futuredesignUK / code-scanning-ado

GHAS - Run CodeQL on ADO Pipelines with code in GitHub


Code Scanning a GitHub repo using Azure Pipelines

Use Case

See full walkthrough blog post: sam.hope-evans.com/code-scanning-a-github-repo-using-azure-pipelines/

This repo will show how you can host your code in GitHub and use an Azure DevOps (ADO) pipeline to run GitHub Advanced Security CodeQL scans and return the results back to the GitHub interface.

(image: CodeQL-AzurePipelines)

Requirements

Overview

This repo has a simple Node JS app and an ADO pipeline that runs the CodeQL scan against it.

The ADO pipeline uses the CodeQL API to:

  • Download the latest CodeQL bundle for the detected OS
  • Detect the languages of a given repository to determine which ones are supported by CodeQL
  • Create CodeQL databases, analyze, and upload results back to GitHub for each supported language
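The three pipeline steps above, written out as an added example `azure-pipelines.yml`. This is not the repo's own pipeline file: it assumes a Linux hosted agent, a GitHub service connection so that `Build.Repository.Name` resolves to `owner/repo`, a secret pipeline variable named `GITHUB_TOKEN` holding a token with `security_events: write` on the repository, and the CodeQL CLI commands `database create`, `database analyze` and `github upload-results` from the downloaded bundle. Only the interpreted-language case (as for this Node app) is shown; compiled languages would additionally need a build command on `database create`.

```yaml
# azure-pipelines.yml (added example; assumes a GitHub-connected ADO pipeline)
trigger:
  branches:
    include: [main]

pool:
  vmImage: ubuntu-latest

variables:
  CODEQL_HOME: $(Pipeline.Workspace)/codeql      # where the bundle unpacks
  DB_ROOT: $(Pipeline.Workspace)/codeql-dbs      # one database per language

steps:
  - checkout: self        # the GitHub repo, via the pipeline's GitHub service connection
    fetchDepth: 0

  # Step 1: download the latest CodeQL bundle (CLI + query packs) for the agent OS.
  - script: |
      set -euo pipefail
      curl -sSL -o codeql-bundle.tar.gz \
        https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz
      tar -xzf codeql-bundle.tar.gz -C "$(Pipeline.Workspace)"   # creates $(Pipeline.Workspace)/codeql
      "$CODEQL_HOME/codeql" version
    displayName: Download CodeQL bundle

  # Step 2: ask GitHub which languages the repo contains and keep the ones CodeQL can extract.
  - script: |
      set -euo pipefail
      langs=$(curl -sSf -H "Authorization: Bearer $GITHUB_TOKEN" \
        "https://api.github.com/repos/$(Build.Repository.Name)/languages" | jq -r 'keys[]')
      supported=""
      for l in $langs; do
        case "$l" in
          JavaScript|TypeScript) cql=javascript ;;
          Python)                cql=python ;;
          Ruby)                  cql=ruby ;;
          Go)                    cql=go ;;
          Java|Kotlin)           cql=java ;;
          C|C++)                 cql=cpp ;;
          "C#")                  cql=csharp ;;
          *)                     continue ;;   # e.g. EJS or CSS: no CodeQL extractor, skip
        esac
        case " $supported " in *" $cql "*) ;; *) supported="$supported $cql" ;; esac
      done
      echo "CodeQL languages: ${supported:-none}"
      # Export the list to later steps as the CODEQL_LANGS variable.
      echo "##vso[task.setvariable variable=CODEQL_LANGS]${supported}"
    displayName: Detect supported languages
    env:
      GITHUB_TOKEN: $(GITHUB_TOKEN)   # secret variable (assumed name); needs security_events:write

  # Step 3: per language, create a database, analyze it, and upload SARIF back to GitHub.
  - script: |
      set -euo pipefail
      for lang in $CODEQL_LANGS; do
        db="$DB_ROOT/$lang"
        # Interpreted languages need no build; compiled ones would add --command=<build cmd>.
        "$CODEQL_HOME/codeql" database create "$db" --language="$lang" --source-root=.
        "$CODEQL_HOME/codeql" database analyze "$db" "codeql/${lang}-queries" \
          --format=sarif-latest --sarif-category="$lang" --output="$lang.sarif"
        # Token on stdin keeps it out of the process list; results land in the Security tab
        # for this commit and ref, so PR builds annotate the pull request.
        echo "$GITHUB_TOKEN" | "$CODEQL_HOME/codeql" github upload-results \
          --sarif="$lang.sarif" --repository="$(Build.Repository.Name)" \
          --ref="$(Build.SourceBranch)" --commit="$(Build.SourceVersion)" --github-auth-stdin
      done
    displayName: Create databases, analyze and upload results
    env:
      GITHUB_TOKEN: $(GITHUB_TOKEN)
```

The `--sarif-category` value must stay stable per language across runs, otherwise GitHub treats each upload as a new analysis set and old alerts are never closed. The `##vso[task.setvariable]` logging command is what carries the detected language list from step 2 into step 3.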

GitHub security tab

In GitHub you can now see the security scan results and also the current status of CodeQL.


Credit

Based on this blog post by Kevin Alwell.

Because the CodeQL runner is now deprecated, the Azure pipeline was adapted from David Wiggs's CodeQL Anywhere repo.


License: MIT License

Languages: EJS 62.2%, JavaScript 25.6%, CSS 12.1%