCLE_BRANCH}"
            fi
            echo "$GITHUB_TOKEN" | ./codeql/codeql.exe github upload-results --repository=org/example-app --ref="$ref" --commit="$CIR​CLE_SHA1" --sarif=./codeql/temp/results-js.sarif --github-url=https://github.com/ --github-auth-stdin

workflows:
  version: 2
  codeql-analysis:
    jobs:
      - codeql
--------------------------------------------------------------------------------
/harness/codeql-scan.yaml:
--------------------------------------------------------------------------------
# This sample codeql-scan.yaml shows how to configure a Harness workflow to analyze a repository using the CodeQL CLI
# The example assumes a simple Python application on Linux

# Assumes an existing GitHub App or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token stored as pipeline variable GITHUB_TOKEN
# Currently this workflow runs on pull request; you will need to set up triggers for the workflow to run on certain branches, PRs, a schedule, etc.

# GitHub Docs "Running CodeQL CLI in your CI System" - https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-cli-in-your-ci-system

pipeline:
  identifier: Example_CodeQL_Scan_in_Harness
  name: Scan
  orgIdentifier: default
  projectIdentifier: default_project
  properties:
    ci:
      codebase:
        build: <+input>
        connectorRef: YOUR ORG
        repoName: YOUR REPO
  stages:
    - stage:
        identifier: Scan
        name: CodeQL
        spec:
          caching:
            enabled: true
            paths: []
          cloneCodebase: true
          execution:
            steps:
              - step:
                  identifier: setupvirtualenvironment
                  name: setup virtual environment
                  spec:
                    command: |-
                      python3 -m venv .venv
                      . .venv/bin/activate
                      python3 -m pip install -r requirements.txt
                      python3 -m pip install -e .
                  timeout: ""
                  type: Run
              - step:
                  # OPTIONAL: Download CodeQL CLI Bundle
                  # The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline,
                  # or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace ../codeql/codeql in subsequent steps with the absolute path to the download location.
                  # In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases.
                  type: Run
                  name: Download CodeQL Bundle
                  identifier: Download_CodeQL_Bundle
                  spec:
                    shell: Sh
                    # The Run step's command already executes in a shell. Wrapping each line in sh "..."
                    # (Jenkins syntax) would make sh look for a script file with that name and fail.
                    command: |-
                      wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz -O ../codeql-bundle-linux64.tar.gz
                      tar xzf ../codeql-bundle-linux64.tar.gz -C ../
                      rm ../codeql-bundle-linux64.tar.gz
                      # A PATH change made here does not survive into the next step, so later steps call
                      # the CLI by path (../codeql/codeql). The bundle is kept outside the source root so
                      # its own files are not extracted into the database.
              - step:
                  # Create CodeQL Database
                  # Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products.
                  # Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used.
                  # Full documentation for database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/
                  type: Run
                  name: Create Database
                  identifier: Create_Database
                  spec:
                    shell: Sh
                    command: ../codeql/codeql database create --language=python --source-root=. db
              - step:
                  # Analyze CodeQL Database
                  # Analyze a CodeQL database, producing meaningful results in the context of the source code.
                  # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format.
                  # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality
                  # Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/
                  type: Run
                  name: Analyze Database
                  identifier: Analyze_Database
                  spec:
                    shell: Sh
                    # Database path, query suite and output name must match the language created above (python, not javascript)
                    command: |-
                      mkdir -p temp
                      ../codeql/codeql database analyze db python-security-and-quality.qls --format=sarif-latest --output=./temp/results-py.sarif
              - step:
                  # Upload results to GitHub

                  # Uploads a SARIF file to GitHub code scanning.
                  # For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data
                  # A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set.
                  # This token must have the security_events scope.
                  # Documentation for creating GitHub Apps or Personal Access Tokens is available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
                  # Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/
                  # REF command: '/path/to/cli/codeql github upload-results --repository= --ref= --commit= --sarif= [--github-auth-stdin] [--checkout-path=] [--github-url=] ...'
                  type: Run
                  name: Upload CodeQL Results
                  identifier: Upload_CodeQL_Results
                  spec:
                    shell: Sh
                    # The token is resolved from the GITHUB_TOKEN pipeline variable and piped on stdin; ref and commit
                    # come from the Harness codebase expressions instead of hard-coded values. This workflow runs on
                    # pull requests, hence refs/pull/<number>/head; for branch builds use --ref=refs/heads/<+codebase.branch>.
                    command: |-
                      printf '%s' '<+pipeline.variables.GITHUB_TOKEN>' | ../codeql/codeql github upload-results --sarif=./temp/results-py.sarif --github-auth-stdin --github-url=https://github.com/ --repository=octo-org/example-repo-2 --ref=refs/pull/<+codebase.prNumber>/head --commit=<+codebase.commitSha>
        platform:
          os: Linux
          arch: Amd64
        runtime:
          type: Cloud
          spec: {}
        type: CI
        description: ""
--------------------------------------------------------------------------------
/_deprecated/CircleCI-template-with-codeql-runner.yml:
--------------------------------------------------------------------------------
██████╗ ███████╗██████╗ ██████╗ ███████╗ ██████╗ █████╗ ████████╗███████╗██████╗
██╔══██╗██╔════╝██╔══██╗██╔══██╗██╔════╝██╔════╝██╔══██╗╚══██╔══╝██╔════╝██╔══██╗
██║ ██║█████╗ ██████╔╝██████╔╝█████╗ ██║ ███████║ ██║ █████╗ ██║ ██║
██║ ██║██╔══╝ ██╔═══╝ ██╔══██╗██╔══╝ ██║ ██╔══██║ ██║ ██╔══╝ ██║ ██║
██████╔╝███████╗██║ ██║
██║███████╗╚██████╗██║ ██║ ██║ ███████╗██████╔╝
╚═════╝ ╚══════╝╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═════╝╚═╝ ╚═╝ ╚═╝ ╚══════╝╚═════╝

The CodeQL Runner has been deprecated as of version 2.6.2 of the CodeQL CLI.
All functionality is now natively available in the CodeQL CLI.
Please use the CodeQL CLI Bundle instead of the CodeQL Runner.

#################################################################################

# This sample config.yml shows how to configure a CircleCI workflow to analyze a repository using the CodeQL Runner
# The example assumes a simple Java application built using Maven

# Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token stored as pipeline variable GITHUB_TOKEN
# Currently this workflow runs on commit; you will need to set up triggers for the workflow to run on certain branches, PRs, on a schedule, etc.

# GitHub Docs "Running CodeQL Runner in your CI system" - https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-runner-in-your-ci-system

version: 2.1
jobs:
  codeql:
    docker:
      - image: 'cimg/base:2021.05'
    resource_class: xlarge # https://circleci.com/docs/2.0/configuration-reference/#docker-executor
    steps:
      - checkout # Checkout codebase
      - run:
          # OPTIONAL: Download CodeQL Runner
          # The CodeQL Runner can either be downloaded as part of the pipeline,
          # or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace ./codeql-runner-linux in subsequent stages with the absolute path to the download location.
          name: Download CodeQL Runner
          command: 'wget https://github.com/github/codeql-action/releases/latest/download/codeql-runner-linux'
      - run:
          name: Give CodeQL Runner executable access
          command: 'chmod +x codeql-runner-linux'
      - run:
          # Initialize the CodeQL Runner
          # Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token stored as pipeline variable
          # Full documentation for init step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#init
          # In this example, the security-extended suite is used; security-and-quality would add the code quality queries as well
          name: Initialize CodeQL Runner
          command: 'echo $GITHUB_TOKEN | ./codeql-runner-linux init --repository octo-org/example-repo-2 --github-url https://github.com --queries security-extended --github-auth-stdin'
      - run:
          # Set the generated environment variables so they are available for subsequent commands
          # This script is created as part of the ./codeql-runner-linux init step and referenced in the init logs
          # CircleCI starts a new shell for every run step, so a script sourced here would be forgotten by the next step;
          # appending it to $BASH_ENV makes every later step source it automatically
          name: Set CodeQL Runner BUILD environment variables # REMOVE this step if you are not scanning any compiled languages (ex. Java) and only scanning scripting languages (ex. JavaScript)
          command: 'cat ${CIRCLE_WORKING_DIRECTORY}/codeql-runner/codeql-env.sh >> $BASH_ENV'
      - run:
          # Example 1: Use the AutoBuilder
          # The CodeQL Runner comes with a sophisticated AutoBuilder, which attempts to build the code based on files in the repository
          # Full documentation for autobuild step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#autobuild
          name: Build codebase # REMOVE this step if you are not scanning any compiled languages (ex. Java) and only scanning scripting languages (ex. JavaScript)
          command: ./codeql-runner-linux autobuild --language java
          # Example 2: Providing manual build command
          # Alternatively, we can run the build command to compile the code. In this example, we have a simple maven project with a pom.xml in the root of the repository, and a settings file in a subdirectory
          # For Code Scanning purposes, we only need to compile the code. As such, we disable executing our test suite.
This can be changed according to your needs 60 | # command: 'mvn clean install -DskipTests=true -s settings/settings.xml' 61 | # - run: 62 | # Optional step if you experience errors where CodeQL runner runs out of memory resources 63 | # name: Tune malloc fragmentation threshold 64 | # command: 'export MALLOC_MMAP_THRESHOLD_=131072' 65 | 66 | 67 | # Analyze CodeQL database and send results to GitHub 68 | 69 | # Analyze the snapshot database created as part of the build, by running the selected queries against it 70 | # Assumes an existing GitHub Apps or personal access token: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 71 | # Full documentation for analyze step: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system#analyze 72 | # Once the analysis is done, the results will be uploaded to GitHub 73 | # Specifying the --ram attribute puts a ceiling on memory resources used by CodeQL runner, use this if you experience errors where CodeQL runner runs out of memory resources 74 | - when: 75 | condition: ${CIRCLE_PULL_REQUEST} 76 | steps: 77 | - run: 'echo $GITHUB_TOKEN | ./codeql-runner-linux analyze --repository octo-org/example-repo-2 --github-url https://github.com --commit $CIRCLE_SHA1 --ref refs/pull/${CIRCLE_PULL_REQUEST##*/}/head --github-auth-stdin' 78 | - unless: 79 | condition: ${CIRCLE_PULL_REQUEST} 80 | steps: 81 | - run: 'echo $GITHUB_TOKEN | ./codeql-runner-linux analyze --repository octo-org/example-repo-2 --github-url https://github.com --commit $CIRCLE_SHA1 --ref refs/heads/${CIRCLE_BRANCH} --github-auth-stdin' 82 | workflows: 83 | version: 2 84 | codeql-analysis: 85 | jobs: 86 | - codeql 87 | -------------------------------------------------------------------------------- /Jenkins/Jenkinsfile-template-windows-with-indirect-build-tracing: 
--------------------------------------------------------------------------------
/*
This sample Jenkinsfile shows how to configure a Jenkins pipeline to analyze a repository using the CodeQL CLI bundle
This example assumes a Windows environment and takes advantage of indirect build tracing ("sandwich mode") to leverage an existing set of build commands
*/

pipeline {

  agent { label 'run-codeql-analysis' }

  environment {
    ...
  }

  options {
    ...
  }

  stages {
    // Clone repository
    stage('Clone Repository') {
      steps {
        git url: 'https://github.com/octo-org/example-repo-2.git'
      }
    }

    // OPTIONAL: Download CodeQL CLI Bundle
    // The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL query suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline,
    // or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace \path\to\cli in subsequent stages with the absolute path to the download location.
    // In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases.
    stage('Download CodeQL CLI Bundle') {
      steps {
        // Windows agents run cmd.exe via bat (sh needs a POSIX shell installed on the agent). curl.exe and tar.exe
        // ship with Windows 10+/Server 2019+. Groovy strings need the backslashes in Windows paths doubled.
        bat 'curl -fsSL -o ..\\codeql-bundle-win64.tar.gz https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-win64.tar.gz'
        bat 'tar xzf ..\\codeql-bundle-win64.tar.gz -C ..\\'
        bat 'del ..\\codeql-bundle-win64.tar.gz'
      }
    }

    stage('Build and analyze code') {
      // Every bat step runs in a fresh cmd.exe: a PATH change or the variables set by start-tracing.bat in one step
      // are gone in the next. PATH setup, database init, start-tracing.bat and the build commands must therefore run
      // in ONE multi-line bat step, otherwise the build is not traced and the database stays empty.
      steps {
        bat '''
          rem Put CodeQL on the PATH
          rem example: set PATH=%CD%\\..\\codeql;%PATH%
          set PATH=\\path\\to\\cli;%PATH%

          rem Initialize CodeQL
          rem Create a skeleton structure for a CodeQL database that doesn't have a raw QL dataset yet, but is ready for running extractor steps
          rem Prior to running any build commands, the generated script containing the tracing environment variables must be run in this same shell (call).
          rem Full documentation for database init step: https://codeql.github.com/docs/codeql-cli/manual/database-init/
          rem syntax: codeql.exe database init --source-root=DIR [--language=LANG[,...]] [--github-auth-stdin] [--github-url=URL] --begin-tracing DATABASE
          codeql.exe database init --source-root=\\checkouts\\my-repo --language=java --begin-tracing \\codeql-dbs\\repo-db

          rem Set the generated environment variables so they are available for the build commands
          call \\codeql-dbs\\repo-db\\temp\\tracingEnvironment\\start-tracing.bat

          rem Run build commands
          rem In this example, we have a simple maven project with a pom.xml in the root of the repository, and a settings file in a subdirectory
          rem For Code Scanning purposes, we only need to compile the code. As such, we disable executing our test suite. This can be changed according to your needs
          rem (mvn is a .cmd script: without "call", cmd.exe would not return to this script once it finishes)
          call mvn clean install -DskipTests=true -s settings\\settings.xml

          rem Finalize CodeQL Database
          rem Finalize a database that was created with codeql database init and subsequently seeded with analysis data using codeql database trace-command.
          rem This needs to happen before the new database can be queried.
          rem Full documentation for database finalize step: https://codeql.github.com/docs/codeql-cli/manual/database-finalize/
          rem syntax: codeql.exe database finalize [--dbscheme=FILE] [--threads=NUM] [--ram=MB] [--mode=MODE] ... -- DATABASE
          codeql.exe database finalize \\codeql-dbs\\repo-db

          rem Analyze CodeQL Database
          rem Analyze a CodeQL database, producing meaningful results in the context of the source code.
          rem Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format.
          rem Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality
          rem Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/
          rem syntax: codeql.exe database analyze --format=FORMAT --output=OUTPUT [--threads=NUM] [--ram=MB] ... -- DATABASE QUERIES...
          codeql.exe database analyze \\codeql-dbs\\repo-db java-security-and-quality.qls --format=sarif-latest --output=.\\temp\\results-java.sarif
        '''
      }
    }

    // Upload results to GitHub
    // Uploads a SARIF file to GitHub code scanning.
    // For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data
    // A GitHub Apps token or personal access token must be set.
For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set.
    // This token must have the security_events scope.
    // Documentation for creating GitHub Apps or Personal Access Tokens is available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
    // Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/
    stage('Upload results to GitHub') {
      steps {
        // syntax: codeql.exe github upload-results --sarif=FILE [--github-auth-stdin] [--github-url=URL] [--repository=OWNER/NAME] [--ref=REF] [--commit=SHA] [--checkout-path=DIR] ...
        // PATH was only changed inside the previous bat step, so the CLI is called by path here. The token is piped on stdin
        // (no space before the pipe, or cmd.exe appends it to the token; the leading @ keeps cmd.exe from echoing the expanded
        // line into the build log). Alternatively set GITHUB_TOKEN in the environment and drop --github-auth-stdin.
        bat '@echo %GITHUB_TOKEN%| ..\\codeql\\codeql.exe github upload-results --sarif=.\\temp\\results-java.sarif --github-auth-stdin --github-url=https://github.com/ --repository=octo-org/example-repo-2 --ref=refs/heads/main --commit=deb275d2d5fe9a522a0b7bd8b6b6a1c939552718'
      }
    }

    // Other stages go here

  }

}
--------------------------------------------------------------------------------
/Azure Pipelines/Azure-Pipelines-template-linux-with-indirect-build-tracing.yml:
--------------------------------------------------------------------------------
# This sample YAML file shows how to configure an Azure Pipeline to analyze a repository using the CodeQL CLI Bundle
# This example assumes a Linux environment and takes advantage of indirect build tracing ("sandwich mode") to leverage an existing set of build commands

# Use this when a repository is stored in GitHub
# To run CodeQL on Azure Repos see: https://learn.microsoft.com/en-us/azure/devops/repos/security/github-advanced-security-code-scanning?view=azure-devops

# The pipeline needs a variable called GITHUB_TOKEN (don't forget to mark it as secret)
# This secret will contain a personal access token, either classic or (preferably) fine-grained
# The classic token requires the security_events scope (the repo scope includes it)
# The fine-grained token requires the following repository permission: Code scanning alerts (read and write)

# Adapt the trigger to your needs
trigger:
  branches:
    include:
      - '*'
  paths:
    exclude:
      - test/*
      - doc/*
      - lib/*
    include:
      - src/*

variables:
  # Language to scan. Possible values
  # cpp, csharp, go, java, javascript, python, ruby, swift
  language: java

stages:
  - stage:
    jobs:
      - job:
        displayName: CodeQL analyze

        pool:
          vmImage: 'ubuntu-latest'
        workspace:
          clean: all
        steps:

          # OPTIONAL: Download CodeQL CLI Bundle
          # The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL query suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline,
          # or pre-downloaded and placed on the CI/CD build machine(s). In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from
          # https://github.com/github/codeql-action/releases, extract it and place it on the PATH.
          - script: |
              wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz \
                -O ../codeql-bundle-linux64.tar.gz \
                --show-progress \
                --progress=dot:mega

              tar xzvf ../codeql-bundle-linux64.tar.gz -C ../
              rm ../codeql-bundle-linux64.tar.gz

              # Put the CLI on the PATH of every later step (a plain 'export PATH=...' would only last for this step)
              cli_path="$(cd ..; pwd)/codeql"
              echo "##vso[task.prependpath]$cli_path"

              sarif_file=$(mktemp)

              echo "##vso[task.setvariable variable=sarif_file;]$sarif_file"
            displayName: Download CodeQL CLI Bundle

          # Initialize CodeQL
          # Create a skeleton structure for a CodeQL database that doesn't have a raw QL dataset yet, but is ready for running extractor steps
          # Prior to running any build commands, the generated scripts containing environment variables must be sourced.
          # Full documentation for database init step: https://codeql.github.com/docs/codeql-cli/manual/database-init/
          - script: |
              # You may need to change --source-root if checking out multiple repositories
              codeql database init db --language="$(language)" --source-root="$(Build.SourcesDirectory)" --begin-tracing
            displayName: Initialize CodeQL database

          - script: |
              # Start tracing in this step and export every environment variable the start-tracing script
              # defined to the rest of the pipeline. Each script step runs in its own shell, so the variables
              # have to be re-published with the task.setvariable logging command to reach the build step.
              # Note: this compares variable NAMES, so a variable that already existed and was only changed
              # by the script (e.g. PATH) is not propagated.
              env_before=$(printenv | cut -d '=' -f 1 | sort)
              . db/temp/tracingEnvironment/start-tracing.sh
              env_after=$(printenv | cut -d '=' -f 1 | sort)

              comm -13 <(echo "$env_before") <(echo "$env_after") | while read -r env_name; do
                echo "##vso[task.setvariable variable=$env_name;]${!env_name}"
              done
            displayName: Start CodeQL tracing

          # Insert here your build steps.
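The "Start CodeQL tracing" step above republishes the variables that `start-tracing.sh` exported so that the separate build step can see them, but it diffs variable names only: a variable that already existed and was merely modified by the script would not be propagated. The function below is an added example, not the template's own step; it does the same job by diffing `NAME=value` lines, which catches both new and changed variables, and it takes the path to the script to source as its only argument.

```bash
#!/usr/bin/env bash
# Added example, not the template's own step: source a script and print an Azure Pipelines
# "##vso[task.setvariable]" line for every environment variable it created OR changed.
# The template's step diffs variable *names* only, so a script that prepends to a variable that
# already exists (PATH, LD_PRELOAD, ...) goes unnoticed; diffing NAME=value lines catches both cases.
# Assumed input: the path to start-tracing.sh, or any script that uses "export".
set -e

# Print one "##vso[task.setvariable variable=NAME;]VALUE" line per new or changed variable.
# Runs in a subshell so the caller's environment is untouched; the agent applies the lines to later steps.
export_env_delta() {
  script=$1
  (
    before=$(mktemp); after=$(mktemp)
    env | LC_ALL=C sort > "$before"
    # shellcheck disable=SC1090
    . "$script"
    env | LC_ALL=C sort > "$after"
    # Lines present only after sourcing: new variables, or existing ones whose value changed.
    # (comm needs both inputs sorted with the same collation, hence LC_ALL=C on both.)
    LC_ALL=C comm -13 "$before" "$after" | while IFS= read -r line; do
      case $line in
        [A-Za-z_]*=*)
          name=${line%%=*}
          value=${line#*=}
          printf '##vso[task.setvariable variable=%s;]%s\n' "$name" "$value"
          ;;
        *) ;;  # continuation lines of multi-line values are not supported; keep such values out of the script
      esac
    done
    rm -f "$before" "$after"
  )
}

# In the "Start CodeQL tracing" step, replace the name-only diff with:
#   export_env_delta db/temp/tracingEnvironment/start-tracing.sh
```

Values containing newlines are the one case this does not handle, since `env` prints them over several lines; the tracing scripts generated by the CLI do not produce such values.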
          # Adding a Java build as an example
          - script: |
              mvn clean install -DskipTests=true
            displayName: Build Java Application

          # Finalize a database that was created with codeql database init and subsequently seeded with analysis data using codeql database trace-command.
          # This needs to happen before the new database can be queried.
          # Full documentation for database finalize step: https://codeql.github.com/docs/codeql-cli/manual/database-finalize/
          - script: |
              codeql database finalize db
            displayName: Finalize CodeQL database

          # Analyze CodeQL Database
          # Analyze a CodeQL database, producing meaningful results in the context of the source code.
          # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format.
          # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality
          # Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/
          - script: |
              codeql database analyze \
                --format=sarif-latest \
                --sarif-category="$(language)" \
                --sarif-add-baseline-file-info \
                --output="$(sarif_file)" \
                db $(language)-security-and-quality.qls
            displayName: Analyze CodeQL Database

          # Upload results to GitHub
          # Uploads a SARIF file to GitHub code scanning.
          # For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data
          # A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set.
          # This token must have the security_events scope.
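The templates on this page either hard-code `--ref`/`--commit` or derive them with CI-specific `when`/`unless` blocks, and they hand the token to the CLI in three different ways (`echo $GITHUB_TOKEN |`, an environment variable, or nothing at all behind `--github-auth-stdin`). The following is an added example, not part of any template: it resolves the ref and commit from the CircleCI and Azure Pipelines variables the templates already use, and always feeds the token on stdin. `CODEQL`, `CODEQL_UPLOAD_REF`, `GITHUB_TOKEN_FILE` and `GITHUB_URL` are names assumed here for the example.

```sh
#!/bin/sh
# Added example, not from the templates: pick the ref and commit to report to code scanning from
# whichever CI system set them, and hand the token to the CLI on stdin rather than on the command
# line. Assumptions: GITHUB_TOKEN (or a file named by GITHUB_TOKEN_FILE) holds a token with the
# security_events scope; CODEQL points at the CLI (default: codeql on PATH); CODEQL_UPLOAD_REF is an
# optional manual override. The CircleCI/Azure variable names are the ones the templates use.
set -eu

# Ref to report, in order of preference. CircleCI has no single "ref" variable: PR builds expose the
# PR URL (its last path element is the number), tag builds CIRCLE_TAG, other builds CIRCLE_BRANCH.
# Azure's Build.SourceBranch is already a full ref (refs/heads/..., refs/pull/N/merge, refs/tags/...).
resolve_github_ref() {
  if [ -n "${CODEQL_UPLOAD_REF:-}" ]; then printf '%s\n' "$CODEQL_UPLOAD_REF"
  elif [ -n "${CIRCLE_PULL_REQUEST:-}" ]; then printf 'refs/pull/%s/head\n' "${CIRCLE_PULL_REQUEST##*/}"
  elif [ -n "${CIRCLE_TAG:-}" ]; then printf 'refs/tags/%s\n' "$CIRCLE_TAG"
  elif [ -n "${CIRCLE_BRANCH:-}" ]; then printf 'refs/heads/%s\n' "$CIRCLE_BRANCH"
  elif [ -n "${BUILD_SOURCEBRANCH:-}" ]; then printf '%s\n' "$BUILD_SOURCEBRANCH"
  else printf 'refs/heads/%s\n' "$(git rev-parse --abbrev-ref HEAD)"
  fi
}

# Commit SHA the SARIF describes; it must be the commit that was actually analyzed.
resolve_commit() {
  if [ -n "${CIRCLE_SHA1:-}" ]; then printf '%s\n' "$CIRCLE_SHA1"
  elif [ -n "${BUILD_SOURCEVERSION:-}" ]; then printf '%s\n' "$BUILD_SOURCEVERSION"
  else git rev-parse HEAD
  fi
}

# upload_sarif <sarif-file> <owner/repo>
# The token goes to the CLI's stdin only: it is never an argv element (readable by every local user
# via ps) and, when GITHUB_TOKEN_FILE is used, never an environment variable inherited by the build.
upload_sarif() {
  sarif=$1; repo=$2
  set -- github upload-results "--sarif=$sarif" "--repository=$repo" \
    "--ref=$(resolve_github_ref)" "--commit=$(resolve_commit)" \
    "--github-url=${GITHUB_URL:-https://github.com/}" --github-auth-stdin
  if [ -n "${GITHUB_TOKEN_FILE:-}" ]; then
    "${CODEQL:-codeql}" "$@" < "$GITHUB_TOKEN_FILE"
  else
    printf '%s' "$GITHUB_TOKEN" | "${CODEQL:-codeql}" "$@"
  fi
}

# Pipeline usage (replaces the hard-coded --ref/--commit and the 'echo $GITHUB_TOKEN |' prefix):
#   upload_sarif ./temp/results-java.sarif octo-org/example-repo-2
```

`printf '%s'` is used instead of `echo $GITHUB_TOKEN` because an unquoted `echo` word-splits and glob-expands the value and some shells interpret leading dashes or backslashes in it; `set -u` makes a missing token fail the step instead of uploading with an empty credential.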
          # Documentation for creating GitHub Apps or Personal Access Tokens is available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
          # Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/
          # Here the token reaches the CLI through the GITHUB_TOKEN environment variable, mapped from the secret pipeline
          # variable below (Azure does not expose secret variables to scripts unless they are mapped explicitly).
          - script: |
              codeql github upload-results \
                --sarif="$(sarif_file)" \
                --github-url=https://github.com/ \
                --repository="$(Build.Repository.Name)" \
                --ref="$(Build.SourceBranch)" \
                --commit="$(Build.SourceVersion)"
            displayName: Upload results to GitHub $(Build.Repository.Name)
            env:
              GITHUB_TOKEN: $(GITHUB_TOKEN)

--------------------------------------------------------------------------------
/Jenkins/Jenkinsfile-template-linux-with-indirect-build-tracing:
--------------------------------------------------------------------------------
/*
This sample Jenkinsfile shows how to configure a Jenkins pipeline to analyze a repository using the CodeQL CLI bundle
This example assumes a Linux environment and takes advantage of indirect build tracing ("sandwich mode") to leverage an existing set of build commands
*/

pipeline {

  agent { label 'run-codeql-analysis' }

  environment {
    ...
  }

  options {
    ...
  }

  stages {
    // Clone repository
    stage('Clone Repository') {
      steps {
        git url: 'https://github.com/octo-org/example-repo-2.git'
      }
    }

    // OPTIONAL: Download CodeQL CLI Bundle
    // The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL query suites, which is recommended for CI/CD integration) can either be downloaded as part of the pipeline,
    // or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace /path/to/cli in subsequent stages with the absolute path to the download location.
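The indirect-build-tracing ("sandwich mode") sequence used by this Jenkins template is init, source `start-tracing.sh`, build, finalize. Jenkins starts a fresh shell for every `sh` step, so the sourced variables only reach the build if the build runs in the same step; otherwise the compiler runs untraced and `database finalize` ends up with an empty database. The function below is an added example (not part of this repository's templates) that keeps the whole sequence in one shell process; `CODEQL` is an assumed variable naming the CLI, the build command is passed as arguments, and the current directory is assumed to be the source root.

```sh
#!/bin/sh
# Added example, not part of the Jenkins templates: run database init, start-tracing, the build and
# database finalize in ONE shell process. Jenkins starts a fresh shell for every sh step (CircleCI
# run steps and Harness Run steps behave the same), so a start-tracing.sh sourced in its own step has
# no effect on the build step that follows: the compiler runs untraced and the database ends up empty.
# Assumptions: CODEQL points at the CLI (default: codeql on PATH); the build command is passed as
# arguments; the current directory is the source root.
set -eu

# codeql_traced_build <database-dir> <language> <build command...>
codeql_traced_build() {
  db=$1; lang=$2; shift 2
  codeql=${CODEQL:-codeql}

  "$codeql" database init --source-root="$(pwd)" --language="$lang" --begin-tracing "$db"

  # Source (".") rather than execute: the exports must land in THIS shell, which the build inherits.
  # shellcheck disable=SC1091
  . "$db/temp/tracingEnvironment/start-tracing.sh"

  # The build is traced only because it is a child of the shell that sourced the script above.
  "$@"

  # Detach the tracer before finalizing when the CLI generated an end script.
  if [ -f "$db/temp/tracingEnvironment/end-tracing.sh" ]; then
    # shellcheck disable=SC1091
    . "$db/temp/tracingEnvironment/end-tracing.sh"
  fi

  "$codeql" database finalize "$db"
}

# Jenkins usage: ONE sh step that sources this file and calls the function, e.g.
#   sh '. ./traced-build.sh && codeql_traced_build /codeql-dbs/repo-db java mvn clean install -DskipTests=true -s settings/settings.xml'
```

The same wrapper works unchanged on CircleCI and Harness, where a `run` step is likewise a fresh shell; only the surrounding step syntax differs.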
    // In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases.
    stage('Download CodeQL CLI Bundle') {
      steps {
        sh "wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz -O ../codeql-bundle-linux64.tar.gz"
        sh "tar xzvf ../codeql-bundle-linux64.tar.gz -C ../"
        sh "rm ../codeql-bundle-linux64.tar.gz"
      }
    }

    stage('Build and analyze code') {
      // Jenkins starts a new shell for every sh step: an 'export PATH=...' or a script sourced in one sh step is
      // gone by the next one. The PATH change, database init, sourcing of start-tracing.sh and the build therefore
      // all run in ONE multi-line sh step; a build that does not inherit the sourced variables is not traced and
      // leaves the database empty.
      steps {
        sh '''
          # Put CodeQL on the PATH
          # example: export PATH="$(cd ..; pwd)/codeql:$PATH"
          export PATH=/path/to/cli:$PATH

          # Initialize CodeQL
          # Create a skeleton structure for a CodeQL database that doesn't have a raw QL dataset yet, but is ready for running extractor steps
          # Prior to running any build commands, the generated scripts containing environment variables must be sourced.
          # Full documentation for database init step: https://codeql.github.com/docs/codeql-cli/manual/database-init/
          # syntax: codeql database init --source-root=<dir> [--language=<lang>[,...]] [--github-auth-stdin] [--github-url=<url>] --begin-tracing <database>
          codeql database init --source-root=/checkouts/my-repo --language=java --begin-tracing /codeql-dbs/repo-db

          # Source environment variables
          # Set the generated environment variables so they are available for the build commands
          # Note that we are sourcing the script using '. /path/to/script.sh'. This is DIFFERENT from executing it with './path/to/script.sh':
          # executing would run it in a child shell, and any variables set there would not be available to the commands that follow.
          # Sourcing sets the variables in the current shell, i.e. for the remainder of this sh step only.
          . /codeql-dbs/repo-db/temp/tracingEnvironment/start-tracing.sh

          # Run build commands
          # In this example, we have a simple maven project with a pom.xml in the root of the repository, and a settings file in a subdirectory
          # For Code Scanning purposes, we only need to compile the code. As such, we disable executing our test suite. This can be changed according to your needs
          mvn clean install -DskipTests=true -s settings/settings.xml

          # Finalize CodeQL Database
          # Finalize a database that was created with codeql database init and subsequently seeded with analysis data using codeql database trace-command.
          # This needs to happen before the new database can be queried.
          # Full documentation for database finalize step: https://codeql.github.com/docs/codeql-cli/manual/database-finalize/
          # syntax: codeql database finalize [--dbscheme=<file>] [--threads=<num>] [--ram=<MB>] [--mode=<mode>] ... -- <database>
          codeql database finalize /codeql-dbs/repo-db

          # Analyze CodeQL Database
          # Analyze a CodeQL database, producing meaningful results in the context of the source code.
          # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format.
          # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality
          # Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/
          # syntax: codeql database analyze --format=<format> --output=<output> [--threads=<num>] [--ram=<MB>] ... -- <database> <queries>...
          codeql database analyze /codeql-dbs/repo-db java-security-and-quality.qls --format=sarif-latest --output=./temp/results-java.sarif
        '''
      }
    }

    // Upload results to GitHub
    // Uploads a SARIF file to GitHub code scanning.
    // For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data
    // A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set.
    // This token must have the security_events scope.
    // Documentation for creating GitHub Apps or Personal Access Tokens is available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
    // Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/
    stage('Upload results to GitHub') {
      steps {
        // syntax: codeql github upload-results --sarif=<file> [--github-auth-stdin] [--github-url=<url>] [--repository=<owner/name>] [--ref=<ref>] [--commit=<sha>] [--checkout-path=<dir>] ...
        // PATH was only changed inside the previous sh step, so the CLI is called by path here. With --github-auth-stdin the
        // token has to arrive on stdin; alternatively set GITHUB_TOKEN in the environment and drop the flag.
        sh 'printf "%s" "$GITHUB_TOKEN" | ../codeql/codeql github upload-results --sarif=./temp/results-java.sarif --github-auth-stdin --github-url=https://github.com/ --repository=octo-org/example-repo-2 --ref=refs/heads/main --commit=deb275d2d5fe9a522a0b7bd8b6b6a1c939552718'
      }
    }

    // Other stages go here

  }

}
--------------------------------------------------------------------------------
/Azure Pipelines/README.md:
--------------------------------------------------------------------------------
# CodeQL Analysis Pipeline

This repository contains sample Azure Pipelines YAML files that demonstrate different methods of configuring CodeQL static analysis in Azure DevOps pipelines.
These files can be used as starting points for setting up code scanning with GitHub Advanced Security.

There is also an Azure Pipelines [steps template](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/templates) that can be used to run CodeQL analysis from your existing pipelines with no or minimal changes.

## Samples

These samples can be used as a starting point to create your own pipelines.

### Windows

#### [Azure-Pipelines-template-windows.yml](Azure-Pipelines-template-windows.yml)

This sample provides a basic configuration for running CodeQL analysis on a Windows build agent. It:
- Downloads the CodeQL CLI Bundle during the pipeline run
- Creates a CodeQL database for JavaScript code
- Performs the analysis using the `javascript-security-and-quality.qls` query suite
- Uploads the results to GitHub Code Scanning

This template is suitable for simpler codebases where the [autobuilder](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-autobuild-for-codeql) can compile the code correctly.

#### [Azure-Pipelines-template-windows-with-indirect-build-tracing.yml](Azure-Pipelines-template-windows-with-indirect-build-tracing.yml)

This template demonstrates how to run CodeQL analysis using "sandwich mode" (indirect build tracing) on Windows.
It: 26 | - Uses PowerShell Core for all script execution 27 | - Downloads the CodeQL CLI Bundle 28 | - Initializes the CodeQL database before the build 29 | - Captures and applies tracing environment variables 30 | - Builds a C# application using VSBuild (as an example) 31 | - Finalizes the database after the build 32 | - Analyzes and uploads the results to GitHub Code Scanning 33 | 34 | This approach is ideal for complex build processes or when you need precise control over the build steps while maintaining CodeQL tracing. 35 | 36 | ### Linux 37 | 38 | #### [Azure-Pipelines-template-linux.yml](Azure-Pipelines-template-linux.yml) 39 | 40 | This template provides a configuration for running CodeQL analysis on a Linux build agent. It: 41 | - Downloads the CodeQL CLI Bundle 42 | - Creates a CodeQL database for JavaScript code (configurable via variables) 43 | - Uses the autobuilder for compilation 44 | - Performs the analysis with the language-specific security and quality query suite 45 | - Uploads the results to GitHub Code Scanning 46 | 47 | This template is suitable for Linux-based builds where the [autobuilder](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-autobuild-for-codeql) can correctly compile the code. 48 | 49 | #### [Azure-Pipelines-template-linux-with-indirect-build-tracing.yml](Azure-Pipelines-template-linux-with-indirect-build-tracing.yml) 50 | 51 | This template demonstrates how to run CodeQL analysis using "sandwich mode" (indirect build tracing) on Linux. 
It: 52 | - Downloads the CodeQL CLI Bundle 53 | - Initializes the CodeQL database with begin-tracing 54 | - Correctly propagates the tracing environment variables to the pipeline 55 | - Includes an example Maven build step for Java applications 56 | - Finalizes, analyzes and uploads the results to GitHub Code Scanning 57 | 58 | This approach is recommended for complex build processes on Linux or when you need to integrate with existing build steps while maintaining CodeQL tracing. 59 | 60 | ## Azure Pipelines Templates 61 | 62 | The [codeql-steps-template.yml](codeql-steps-template.yml) is a reusable steps template that can be easily included in existing Azure Pipelines. This template: 63 | 64 | - Encapsulates all the CodeQL setup, analysis, and upload steps in a single importable file 65 | - Supports both Windows, Linux and MacOS environments 66 | - Configurable via parameters for language, query suite, packs and build commands 67 | - Handles CodeQL CLI download and setup (if agent doesn't have it already) 68 | - Supports both direct database creation and indirect build tracing ("sandwich mode") this is all abstract via the use of build modes. 69 | - Uploads results to GitHub Code Scanning 70 | - Supports push and pull request scans. 71 | 72 | The template works on Linux, MacOS and Windows. 73 | 74 | To use this template in your existing pipeline, you need to reference (after storing it on a central repository or the code repository for simpler cases). 
75 | 76 | ### Examples 77 | 78 | #### Non compiled languages 79 | 80 | For a JavaScript application that doesn't require any explicit build steps, this would allow to easily scan your project from your pipeline (showing only the steps): 81 | 82 | ```yaml 83 | - checkout: self 84 | - template: codeql-steps-template@templates 85 | parameters: 86 | language: javascript 87 | query: security-extended 88 | buildmode: none 89 | token: $(GITHUB_TOKEN) 90 | packs: 91 | - 'githubsecuritylab/codeql-javascript-queries' 92 | - 'githubsecuritylab/hotspots-javascript-queries' 93 | ``` 94 | 95 | This example besides using the `security-extended` query suite, it uses two query packs as well (from [CodeQL Community packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs)). 96 | 97 | #### Compiled Languages 98 | 99 | For compiled languages you can use `autobuild` for the `buildMode` or for compiled languages that can be scanned without being built (eg: Java or .Net). 100 | 101 | If your code can't be scanned in autobuild or build mode none, you can set the `buildMode` to `manual` and define the build steps in the `manualbuildSteps` parameter. 
102 | 103 | ```yaml 104 | - checkout: self 105 | - template: templates/codeql-template.yml 106 | parameters: 107 | language: java 108 | query: security-extended 109 | token: $(GITHUB_TOKEN) 110 | buildmode: manual 111 | manualbuildsteps: 112 | - task: JavaToolInstaller@1 113 | inputs: 114 | versionSpec: '8' 115 | jdkArchitectureOption: 'x64' 116 | jdkSourceOption: 'PreInstalled' 117 | displayName: Setup Java 8 118 | 119 | - bash: | 120 | mvn -B package cobertura:cobertura --file pom.xml -DskipITs --batch-mode --quiet 121 | displayName: Build with Maven 122 | ``` 123 | 124 | You can read more about build modes in [CodeQL build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes) 125 | 126 | ## Requirements 127 | 128 | These samples/template have the following requirements: 129 | - A GitHub repository with Advanced Security enabled 130 | - A GitHub personal access token (PAT) stored as a secret variable in the pipeline 131 | - For classic PATs: needs the `security events` scope (in repo) 132 | - For fine-grained PATs: needs read and write access to "Code scanning alerts" 133 | - You can also use a GitHub App for authentication as an alternative to a PAT 134 | 135 | ## Configuration 136 | 137 | Each sample includes comments that indicate where customization is needed. Look for comment markers like: 138 | - `# replace this with your actual triggers` 139 | - `# replace this with your actual build command` 140 | 141 | Additionally, the language can be configured by changing the language parameter in the respective CodeQL commands or by modifying the `language` variable in the samples. 
142 | -------------------------------------------------------------------------------- /Azure Pipelines/Azure-Pipelines-template-windows-with-indirect-build-tracing.yml: -------------------------------------------------------------------------------- 1 | # This sample YAML file shows how to configure an Azure Pipeline to analyze a repository using the CodeQL CLI Bundle 2 | # 3 | # It assumes a Windows environment and use indirect build tracing ("sandwich mode") around an existing set of build commands 4 | # 5 | # It requires: 6 | # - PowerShell Core to be on the Pipeline image 7 | # - a GitHub access token to be set in the pipeline Variables as a secret variable 8 | # - Advanced Security to be enabled on the GitHub repository 9 | 10 | # ℹ️ You will need to replace parts of this pipeline with your own triggers, preparatory Tasks and build Task, etc. marked with pointing hands 👉 11 | # You may also wish to edit the query suite/language as appropriate on :164 12 | 13 | # ***** replace this 👇 with your actual triggers; these are just examples ****** 14 | trigger: 15 | branches: 16 | include: 17 | - '*' 18 | paths: 19 | exclude: 20 | - test/* 21 | - doc/* 22 | - lib/* 23 | include: 24 | - src/* 25 | # ***** replace this 👆 with your actual triggers; these are just examples ****** 26 | 27 | # ***** replace this 👇 with your actual resources; these are just examples. This can be defined outside of the pipeline YAML ****** 28 | resources: 29 | repositories: 30 | - repository: templates 31 | type: github 32 | name: octo-org/example-repo-2 33 | endpoint: octo-org 34 | # ***** replace this 👆 with your actual resources; these are just examples. 
This can be defined outside of the pipeline YAML ****** 35 | 36 | # ***** replace this 👆 with your real stage/job details; this is just an example ****** 37 | stages: 38 | - stage: __default 39 | jobs: 40 | - job: Job 41 | workspace: 42 | clean: all 43 | pool: 44 | vmImage: 'windows-latest' # 👈 replace this with your own required pool, ensuring that PowerShell Core is installed on the image 45 | # ***** replace this 👆 with your real stage/job details; this is just an example ****** 46 | 47 | steps: 48 | - checkout: self 49 | fetchTags: true 50 | 51 | # Preparatory tasks 52 | # These are outside of the CodeQL instrumentation 53 | # ***** replace this 👇 with your actual pre-build tasks ****** 54 | - task: PowerShell@2 55 | displayName: Pre-build task 56 | inputs: 57 | targetType: inline 58 | pwsh: true 59 | script: | 60 | echo "Pre-build task" 61 | # ***** replace this 👆 with your actual pre-build tasks ****** 62 | 63 | # Download CodeQL 64 | - task: PowerShell@2 65 | displayName: Download CodeQL CLI Bundle 66 | inputs: 67 | targetType: inline 68 | pwsh: true 69 | script: | 70 | Invoke-WebRequest https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-win64.tar.gz -OutFile ../codeql-bundle-win64.tar.gz 71 | tar xzvf ../codeql-bundle-win64.tar.gz -C ../ 72 | del ../codeql-bundle-win64.tar.gz 73 | cd ../ 74 | $sep = [IO.Path]::DirectorySeparatorChar 75 | echo "##vso[task.prependpath]${pwd}${sep}codeql" 76 | 77 | # Initialize CodeQL 78 | # Create a skeleton structure for a CodeQL database that doesn’t have a raw QL dataset yet, but is ready for running extractor steps 79 | # Prior to running any build commands, the generated scripts containing environment variables must be sourced. 
80 | # Full documentation for database init step: https://codeql.github.com/docs/codeql-cli/manual/database-init/ 81 | - task: PowerShell@2 82 | displayName: Initialize CodeQL database 83 | inputs: 84 | # Assumes the source code is checked out to the current working directory. 85 | # Creates a database at `/db`. 86 | # Running on Windows, so specifies a trace process level. 87 | # Alternatively, pass the flag --trace-process-mode=azure-pipelines to codeql database init to trace a build command in a pipeline job that runs in a Windows container. It will also do the right thing for a pipeline job on Windows that does not run in a container. 88 | targetType: inline 89 | pwsh: true 90 | script: | 91 | codeql database init --language csharp --trace-process-name Agent.Worker.exe --source-root . --begin-tracing db 92 | 93 | # Source environment variables 94 | # Read the generated environment variables and values, and set them so they are available for subsequent commands in the build pipeline. This is done in PowerShell in this example. 95 | - task: PowerShell@2 96 | displayName: Set CodeQL environment variables 97 | inputs: 98 | targetType: inline 99 | pwsh: true 100 | script: | 101 | $json = Get-Content $(System.DefaultWorkingDirectory)/db/temp/tracingEnvironment/start-tracing.json | ConvertFrom-Json 102 | $json.PSObject.Properties | ForEach-Object { 103 | $template = "##vso[task.setvariable variable=" 104 | $template += $_.Name 105 | $template += "]" 106 | $template += $_.Value 107 | echo "$template" 108 | } 109 | 110 | # Run build commands 111 | # ***** replace this 👇 with your actual build command ****** 112 | # In this example, we have a simple C# application built using VSBuild. 113 | - task: VSBuild@1 114 | displayName: Visual Studio Build 115 | inputs: 116 | solution: '**/*.sln' 117 | # Disable MSBuild shared compilation for C# builds. 
118 | msbuildArgs: /p:OutDir=$(Build.ArtifactStagingDirectory) /p:UseSharedCompilation=false 119 | platform: Any CPU 120 | configuration: Release 121 | # Execute a clean build, in order to remove any existing build artifacts prior to the build. 122 | clean: True 123 | # ***** replace this 👆 with your actual build command ****** 124 | 125 | # Read and set the generated environment variables to end build tracing. This is done in PowerShell in this example. 126 | - task: PowerShell@2 127 | displayName: Clear CodeQL environment variables 128 | inputs: 129 | targetType: inline 130 | pwsh: true 131 | script: | 132 | $json = Get-Content $(System.DefaultWorkingDirectory)/db/temp/tracingEnvironment/end-tracing.json | ConvertFrom-Json 133 | $json.PSObject.Properties | ForEach-Object { 134 | $template = "##vso[task.setvariable variable=" 135 | $template += $_.Name 136 | $template += "]" 137 | $template += $_.Value 138 | echo "$template" 139 | } 140 | 141 | # Finalize CodeQL Database 142 | # Finalize a database that was created with codeql database init and subsequently seeded with analysis data using codeql database trace-command. 143 | # This needs to happen before the new database can be queried. 144 | # Full documentation for database finalize step: https://codeql.github.com/docs/codeql-cli/manual/database-finalize/ 145 | - task: PowerShell@2 146 | displayName: Finalize CodeQL database 147 | inputs: 148 | targetType: inline 149 | pwsh: true 150 | script: | 151 | codeql database finalize db 152 | 153 | # Analyze CodeQL Database 154 | # Analyze a CodeQL database, producing meaningful results in the context of the source code. 155 | # Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format. 
156 | # Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality 157 | # Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/ 158 | - task: PowerShell@2 159 | displayName: Analyze CodeQL Database 160 | inputs: 161 | targetType: inline 162 | pwsh: true 163 | # edit the query suite/language as appropriate 👇 164 | script: | 165 | codeql database analyze db csharp-security-and-quality.qls --format=sarif-latest --output="$(Agent.TempDirectory)"/results-csharp.sarif 166 | 167 | # Upload results to GitHub 168 | # Uploads a SARIF file to GitHub code scanning. 169 | # For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data 170 | # A GitHub Apps token or personal access token must be set, by setting a secret Variable in the Azure DevOps Pipeline, called GITHUB_TOKEN 171 | # This token must have the security_events scope, for classic tokens, or be given read & write "Code scanning alerts" permission for a fine-grained access token 172 | # Documentation for creating GitHub Apps or Personal Access Tokens are available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 173 | # Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/ 174 | - task: PowerShell@2 175 | displayName: Upload results to GitHub 176 | env: 177 | GITHUB_TOKEN: $(GITHUB_TOKEN) 178 | inputs: 179 | targetType: inline 180 | pwsh: true 181 | script: | 182 | codeql github upload-results --sarif="$(Agent.TempDirectory)"/results-csharp.sarif --github-url=https://github.com/ --repository="$(Build.Repository.Name)" --ref="$(Build.SourceBranch)" --commit="$(Build.SourceVersion)" 183 | -------------------------------------------------------------------------------- /Azure 
Pipelines/codeql-steps-template.yml: -------------------------------------------------------------------------------- 1 | # CodeQL Analysis Template for Azure Pipelines 2 | # 3 | # This template runs CodeQL analysis on a GitHub repository within Azure Pipelines. 4 | # It handles downloading the CodeQL bundle (if not installed in tools cache), database creation, analysis, and result upload. 5 | # 6 | # If the agent already has CodeQL bundled in installation tools directory it will use it, otherwise downloads the latest codeql bundle 7 | # and uses it. 8 | # 9 | # REQUIREMENTS: 10 | # - GitHub repository 11 | # - bash and powershell if agent is windows 12 | # - GitHub token (PAT or GitHub App token) with code scanning write permissions 13 | # 14 | # USAGE EXAMPLE: 15 | # ```yaml 16 | # - template: templates/codeql-template.yml 17 | # parameters: 18 | # language: 'javascript' 19 | # query: 'security-extended' 20 | # packs: 21 | # - 'githubsecuritylab/codeql-java-queries' 22 | # buildmode: 'autobuild' 23 | # token: $(githubtoken) 24 | # ``` 25 | 26 | parameters: 27 | # Required parameters 28 | - name: language 29 | type: string 30 | displayName: Programming language to analyze 31 | 32 | - name: token 33 | type: string 34 | displayName: GitHub token for authentication (at least code scanning write permissions) 35 | 36 | # Optional parameters with defaults 37 | - name: query 38 | type: string 39 | displayName: CodeQL query suite to run 40 | default: security-extended 41 | 42 | - name: packs 43 | type: object 44 | displayName: Additional CodeQL packs to run (only supports non-authenticated registries) 45 | default: [] 46 | 47 | - name: buildmode 48 | type: string 49 | displayName: Build mode (autobuild, manual, or none) 50 | default: autobuild 51 | values: 52 | - autobuild 53 | - manual 54 | - none 55 | 56 | - name: manualbuildsteps 57 | type: stepList 58 | displayName: Custom build steps (only used if buildmode=manual) 59 | default: 60 | [] 61 | 62 | # Resource 
configuration 63 | - name: codeqlThreads 64 | type: number 65 | default: 0 66 | displayName: Threads to use for CodeQL (0=auto) 67 | 68 | - name: codeqlMemory 69 | type: number 70 | default: 5500 71 | displayName: Memory limit for CodeQL in MB 72 | 73 | steps: 74 | # Validation step 75 | - bash: | 76 | # Check if repository is hosted on GitHub 77 | if [ "$(Build.Repository.Provider)" != 'GitHub' ]; then 78 | echo '##[error]This template only supports GitHub repositories' 79 | exit 1 80 | fi 81 | 82 | # Check if GitHub token is provided 83 | if [ -z "${{ parameters.token }}" ]; then 84 | echo '##[error]GitHub token is required for authentication' 85 | exit 1 86 | fi 87 | 88 | if [[ ! "${{ parameters.token }}" =~ ^gh ]]; then 89 | echo '##[warning]The provided token does not start with "gh", so it is probably not a valid GitHub token (this might fail later when the token is used).' 90 | fi 91 | 92 | # Check if language is provided 93 | if [ -z "${{ parameters.language }}" ]; then 94 | echo '##[error]Language parameter is required' 95 | exit 1 96 | fi 97 | 98 | if [ -z "${{ parameters.buildmode }}" ]; then 99 | echo '##[error]Build mode parameter is required' 100 | exit 1 101 | fi 102 | 103 | # Extract GitHub organization/owner name 104 | githubowner=$(echo "$(Build.Repository.Name)" | cut -d'/' -f1) 105 | echo "##vso[task.setvariable variable=githubowner]$githubowner" 106 | 107 | echo "GitHub Owner: $githubowner" 108 | echo "Repository: $(Build.Repository.Name)" 109 | displayName: 'Validate Inputs' 110 | 111 | # Setup CodeQL environment 112 | - bash: | 113 | set -e 114 | echo "Configuration Summary:" 115 | echo "======================" 116 | echo "Language: ${{ parameters.language }}" 117 | echo "Build mode: ${{ parameters.buildmode }}" 118 | echo "Query: ${{ parameters.query }}" 119 | echo "Packs: ${{ join(',', parameters.packs) }}" 120 | echo "Threads: ${{ parameters.codeqlThreads }}" 121 | echo "Memory: ${{ parameters.codeqlMemory }} MB" 122 | echo 
"======================" 123 | 124 | # Setup CodeQL directories 125 | codeqlDbDir="${AGENT_TEMPDIRECTORY}/ghas.codeql" 126 | sarifDir="${AGENT_TEMPDIRECTORY}/out" 127 | 128 | rm -rf "${codeqlDbDir}" "${sarifDir}" 129 | mkdir -p "${codeqlDbDir}" "${sarifDir}" 130 | 131 | cli_extension="" 132 | case "${AGENT_OS}" in 133 | "Windows_NT") 134 | bundle_name="codeql-bundle-win64.tar.gz" 135 | cli_extension=".exe" 136 | ;; 137 | "Linux") 138 | bundle_name="codeql-bundle-linux64.tar.gz" 139 | ;; 140 | "Darwin") 141 | bundle_name="codeql-bundle-osx64.tar.gz" 142 | ;; 143 | esac 144 | 145 | echo "checking if bundle is on tools folder" 146 | 147 | if [ -d "$(Agent.ToolsDirectory)/CodeQL" ]; then 148 | echo "##[group]Checking tools directory" 149 | codeql_path=$(find "$(Agent.ToolsDirectory)/CodeQL" -name "codeql${cli_extension}" -type f -maxdepth 4 | sort -r | head -n 1) 150 | echo "Found CodeQL binary: ${codeql_path}" 151 | if [ ! -z "$codeql_path" ]; then 152 | cli_path=$(dirname "$codeql_path") 153 | echo "Using cached bundle in ${cli_path}" 154 | else 155 | echo "##vso[task.logissue type=error]CodeQL binary not found in tools cache" 156 | echo "##[endgroup]" 157 | exit 1 158 | fi 159 | echo "##[endgroup]" 160 | else 161 | echo "##[group]Downloading Bundle ${bundle_name}" 162 | 163 | codeql_path="${AGENT_TEMPDIRECTORY}/codeql" 164 | bundle_path="${codeql_path}/${bundle_name}" 165 | 166 | mkdir -p "${codeql_path}" 167 | 168 | echo "Will use ${codeql_path} to store the bundle" 169 | echo "Downloading bundle to ${bundle_path}" 170 | 171 | if ! 
curl -L -o "${bundle_path}" \ 172 | --retry 2 \ 173 | --max-time 60 \ 174 | --progress-bar \ 175 | "https://github.com/github/codeql-action/releases/latest/download/${bundle_name}"; then 176 | 177 | echo "##vso[task.logissue type=error]Failed to download CodeQL bundle" 178 | echo "##[endgroup]" 179 | exit 1 180 | fi 181 | 182 | cli_path="${codeql_path}/codeql" 183 | 184 | # in windows patches paths to a path that tar can process (it can't handle c:\XXX format) 185 | if [ "${AGENT_OS}" = "Windows_NT" ]; then 186 | # check if cygpath is installed 187 | path_tool=cygpath 188 | if ! command -v "${path_tool}" &> /dev/null; then 189 | # use wslpath instead 190 | path_tool=wslpath 191 | fi 192 | bundle_path=$($path_tool -u "${bundle_path}") 193 | codeql_path=$($path_tool -u "${codeql_path}") 194 | fi 195 | 196 | echo "untaring bundle ${bundle_path}" 197 | if ! tar xzf "${bundle_path}" -C "${codeql_path}" > /dev/null; then 198 | echo "##vso[task.logissue type=error]Failed to extract CodeQL bundle" 199 | echo "##[endgroup]" 200 | exit 1 201 | fi 202 | 203 | echo "removing bundle tar file ${bundle_path}" 204 | rm -f "${bundle_path}" 205 | 206 | echo "##[endgroup]" 207 | fi 208 | 209 | echo "##vso[task.prependpath]$cli_path" 210 | 211 | echo "" 212 | echo "Prepending CLI to Path: ${cli_path}" 213 | echo "Setting CodeQL DB path ${codeqlDbDir}" 214 | echo "Setting SARIF path ${sarifDir}" 215 | 216 | echo "##vso[task.setvariable variable=CODEQLDB_PATH]${codeqlDbDir}" 217 | echo "##vso[task.setvariable variable=SARIF_PATH]${sarifDir}" 218 | displayName: Setup CodeQL Runtime 219 | 220 | 221 | # Verify CodeQL installation 222 | - bash: | 223 | echo "Verifying CodeQL installation..." 224 | if ! codeql --version; then 225 | echo "##vso[task.logissue type=error]Failed to verify CodeQL installation" 226 | exit 1 227 | fi 228 | # Display pack and language info in debug mode 229 | if [ "$SYSTEM_DEBUG" = "true" ]; then 230 | echo "Checking available packs and languages..." 
231 | codeql resolve packs 232 | codeql resolve languages 233 | fi 234 | displayName: 'Verify CodeQL Installation' 235 | 236 | # CodeQL Database Creation - non manual mode mode 237 | - ${{ if ne(parameters.buildmode, 'manual') }}: 238 | - bash: | 239 | echo "Creating CodeQL database using ${{ parameters.buildmode }} mode" 240 | echo "Language: ${{ parameters.language }}" 241 | 242 | codeql database create "$(CODEQLDB_PATH)" \ 243 | --language=${{ parameters.language }} \ 244 | --build-mode="${{ parameters.buildmode }}" \ 245 | --no-run-unnecessary-builds \ 246 | --threads=${{ parameters.codeqlThreads }} \ 247 | --ram=${{ parameters.codeqlMemory }} 248 | displayName: 'Create CodeQL Database (${{ parameters.buildmode }})' 249 | 250 | # CodeQL Database Creation - Manual mode for Unix 251 | - ${{ if eq(parameters.buildmode, 'manual') }}: 252 | - bash: | 253 | echo "Initializing CodeQL database for manual tracing" 254 | echo "Language: ${{ parameters.language }}" 255 | 256 | codeql database init "$(CODEQLDB_PATH)" \ 257 | --language="${{ parameters.language }}" \ 258 | --source-root="$(Build.SourcesDirectory)" \ 259 | --trace-process-mode=azure-pipelines \ 260 | --begin-tracing 261 | condition: and(succeeded(), or(eq(variables['Agent.OS'], 'Linux'), eq(variables['Agent.OS'], 'Darwin'))) 262 | displayName: '[Unix] Initialize CodeQL Database' 263 | 264 | - bash: | 265 | # Export tracing environment variables to the pipeline 266 | echo "Starting CodeQL tracing..." 267 | env_before=$(printenv | cut -d '=' -f 1 | sort) 268 | . 
$(CODEQLDB_PATH)/temp/tracingEnvironment/start-tracing.sh 269 | env_after=$(printenv | cut -d '=' -f 1 | sort) 270 | 271 | # Pass environment variables to Azure Pipelines 272 | comm -13 <(echo "$env_before") <(echo "$env_after") | while read -r env_name; do 273 | echo "##vso[task.setvariable variable=$env_name;]${!env_name}" 274 | done 275 | 276 | echo "CodeQL tracing enabled" 277 | condition: and(succeeded(), or(eq(variables['Agent.OS'], 'Linux'), eq(variables['Agent.OS'], 'Darwin'))) 278 | displayName: '[Unix] Enable CodeQL Tracing' 279 | 280 | # CodeQL Database Creation - Manual mode for Windows 281 | - ${{ if eq(parameters.buildmode, 'manual') }}: 282 | - powershell: | 283 | Write-Host "Initializing CodeQL database for manual tracing" 284 | Write-Host "Language: ${{ parameters.language }}" 285 | 286 | codeql database init "$(CODEQLDB_PATH)" ` 287 | --language="${{ parameters.language }}" ` 288 | --source-root="$(Build.SourcesDirectory)" ` 289 | --trace-process-mode=azure-pipelines ` 290 | --begin-tracing 291 | condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) 292 | displayName: '[Windows] Initialize CodeQL Database' 293 | 294 | - powershell: | 295 | Write-Host "Starting CodeQL tracing..." 
296 | $json = (Get-Content $Env:CODEQLDB_PATH/temp/tracingEnvironment/start-tracing.json | ConvertFrom-Json) 297 | $json.PSObject.Properties | ForEach-Object { 298 | Write-Host "##[debug]Setting environment variable: $($_.Name)" 299 | Write-Host "##vso[task.setvariable variable=$($_.Name)]$($_.Value)" 300 | } 301 | 302 | Write-Host "CodeQL tracing enabled" 303 | condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) 304 | displayName: '[Windows] Enable CodeQL Tracing' 305 | 306 | # Execute custom build steps for manual mode 307 | - ${{ if eq(parameters.buildmode, 'manual') }}: 308 | - ${{ each step in parameters.manualbuildsteps }}: 309 | - ${{ step }} 310 | 311 | # Finalize database for manual mode 312 | - ${{ if eq(parameters.buildmode, 'manual') }}: 313 | - bash: | 314 | echo "Finalizing CodeQL database..." 315 | codeql database finalize "$(CODEQLDB_PATH)" 316 | displayName: 'Finalize CodeQL Database' 317 | 318 | # Download additional CodeQL packs 319 | - ${{ if gt(length(parameters.packs), 0) }}: 320 | - ${{ each pack in parameters.packs }}: 321 | - bash: | 322 | echo "Downloading CodeQL pack: ${{ pack }}" 323 | codeql pack download "${{ pack }}" 324 | displayName: 'Download CodeQL Pack: ${{ pack }}' 325 | 326 | # Run CodeQL analysis 327 | - bash: | 328 | echo "Running CodeQL analysis for ${{ parameters.language }}..." 329 | 330 | # Prepare packs parameter if any packs specified 331 | packs_array=(${{ join(' ', parameters.packs) }}) 332 | packs_list="${packs_array[@]}" 333 | 334 | # Run analysis 335 | codeql database analyze "$(CODEQLDB_PATH)" \ 336 | ${{ parameters.language }}-${{ parameters.query }} ${packs_list} \ 337 | --format=sarif-latest \ 338 | --output="$(SARIF_PATH)/${{ parameters.language }}.sarif" \ 339 | --sarif-category="language:${{ parameters.language }}" \ 340 | --threads=${{ parameters.codeqlThreads }} \ 341 | --ram=${{ parameters.codeqlMemory }} \ 342 | --verbosity=progress 343 | 344 | echo "CodeQL analysis complete. 
Results saved to: $(SARIF_PATH)/${{ parameters.language }}.sarif" 345 | displayName: 'Run CodeQL Analysis' 346 | 347 | # Upload results to GitHub 348 | - bash: | 349 | set -e 350 | echo "Uploading CodeQL results to GitHub..." 351 | echo "$GH_TOKEN" | codeql github upload-results --github-auth-stdin \ 352 | --repository="$(Build.Repository.Name)" \ 353 | --sarif="$(SARIF_PATH)/${{ parameters.language }}.sarif" \ 354 | --commit $(Build.SourceVersion) \ 355 | --ref $(Build.SourceBranch) 356 | 357 | echo "CodeQL results uploaded successfully for $(Build.Repository.Name)" 358 | displayName: 'Upload CodeQL Results' 359 | env: 360 | GH_TOKEN: ${{ parameters.token }} 361 | --------------------------------------------------------------------------------
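The "[Unix] Enable CodeQL Tracing" step in codeql-steps-template.yml sources `start-tracing.sh` and propagates every *newly named* variable to the pipeline with `##vso[task.setvariable]`. A variable that already existed before the script ran but whose value the script changed is not caught by a name-only diff. The script below is an added example written for this page (it is not code from the repository) that applies the same technique to whole `NAME=VALUE` pairs, so changed values are propagated as well. The `start-tracing.sh` it sources is a constructed stand-in: the real one is generated by `codeql database init --begin-tracing`, and the variable names and values here are invented for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the CodeQL CI pipelines repository.
# Propagate variables set by a CodeQL start-tracing.sh into Azure Pipelines
# logging commands, diffing NAME=VALUE pairs (new names AND changed values).
set -eu

# Write a constructed stand-in for the generated start-tracing.sh and print
# its path. All names/values below are invented for this example.
make_sample_tracing_script() {
  dir="$(mktemp -d)"
  cat > "$dir/start-tracing.sh" <<'EOF'
export CODEQL_TRACER_DB_ID="example-db-id"
export CODEQL_TRACER_LOG="/tmp/db/log/tracer.log"
export CODEQL_TRACER_CONFIGURATION="/tmp/db/temp/compiler-tracing.spec"
# Overwrites a variable that already exists in the caller's environment
export CODEQL_EXAMPLE_PRESET="new-value"
EOF
  printf '%s\n' "$dir/start-tracing.sh"
}

# Print one ##vso[task.setvariable ...] line per variable the script added
# or changed. Sourcing happens in a subshell, so the caller's own
# environment is left untouched.
tracing_vars_to_vso() {
  script="$1"
  (
    before="$(mktemp)"
    after="$(mktemp)"
    env | LC_ALL=C sort > "$before"
    # shellcheck disable=SC1090
    . "$script"
    env | LC_ALL=C sort > "$after"
    # comm -13: lines present only in $after, i.e. new names or new values.
    LC_ALL=C comm -13 "$before" "$after" | while IFS= read -r line; do
      name="${line%%=*}"
      value="${line#*=}"
      # "_" is bash's last-argument variable and changes by itself; skip it.
      [ "$name" = "_" ] && continue
      printf '##vso[task.setvariable variable=%s;]%s\n' "$name" "$value"
    done
    rm -f "$before" "$after"
  )
}

# Demo: a pre-existing variable whose value the tracing script changes.
demo() {
  export CODEQL_EXAMPLE_PRESET="old-value"
  tracing_vars_to_vso "$(make_sample_tracing_script)"
}
```

Like the template's own step, this assumes one variable per line of `env` output; a value containing a newline would need a different serialisation. The constructed script sets three new variables and overwrites `CODEQL_EXAMPLE_PRESET`, so `demo` emits four logging commands, including one for the changed value that a name-only diff would have dropped.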
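The "Setup CodeQL Runtime" step in codeql-steps-template.yml looks for a cached CLI under `$(Agent.ToolsDirectory)/CodeQL` with `find ... | sort -r | head -n 1`. That is a lexical sort, so with two cached releases `2.9.0` would be chosen over `2.10.0`. The script below is an added example for this page (not code from the repository) that builds a constructed tools cache with the layout `CodeQL/<version>/x64/codeql/codeql` and compares the lexical pick with a version-aware pick using `sort -V` (GNU coreutils). The directory root and the version numbers are constructed for the example; the `codeql` files are empty placeholders, not real binaries.

```shell
#!/usr/bin/env bash
# Added example, not part of the CodeQL CI pipelines repository.
# Select the newest CodeQL CLI from an Azure Pipelines tools cache.
set -eu

# Build a constructed tools cache with two CodeQL versions; print its root.
make_sample_tools_dir() {
  root="$(mktemp -d)"
  for v in 2.9.0 2.10.0; do
    mkdir -p "$root/CodeQL/$v/x64/codeql"
    # placeholder standing in for the CLI binary
    : > "$root/CodeQL/$v/x64/codeql/codeql"
  done
  printf '%s\n' "$root"
}

# Lexical pick, as the template's setup step does today.
newest_codeql_lexical() {
  find "$1/CodeQL" -maxdepth 4 -type f -name codeql | sort -r | head -n 1
}

# Version-aware pick: sort -V orders the numeric path components naturally.
newest_codeql_by_version() {
  find "$1/CodeQL" -maxdepth 4 -type f -name codeql | sort -V | tail -n 1
}

# Directory to prepend to PATH, mirroring `cli_path=$(dirname "$codeql_path")`.
newest_codeql_dir() {
  dirname "$(newest_codeql_by_version "$1")"
}
```

On a cache holding both versions, `newest_codeql_lexical` returns the `2.9.0` path while `newest_codeql_by_version` returns `2.10.0`; the two agree only while every cached version has the same number of digits per component.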