Code Scanning Results From Azure DevOps Pipelines to GitHub

29 Jul

Overview:

In this blog I will demonstrate how to integrate GitHub Advanced Security code scanning into an Azure DevOps pipeline. I will provide an example repository that you or your developers can follow when adding code scanning to Azure DevOps, and I will walk through a simple implementation for a Node application in an Azure DevOps CI pipeline written with the YAML editor. The pipeline runs the CodeQL runner on the Azure agent and uploads the results to GitHub, so the code scanning alerts appear in your GitHub repository under the Security tab for your developers to review.

Note: If your organization does not have GitHub Advanced Security enabled for the repository, the Security tab will not show "Code scanning alerts" and there is nowhere for the uploaded results to appear.

Steps:

  1. Download a pinned CodeQL runner release onto your agent.
  2. Give CodeQL access to your repository.
  3. Initialize CodeQL and create a database.
  4. Scan your application.
  5. Upload the results to GitHub.
  6. Review the results.

Downloading the CodeQL runner to your agent

Using wget against a codeql-action release, I download the Linux runner binary and make it executable before running it. The URL names a specific bundle (codeql-bundle-20200826); pin a release like this rather than pointing at an unversioned "latest" URL, because the pipeline executes whatever it downloads and a pinned tag is what lets you later verify that the binary has not changed. I added the following script to the bottom of my pipeline.

- script: |
    wget https://github.com/github/codeql-action/releases/download/codeql-bundle-20200826/codeql-runner-linux
    chmod +x codeql-runner-linux
  displayName: 'Get the pinned CodeQL runner and install it on the agent.'

 

Give CodeQL access to your repository

Create a personal access token (PAT), or use a GitHub App, for authentication. I am using a PAT stored as a pipeline variable named GITHUB_PAT and referenced in the step as $(GITHUB_PAT); mark the variable as secret so that Azure Pipelines masks it in the build logs. Next, initialize the CodeQL runner, which creates a CodeQL database for the language it detects in the checkout. The --config-file argument points at a CodeQL configuration file that must already exist in the repository. I added the following script to the bottom of my pipeline.

- script: |
    ./codeql-runner-linux init \
      --repository CanarysPlayground/ScanGHfromAzDO \
      --github-url https://github.com \
      --github-auth $(GITHUB_PAT) \
      --config-file .github/codeql/codeql-config.yml
  displayName: 'Initialize the CodeQL runner and create a CodeQL database'
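
The --config-file argument above expects a CodeQL configuration file to be present in the repository. The original post does not show its file, so the following is an added example of a minimal .github/codeql/codeql-config.yml for a Node application; the chosen query suite and the ignored paths are my assumptions, not the post's:

```yaml
# .github/codeql/codeql-config.yml (added example; the post does not show its own file)
name: "CodeQL config for the Node application"

# Run the default query suite plus the broader security-extended queries.
queries:
  - uses: security-extended

# Skip vendored, built and test code (assumed layout); findings there are noise for this pipeline.
paths-ignore:
  - node_modules
  - dist
  - "**/*.test.js"
```

Keep this file in the scanned branch: the runner reads it from the checkout, so a pull request can change what gets scanned, which is one reason to review changes under .github/ with the same care as pipeline changes.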

Now I populate the CodeQL database, run the queries against it, and upload the SARIF results to GitHub. For a Node application no build step is needed between init and analyze; for a compiled language the build would have to run between the two steps so that CodeQL can observe it. The commit and ref are passed as Azure Pipelines' $(Build.SourceVersion) and $(Build.SourceBranch) so that GitHub attaches the alerts to the right commit and branch. I added the following script to the bottom of my pipeline.

- script: |
    ./codeql-runner-linux analyze \
      --repository CanarysPlayground/ScanGHfromAzDO \
      --github-url https://github.com \
      --github-auth $(GITHUB_PAT) \
      --commit $(Build.SourceVersion) \
      --ref $(Build.SourceBranch)
  displayName: 'Populate the CodeQL database, analyze it, and upload the results to GitHub.'

 

If the step succeeds, navigate back to your repository's Security tab and open Code scanning alerts to review the results of the scan; the alerts are attached to the commit and branch you passed to the analyze step.
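
Putting the steps together, here is a complete azure-pipelines.yml as an added example. It is not the pipeline from the original post: it assumes GITHUB_PAT is defined as a secret pipeline variable (mapped into each script with env: instead of pasted into the script body), assumes a non-secret pipeline variable CODEQL_RUNNER_SHA256 holding the SHA-256 you recorded for the pinned runner binary when you first vetted it (its value is not on this page), and reuses the repository slug, bundle tag and config path from the post.

```yaml
# azure-pipelines.yml: added example, not the pipeline from the original post.
# Assumptions (not stated on the page):
#   - GITHUB_PAT is a *secret* pipeline variable; secrets are not exported to scripts
#     as environment variables unless mapped with `env:` as done below.
#   - CODEQL_RUNNER_SHA256 is a pipeline variable holding the SHA-256 of the pinned
#     codeql-runner-linux binary, recorded when it was vetted (value not on this page).
#   - Repository slug, bundle tag and config path are the ones the post uses.
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

variables:
  codeqlBundle: 'codeql-bundle-20200826'          # pinned release, never an unversioned "latest"
  repoSlug: 'CanarysPlayground/ScanGHfromAzDO'

steps:
  - checkout: self

  - script: |
      set -euo pipefail
      mkdir -p codeql
      wget -q -O codeql/codeql-runner-linux \
        "https://github.com/github/codeql-action/releases/download/${CODEQL_BUNDLE}/codeql-runner-linux"
      # Refuse to execute a binary that does not match the hash recorded for this release.
      echo "${CODEQL_RUNNER_SHA256}  codeql/codeql-runner-linux" | sha256sum --check --strict
      chmod +x codeql/codeql-runner-linux
    displayName: 'Download the pinned CodeQL runner and verify its checksum'
    env:
      CODEQL_BUNDLE: $(codeqlBundle)
      CODEQL_RUNNER_SHA256: $(CODEQL_RUNNER_SHA256)

  - script: |
      set -euo pipefail
      ./codeql/codeql-runner-linux init \
        --repository "${REPO_SLUG}" \
        --github-url https://github.com \
        --github-auth "${GITHUB_PAT}" \
        --config-file .github/codeql/codeql-config.yml
    displayName: 'Initialize CodeQL and create the database'
    env:
      GITHUB_PAT: $(GITHUB_PAT)      # secret: only reaches the script through this mapping
      REPO_SLUG: $(repoSlug)

  # A Node application needs no traced build between init and analyze, so the usual
  # install/test step can simply run here.
  - script: |
      set -euo pipefail
      npm ci
      npm test --if-present
    displayName: 'Install dependencies and run tests'

  - script: |
      set -euo pipefail
      # BUILD_SOURCEVERSION / BUILD_SOURCEBRANCH are the environment-variable forms of
      # Build.SourceVersion / Build.SourceBranch that Azure Pipelines sets on every step.
      ./codeql/codeql-runner-linux analyze \
        --repository "${REPO_SLUG}" \
        --github-url https://github.com \
        --github-auth "${GITHUB_PAT}" \
        --commit "${BUILD_SOURCEVERSION}" \
        --ref "${BUILD_SOURCEBRANCH}"
    displayName: 'Run the CodeQL queries and upload SARIF to GitHub'
    env:
      GITHUB_PAT: $(GITHUB_PAT)
      REPO_SLUG: $(repoSlug)
```

Two design points worth noting. First, $(GITHUB_PAT) macro syntax in a script body is expanded by Azure Pipelines into the generated script file on the agent, whereas the env: mapping hands the secret to the process as an environment variable only; both are masked in logs, but the mapping is the form the Azure documentation recommends for secrets. Second, the checksum line turns the download into a pinned artifact: if the binary behind the release tag ever differs from the one you vetted, the step fails instead of executing it.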


 

Conclusion:

This blog showed how to integrate GitHub Advanced Security code scanning into an Azure DevOps pipeline by running the CodeQL runner on the agent and uploading the results; the code scanning alerts are then available in your GitHub repository under the Security tab for your developers to review.
