29Jul

Code Scanning Results From Azure DevOps Pipelines to GitHub

Overview:

In this blog I will demonstrate how to integrate the GitHub Advanced Security code scanning capability into Azure DevOps pipelines. I will provide an example repository that can guide you or your developers working to integrate code scanning into Azure DevOps. I will walk you through a simple implementation of GitHub Advanced Security Code Scanning in an Azure DevOps CI pipeline for a Node application using the YAML editor. The code scanning results will be available in your GitHub repository under the Security tab for your developers to review.

Note: If your organization does not have GitHub Advanced Security enabled, you will not see “Code scanning alerts”.

Steps to Do:

  1. Download the latest CodeQL dependencies on your Agent.
  2. Give CodeQL Access to your Repository.
  3. Initialize the CodeQL and create a Database.
  4. Scan your Application.
  5. Upload results to GitHub.
  6. Review the results.

Downloading the latest CodeQL dependencies for your Agent

Using wget and targeting the latest Linux release, I can download all necessary files into a new CodeQL directory. I also change the permissions on the downloaded file before I run it. I added the following script to the bottom of my pipeline.

- script: |
    wget https://github.com/github/codeql-action/releases/download/codeql-bundle-20200826/codeql-runner-linux
    chmod +x codeql-runner-linux
  displayName: 'Get latest CodeQL package. Install on Agent.'

Give Access to your Repository

Create a Personal Access Token or use GitHub Apps for authentication. I am using a PAT and saving it as a pipeline variable named GITHUB_PAT (mark it as a secret variable so it is masked in the pipeline logs). Initialize the CodeQL executable and create a CodeQL database for the language detected. I added the following script to the bottom of my pipeline.

- script: |
    ./codeql-runner-linux init \
      --repository CanarysPlayground/ScanGHfromAzDO \
      --github-url https://github.com \
      --github-auth $(GITHUB_PAT) \
      --config-file .github/codeql/codeql-config.yml
  displayName: 'Initialize CodeQL Executable and create a CodeQL database'

Now I want to populate the CodeQL runner databases, analyze them, and upload the results to GitHub. I added the following script to the bottom of my pipeline.

- script: |
    ./codeql-runner-linux analyze \
      --repository CanarysPlayground/ScanGHfromAzDO \
      --github-url https://github.com \
      --github-auth $(GITHUB_PAT) \
      --commit $(Build.SourceVersion) \
      --ref $(Build.SourceBranch)
  displayName: 'Populate the CodeQL runner databases, analyze them, and upload the results to GitHub.'
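Pulling the three steps together into one complete pipeline, as an added example that is not from the original post; it also shows a codeql-config.yml, which the init step points at but the post never shows. The trigger, agent pool, the CODEQL_BUNDLE variable and the config file contents are assumptions; the repository name and bundle tag come from the post, and GITHUB_PAT is expected to be a secret pipeline variable set in the pipeline UI.

```yaml
# ---- file: azure-pipelines.yml ----
trigger:
  - main
pool:
  vmImage: 'ubuntu-latest'   # assumed hosted Linux agent

variables:
  # Pinned release tag taken from the post. GITHUB_PAT is NOT defined here;
  # it is set in the pipeline UI as a secret variable so it is masked in logs.
  CODEQL_BUNDLE: 'codeql-bundle-20200826'

steps:
  - checkout: self

  - script: |
      set -euo pipefail
      wget -q "https://github.com/github/codeql-action/releases/download/$(CODEQL_BUNDLE)/codeql-runner-linux"
      chmod +x codeql-runner-linux
    displayName: 'Get CodeQL runner and install on agent'

  - script: |
      set -euo pipefail
      ./codeql-runner-linux init \
        --repository CanarysPlayground/ScanGHfromAzDO \
        --github-url https://github.com \
        --github-auth $(GITHUB_PAT) \
        --config-file .github/codeql/codeql-config.yml
    displayName: 'Initialize CodeQL and create the database'

  - script: |
      set -euo pipefail
      ./codeql-runner-linux analyze \
        --repository CanarysPlayground/ScanGHfromAzDO \
        --github-url https://github.com \
        --github-auth $(GITHUB_PAT) \
        --commit $(Build.SourceVersion) \
        --ref $(Build.SourceBranch)
    displayName: 'Analyze and upload results to GitHub'

# ---- file: .github/codeql/codeql-config.yml ----
# Referenced by the init step above; contents are assumptions for a Node.js app.
name: "CodeQL config for the Node app"
queries:
  - uses: security-extended      # built-in suite, broader than the default
paths:
  - src                          # only scan application source
paths-ignore:
  - '**/*.test.js'               # skip test code
  - dist                         # skip build output
```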

 

If successful, you should be able to navigate back to your repository security tab under code scanning to view the results of your scan.


Conclusion:

This blog will help you integrate the GitHub Advanced Security Code Scanning capability into your Azure DevOps pipeline, and the code scanning results will be available in your GitHub repository under the Security tab for your developers to review.
