Upraviť

Set up code scanning

Code scanning in GitHub Advanced Security for Azure DevOps lets you analyze the code in an Azure DevOps repository to find security vulnerabilities and coding errors. You'll need either GitHub Advanced Security for Azure DevOps or, if you're using the standalone experience, GitHub Code Security for Azure DevOps enabled. Any problems identified by the analysis are raised as an alert. Code scanning uses CodeQL to identify vulnerabilities.

CodeQL is the code analysis engine developed by GitHub to automate security checks. You can analyze your code using CodeQL and display the results as code scanning alerts. For more specific documentation about CodeQL, see CodeQL documentation.

GitHub Advanced Security for Azure DevOps works with Azure Repos. To use GitHub Advanced Security with GitHub repositories, see GitHub Advanced Security.

Prerequisites

Category Requirements
Permissions - To view a summary of all alerts for a repository: Contributor permissions for the repository.
- To dismiss alerts in Advanced Security: Project administrator permissions.
- To manage permissions in Advanced Security: Member of the Project Collection Administrators group or Advanced Security: manage settings permission set to Allow.

For more information about Advanced Security permissions, see Manage Advanced Security permissions.

Advanced setup for code scanning

CodeQL is a pipeline-based tool, where results are aggregated per repository.

Tip

Code scanning can be a more time-intensive build task, so we recommend that you add the code scanning task to a separate, cloned pipeline of your main production pipeline or create a new pipeline.

Add the tasks in the following order:

  1. Advanced Security Initialize CodeQL (AdvancedSecurity-Codeql-Init@1)
  2. Your custom build steps
  3. Advanced Security Perform CodeQL Analysis (AdvancedSecurity-Codeql-Analyze@1)

Screenshot of code scanning pipeline setup for YAML.

Also, specify which language you're analyzing in the Initialize CodeQL task. You can use a comma separated list to analyze multiple languages at once. The supported languages are csharp, cpp, go, java, javascript, python, ruby, swift. If you're utilizing self-hosted agents, you might also add the enableAutomaticCodeQLInstall: true variable to automatically install the latest CodeQL bits for your agent.

Here's an example starter pipeline:

trigger:
  - main

pool:
  # Additional hosted image options are available: https://dotnet.territoriali.olinfo.it/en-us/azure/devops/pipelines/agents/hosted#software
  vmImage: ubuntu-latest

steps:

  - task: AdvancedSecurity-Codeql-Init@1
    inputs:
      languages: "java"
      # Supported languages: csharp, cpp, go, java, javascript, python, ruby, swift
      # You can customize the initialize task: https://dotnet.territoriali.olinfo.it/en-us/azure/devops/pipelines/tasks/reference/advanced-security-codeql-init-v1?view=azure-pipelines
      # If you're using a self-hosted agent to run CodeQL, use `enableAutomaticCodeQLInstall` to automatically use the latest CodeQL bits on your agent:
      enableAutomaticCodeQLInstall: true

#   Add your custom build steps here
# - Ensure that all code to be scanned is compiled (often using a `clean` command to ensure you're building from a clean state).
# - Disable the use of any build caching mechanisms as this can interfere with CodeQL's ability to capture all the necessary data during the build.
# - Disable the use of any distributed/multithreaded/incremental builds as CodeQL needs to monitor executions of the compiler to construct an accurate representation of the application.
# - For dependency scanning, ensure you have a package restore step for more accurate results.

# If you had a Maven app:
#   - task: Maven@4
#     inputs:
#       mavenPomFile: 'pom.xml'
#       goals: 'clean package'
#       publishJUnitResults: true
#       testResultsFiles: '**/TEST-*.xml'
#       javaHomeOption: 'JDKVersion'
#       jdkVersionOption: '1.17'
#       mavenVersionOption: 'Default'

# Or a general script:
#   - script: |
#       echo "Run, Build Application using script"
#       ./location_of_script_within_repo/buildscript.sh

  - task: AdvancedSecurity-Dependency-Scanning@1 # More details on this task: https://dotnet.territoriali.olinfo.it/en-us/azure/devops/pipelines/tasks/reference/advanced-security-dependency-scanning-v1?view=azure-pipelines

  - task: AdvancedSecurity-Codeql-Analyze@1 # More details on this task: https://dotnet.territoriali.olinfo.it/en-us/azure/devops/pipelines/tasks/reference/advanced-security-codeql-analyze-v1?view=azure-pipelines

Also, specify which language you're analyzing in the Initialize CodeQL task. If the language specified is swift, custom build steps are required.

Tip

  • Use java to analyze code written in Java, Kotlin or both.
  • Use javascript to analyze code written in JavaScript, TypeScript, or both.

If you're running on a self-hosted agent, select the Enable automatic CodeQL detection and installation to automatically use the latest CodeQL bits on your agent if you didn't manually install the latest CodeQL bundle to your agent tool cache.

To generate alerts, run your first scan with a pipeline with the code scanning tasks included.

More configurations for code scanning

Language and query support

GitHub experts, security researchers, and community contributors write and maintain the default CodeQL queries used for code scanning. The queries are regularly updated to improve analysis and reduce any false positive results. The queries are open source, so you can view and contribute to the queries in the github/codeql repository.

CodeQL supports and uses the following language identifiers:

Language Identifier
C/C++ cpp
C# csharp
Go go
Java/Kotlin java
JavaScript/TypeScript javascript
Python python
Ruby ruby
Swift swift

Tip

  • Use cpp to analyze code written in C, C++ or both.
  • Use java to analyze code written in Java, Kotlin or both.
  • Use javascript to analyze code written in JavaScript, TypeScript or both.

For more information, see Supported languages and frameworks.

You can view the specific queries and task details executed by CodeQL in the build log.

Screenshot of code scanning publish results task.

Code scanning build mode customization

Code scanning supports two build modes when setting up a pipeline for scanning:

  • none - the CodeQL database is created directly from the codebase without building the codebase (supported for all interpreted languages, and additionally supported for cpp, java, and csharp).
  • manual - you define the build steps to use for the codebase in the workflow (supported for all compiled languages).

For more information on the different build modes including a comparison on the benefits of each build mode, see CodeQL code scanning for compiled languages.

Tip

Build mode none is useable with other interpreted languages, for example, JavaScript, Python, Ruby. If build mode none is specified for C# or Java with other compiled languages that don't support build mode none, the pipeline task fails.

The following code shows an example of a valid configuration with multiple languages and none build mode:

trigger: none
 
pool:
  vmImage: windows-latest

steps:
- task: AdvancedSecurity-Codeql-Init@1
  displayName: Initialize CodeQL
  inputs:
# build mode `none` is supported for C# and Java, and JavaScript is an interpreted language
# and build mode `none` has no impact on JavaScript analysis
    languages: 'csharp, java, javascript' 
    buildtype: 'none'

- task: AdvancedSecurity-Codeql-Analyze@1
  displayName: Perform CodeQL Analysis

The following code shows an example of an invalid configuration with multiple languages and none build mode:

trigger: none
 
pool:
  vmImage: windows-latest

steps:
- task: AdvancedSecurity-Codeql-Init@1
  displayName: Initialize CodeQL
  inputs:
# build mode `none` is supported for C# but build mode `none` is NOT supported for Swift
# so this pipeline definition will result in a failed run
    languages: 'csharp, swift'
    buildtype: 'none'

- task: AdvancedSecurity-Codeql-Analyze@1
  displayName: Perform CodeQL Analysis

Code scanning alerts

GitHub Advanced Security for Azure DevOps code scanning alerts include code scanning flags by repository that alert of code-level application vulnerabilities.

To use code scanning, you need to first configure GitHub Advanced Security for Azure DevOps.

The Advanced Security tab under Repos in Azure DevOps is the hub to view your code scanning alerts. Select the Code scanning tab to view scanning alerts. You can filter by branch, state, pipeline, rule type, and severity. At this time, the alerts hub doesn't display alerts for scanning completed on PR branches.

There's no effect to results if pipelines or branches are renamed - it may take up to 24 hours before the new name is displayed.

If you choose to run custom CodeQL queries, there isn't by default a separate filter for alerts generated from different query packs. You can filter by rule, which is distinct for each query.

Screenshot of code scanning alerts for a repository.

If you turn off Advanced Security for your repository, you lose access to the results in the Advanced Security tab and build task. The build task doesn't fail, but any results from builds run with the task while Advanced Security is disabled are hidden and not retained.

Alert details

Select an alert for more details, including remediation guidance. Each alert includes a location, description, example, and severity.

Screenshot of code scanning alert detail.

Section Explanation
Location The Locations section details a specific instance where CodeQL detected a vulnerability. If there are multiple instances of your code violating the same rule, a new alert is generated for each distinct location. The Locations card contains a direct link to the affected code snippet so you can select the snippet to be directed to the Azure DevOps web UI for editing.
Description The description is provided by the CodeQL tool based off of the problem.
Recommendation The recommendation is the suggested fix for a given code scanning alert.
Example The example section shows a simplified example of the identified weakness in your code.
Severity Severity levels can be low, medium, high, or critical. The severity score is based off of the given Common Vulnerability Scoring System (CVSS) score for the identified Common Weakness Enumeration (CWE). Learn more about how severity is scored at this GitHub blog post.

Viewing alerts for a repository

Anyone with contributor permissions for a repository can view a summary of all alerts for a repository in the Advanced Security tab under Repos. Select the Code scanning tab to view all secret scanning alerts.

To display results, code scanning tasks need to run first. Once the first scan finishes, any detected vulnerabilities are displayed in the Advanced Security tab.

By default, the alerts page shows code scanning results for the default branch of the repository.

The status of a given alert reflects the state for the default branch and latest run pipeline, even if the alert exists on other branches and pipelines.

Dismissing code scanning alerts

To dismiss alerts, you need appropriate permissions. By default, only project administrators can dismiss Advanced Security alerts.

To dismiss an alert:

  1. Navigate to the alert you wish to close and select on the alert.
  2. Select the Close alert drop-down.
  3. If not already selected, select either Risk accepted or False positive as the closure reason.
  4. Add an optional comment into the Comment text box.
  5. Select Close to submit and close the alert.
  6. The alert state changes from Open to Closed and your dismissal reason displays.

Screenshot of how to dismiss a code scanning alert.

This action dismisses the alert across all branches. Other branches that contain the same vulnerability will also be dismissed. Any alert previously dismissed can be manually reopened.

Managing code scanning alerts on pull requests

If alerts are created for new code changes in a pull request, the alert is reported as an annotation in the Overview tab's comment section of the pull request and as an alert in the Advanced Security repository tab. There is a new branch picker entry for the pull request branch.

You can review the affected lines of code, see a summary of the finding, and resolve the annotation in the Overview section.

Screenshot of active code pull request annotation.

To dismiss pull request alerts, you must navigate to the alert detail view to close both the alert and resolve the annotation. Otherwise, simply changing the comment status (1) resolves the annotation but doesn't close or fix the underlying alert.

Screenshot of closed code pull request annotation.

To see the entire set of results for your pull request branch, navigate to Repos > Advanced Security and select your pull request branch. Selecting Show more details (2) on the annotation directs you to the alert detail view in the Advanced Security tab.

Tip

Annotations only get created when the affected lines of code are entirely unique to the pull request difference compared to the target branch of the pull request.

  • Last updated on