Code Scanning a GitHub Repository using GitHub Advanced Security within an Azure DevOps Pipeline
In this blog post we demonstrate how to integrate the GitHub Advanced Security code scanning capability into our Azure DevOps Pipelines. We provide code snippets and examples that can guide you or your developers working to integrate Code Scanning into any 3rd Party CI tool.
GitHub Advanced Security now supports the ability to analyze your code for semantic vulnerabilities from within your third-party CI pipelines. Previously, this capability was available exclusively with GitHub Actions. In this post, I will walk you through a simple implementation of GitHub Advanced Security Code Scanning in an Azure DevOps CI pipeline with a node application using the YAML editor. The Code Scanning results will resurface after the scan back in your GitHub repository under the Security tab for your developers to review and remediate.
If your organization does not have GitHub Advanced Security enabled, you will not see “Code scanning alerts” or “Detected secrets”.
Rather than leveraging the native GitHub Actions workflow with the standard “Set Up Workflow” experience we are going to use an Azure DevOps pipeline.
Navigate to your Azure DevOps pipeline to begin integrating CodeQL.
The Azure Pipelines Agent I am using is ephemeral so I install the CodeQl package on each pipeline execution. With a self hosted agent consider pre-installing the package to save time and compute resources.
Integrating GitHub Advanced Security for code scanning
Integration Steps:
- Download the latest CodeQL dependencies on your agent.
- Give CodeQL access to your repository.
- Initialize the CodeQL executable and create a queryable DB.
- Scan your application.
- Upload results to GitHub.
- Review your results.
- Customize your scan further.
Downloading the latest CodeQL dependencies on my agent
Using wget
and targeting the latest Linux release I can download all necessary files to a new codeql
directory. I also change permissions for the downloaded file before I run it.
I added the following script to the bottom of my pipeline:
- script: |
wget https://github.com/github/codeql-action/releases/latest/download/codeql-runner-linux
chmod +x codeql-runner-linux
displayName: 'Get latest CodeQL package. Install on Agent.'
Give the utility access to your repository
Create a Personal Access Token or use GitHub Apps for authentication. I am using a PAT and saving it as a pipeline variable as $GITHUB_PAT.
Initialize the CodeQ Executable and create a CodeQL database for the language detected.
I added the following script to the bottom of my pipeline:
- script: |
./codeql-runner-linux init --repository octodemo/ghas-azure-devops-code-scanning --github-url https://github.com --github-auth $GITHUB_PAT
displayName: 'Initialize CodeQL Executable and create a CodeQL database'
Now I want to populate the CodeQL runner databases, analyze them, and upload the results to GitHub.
I added the following script to the bottom of my pipeline:
- script: |
./codeql-runner-linux analyze --repository octodemo/ghas-azure-devops-code-scanning --github-url https://github.com --github-auth $GITHUB_PAT --commit 92065de8b22bbfeda511d12571b66c9969ff593b --ref refs/heads/master
displayName: 'Populate the CodeQL runner databases, analyze them, and upload the results to GitHub.'
My complete pipeline looks like:
# Scan my node app for semantic vulnerabilities with GitHub Code Scanning
# Upload any vulnerabilities back into my GitHub Repo for developer review.
trigger:
- master
pool:
vmImage: 'ubuntu-latest'
steps:
- task: NodeTool@0
inputs:
versionSpec: '10.x'
displayName: 'Install Node.js'
- script: |
npm install
npm test
displayName: 'npm install and test'
- script: |
wget https://github.com/github/codeql-action/releases/download/codeql-bundle-20200826/codeql-runner-linux
chmod +x codeql-runner-linux
displayName: 'Get latest CodeQL package. Install on Agent.'
- script: |
./codeql-runner-linux init --repository octodemo/ghas-azure-devops-code-scanning --github-url https://github.com --github-auth $GITHUB_PAT
displayName: 'Initialize CodeQ Executable and create a CodeQL database'
- script: |
./codeql-runner-linux analyze --repository octodemo/ghas-azure-devops-code-scanning --github-url https://github.com --github-auth $GITHUB_PAT --commit 92065de8b22bbfeda511d12571b66c9969ff593b --ref refs/heads/master
displayName: 'Populate the CodeQL runner databases, analyze them, and upload the results to GitHub.'
If successful, you should be able to navigate back to your repository security tab under code scanning to view the results of your scan.
If you would like to expand the number of queries you want to include in your scan, consider adding a config-file
parameter to init
and referencing a custom configuration file in your .github
directory.
This might look like:
- script: |
./codeql-runner-linux init --repository octodemo/ghas-azure-devops-code-scanning --github-url https://github.com --github-auth $GITHUB_PAT --config-file .github/codeql/codeql-config.yml
displayName: 'Initialize CodeQ Executable and create a CodeQL database'
Congratulations on integrating the GitHub Advanced Security Code Scanning capability into your Azure DevOps pipeline! As you continue to explore your integration story and possibly a migration path consider leveraging native GitHub Actions to define your pipeline.
If you have any questions or comments, reach out to us on Twitter, LinkedIn or contact sales for enterprise support.
Tags:
Written by
Related posts
Students: Start building your skills with the GitHub Foundations certification
The GitHub Foundations Certification exam fee is now waived for all students verified through GitHub Education.
Announcing GitHub Secure Open Source Fund: Help secure the open source ecosystem for everyone
Applications for the new GitHub Secure Open Source Fund are now open! Applications will be reviewed on a rolling basis until they close on January 7 at 11:59 pm PT. Programming and funding will begin in early 2025.
Software is a team sport: Building the future of software development together
Microsoft and GitHub are committed to empowering developers around the world to innovate, collaborate, and create solutions that’ll shape the next generation of technology.