# codeqlExecuteScan

This step executes a CodeQL scan on the specified project to perform static code analysis and check the source code for security flaws.

## Description
The CodeQL step triggers the scan locally on your orchestrator (e.g. Jenkins) inside a Docker container, so you have to supply a Docker image that contains CodeQL together with Java and Maven.
## Usage

We recommend defining the values of step parameters via the .pipeline/config.yml file.
In this case, calling the step is essentially reduced to defining the step name.

Calling the step can be done either in an orchestrator-specific way (e.g. via a Jenkins library step) or on the command line.
Jenkins library step:

```groovy
library('piper-lib-os')

codeqlExecuteScan script: this
```

Command line:

```sh
piper codeqlExecuteScan
```
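The following `.pipeline/config.yml` fragment is an added example and not taken from the Piper documentation or project. It shows how the parameters documented below fit together for a Maven project: the build is auto-detected, the scan is gated on the finding count, and the results are uploaded with a token taken from Jenkins credentials rather than from the file. The credentials id `github-codeql-token` and the query suite name are assumptions for this example.

```yaml
# Added example (not Piper's own documentation): configure codeqlExecuteScan
# in .pipeline/config.yml. Values marked "assumed" are placeholders for this example.
steps:
  codeqlExecuteScan:
    buildTool: maven                          # step auto-selects language and build command
    database: codeqlDB                        # created by the step; must not exist beforehand
    querySuite: java-security-extended.qls    # assumed suite name; omit to use the language default
    threads: '0'                              # 0 lets CodeQL use all available cores
    ram: '4000'                               # MB handed to the CodeQL operations
    # Compliance gate: with a threshold of 0, a single finding fails the step.
    checkForCompliance: true
    vulnerabilityThresholdTotal: 0
    # Upload the SARIF results to GitHub. The token is resolved from a Jenkins
    # 'Secret text' credential; githubToken itself never belongs in this file.
    uploadResults: true
    githubTokenCredentialsId: github-codeql-token   # assumed credentials id
    sarifCheckMaxRetries: 10
    sarifCheckRetryInterval: 30
```

The `paths` and `pathsIgnore` parameters are deliberately left out here because they only apply to interpreted languages; for a Java build CodeQL records whatever the build command compiles.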
## Outputs

| Output type | Details |
|---|---|
| influx | measurements: step_data, codeql_data |
## Parameters

### Overview - Step

| Name | Mandatory | Additional information |
|---|---|---|
| script | (yes) | |
| analyzedRef | no | |
| buildCommand | no | |
| buildTool | no | |
| checkForCompliance | no | |
| commitId | no | |
| customCommand | no | |
| database | no | |
| databaseAnalyzeFlags | no | |
| databaseCreateFlags | no | |
| githubToken | no | see githubTokenCredentialsId |
| globalSettingsFile | no | |
| language | no | |
| modulePath | no | |
| paths | no | |
| pathsIgnore | no | |
| projectSettingsFile | no | |
| querySuite | no | |
| ram | no | |
| repository | no | |
| sarifCheckMaxRetries | no | |
| sarifCheckRetryInterval | no | |
| targetGithubBranchName | no | |
| targetGithubRepoURL | no | |
| threads | no | |
| transformQuerySuite | no | |
| uploadResults | no | |
| verbose | no | activates debug output |
| vulnerabilityThresholdTotal | no | |
### Overview - Execution Environment

Orchestrator-specific only: these parameters are relevant for orchestrator usage and are not considered when using the command line option.

| Name | Mandatory | Additional information |
|---|---|---|
| containerCommand | no | |
| containerShell | no | |
| dockerEnvVars | no | |
| dockerImage | no | |
| dockerName | no | |
| dockerOptions | no | |
| dockerPullImage | no | |
| dockerVolumeBind | no | |
| dockerWorkspace | no | |
| stashContent | no | |
### Details

#### analyzedRef

If this ref is a pull request merge commit, use refs/pulls/1234/merge or refs/pulls/1234/head (depending on whether this commit corresponds to the HEAD or the MERGE commit of the PR). Otherwise, this should be a branch: refs/heads/branch-name. If omitted, the CLI attempts to populate this automatically from the current branch of the checkout path, if it exists.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_analyzedRef (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | commonPipelineEnvironment: reference to git/ref |

#### buildCommand

Command to build the project.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_buildCommand (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### buildTool

Based on the build tool, the step tries to build the project automatically; it also tries to select the language and the build command on its own.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | maven |
| Possible values | custom, maven, golang, npm, pip, yarn |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### checkForCompliance

If set to true, the Piper step checks for compliance based on the vulnerability thresholds. Example: if the total number of vulnerabilities is 10 and vulnerabilityThresholdTotal is set to 0, the step throws a compliance error.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | false |
| Possible values | true, false |
| Secret | no |
| Configuration scope | |
| Resource references | none |
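To make the compliance rule above concrete, here is an added example (not Piper's own code) that applies the checkForCompliance / vulnerabilityThresholdTotal decision to a SARIF document of the kind `codeql database analyze` produces. The SARIF content, the rule ids and the function names are constructed for this example; the comparison follows the page's own example (10 findings against a threshold of 0 is a compliance error).

```python
"""Added example, not part of the Piper project: evaluate the documented
compliance gate against a SARIF result file."""
import json

# Constructed SARIF 2.1.0 document with three results in one run. The rule ids
# and messages are sample values for this example only.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            {"ruleId": "java/sql-injection", "level": "error",
             "message": {"text": "Query built from user-controlled sources."}},
            {"ruleId": "java/path-injection", "level": "error",
             "message": {"text": "Path built from user-controlled input."}},
            {"ruleId": "java/log-injection", "level": "warning",
             "message": {"text": "Log entry built from user-controlled input."}},
        ],
    }],
})


def count_results(sarif_text):
    """Return (total, per_rule) for all results across every run in the SARIF."""
    doc = json.loads(sarif_text)
    per_rule = {}
    total = 0
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            total += 1
            rule = result.get("ruleId", "<unknown>")
            per_rule[rule] = per_rule.get(rule, 0) + 1
    return total, per_rule


def is_compliant(total, threshold, check_for_compliance=True):
    """Documented behaviour: with checkForCompliance=true the step fails when the
    total number of findings exceeds vulnerabilityThresholdTotal; with it
    disabled the finding count never fails the step."""
    if not check_for_compliance:
        return True
    return total <= threshold


def evaluate(sarif_text, threshold, check_for_compliance=True):
    """Combine both steps and return a small report dict a pipeline could log."""
    total, per_rule = count_results(sarif_text)
    return {
        "total": total,
        "per_rule": per_rule,
        "threshold": threshold,
        "compliant": is_compliant(total, threshold, check_for_compliance),
    }


if __name__ == "__main__":
    report = evaluate(SAMPLE_SARIF, threshold=0)
    print(json.dumps(report, indent=2))
    # With threshold 0 and three findings the report says "compliant": false
```

Note that the gate counts every SARIF result regardless of its level; if you want warnings treated differently from errors, narrow the query suite (see querySuite) rather than relying on the threshold alone.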
#### commitId

SHA of the commit that was analyzed.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_commitId (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | commonPipelineEnvironment: reference to git/remoteCommitId |

#### containerCommand

Jenkins-specific: used for proper environment setup.
Kubernetes only: allows you to specify the start command for the container created with the dockerImage parameter, overriding the Piper default (/usr/bin/tail -f /dev/null).

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### containerShell

Jenkins-specific: used for proper environment setup.
Allows you to specify the shell to be executed for the container with containerName.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### customCommand

A custom user-defined command to run between the CodeQL analysis and the results upload.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_customCommand (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### database

Path to the CodeQL database to create. This directory will be created and must not already exist.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | codeqlDB |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### databaseAnalyzeFlags

A space-separated string of flags for the 'codeql database analyze' command.
If both the long and short forms of the same flag are provided, the long form takes precedence. Example input: "--threads=1 --ram=2000"

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_databaseAnalyzeFlags (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### databaseCreateFlags

A space-separated string of flags for the 'codeql database create' command.
If both the long and short forms of the same flag are provided, the long form takes precedence. Example input: "--threads=1 --ram=2000"

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_databaseCreateFlags (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |
#### dockerEnvVars

Environment variables to set in the container, e.g. [http_proxy: "proxy:8080"].

| Scope | Details |
|---|---|
| Aliases | - |
| Type | map[string]string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### dockerImage

Name of the Docker image that should be used. If empty, Docker is not used and the command is executed directly on the Jenkins system.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### dockerName

Kubernetes only: name of the container launching dockerImage. Sidecar only: name of the container in the local network.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### dockerOptions

Docker options to be set when starting the container.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | []string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### dockerPullImage

Set this to 'false' to bypass the Docker image pull. Useful during development, as it allows testing images that are only available in the local registry.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | true |
| Possible values | true, false |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### dockerVolumeBind

Jenkins-specific: used for proper environment setup.
Volumes that should be mounted into the Docker container.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | map[string]string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### dockerWorkspace

Jenkins-specific: used for proper environment setup.
Kubernetes only: specifies a dedicated user home directory for the container, which is passed as the value of the environment variable HOME.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope | |
| Resource references | none |
#### githubToken

GitHub personal access token in plain text. NEVER set this parameter in a file committed to a source code repository. This parameter is intended to be used from the command line or set securely via the environment variable listed below. In most pipeline use cases, you should instead either store the token in Vault (where the step can retrieve it automatically from one of the paths listed below) or store it as a Jenkins secret and configure the secret's id via the githubTokenCredentialsId parameter.

| Scope | Details |
|---|---|
| Aliases | access_token |
| Type | string |
| Mandatory | no |
| Default | $PIPER_githubToken (if set) |
| Secret | yes |
| Configuration scope | |
| Resource references | Jenkins credential id: githubTokenCredentialsId; Vault resource name: githubVaultSecretName (default value: githubVault), Vault paths: not listed |

#### globalSettingsFile

Path to the Maven settings file that should be used as the global settings file.

| Scope | Details |
|---|---|
| Aliases | maven/globalSettingsFile |
| Type | string |
| Mandatory | no |
| Default | $PIPER_globalSettingsFile (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### language

The programming language to analyze. Use comma separation and select the custom build tool to analyze multiple languages.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_language (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### modulePath

Allows providing the path of the module to scan.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | ./ |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### paths

List of file or directory patterns to include. Each entry must be on its own line, e.g. `src/` and `lib/`. Note: this parameter is only applicable to interpreted languages.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_paths (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### pathsIgnore

List of file or directory patterns to ignore. Each entry must be on its own line, e.g. `**/*.md` and `docs/`. Note: this parameter is only applicable to interpreted languages.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_pathsIgnore (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |
#### projectSettingsFile

Path to the Maven settings file that should be used as the project settings file.

| Scope | Details |
|---|---|
| Aliases | maven/projectSettingsFile |
| Type | string |
| Mandatory | no |
| Default | $PIPER_projectSettingsFile (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### querySuite

The name of a CodeQL query suite. If omitted, the default query suite for the language of the database being analyzed is used.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_querySuite (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### ram

Use this much RAM (in MB) for the CodeQL operations.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | 4000 |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### repository

URL of the GitHub instance.

| Scope | Details |
|---|---|
| Aliases | githubRepo |
| Type | string |
| Mandatory | no |
| Default | $PIPER_repository (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | commonPipelineEnvironment: reference to git/httpsUrl |

#### sarifCheckMaxRetries

Maximum number of retries when waiting for the server to finish processing the SARIF upload.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | int |
| Mandatory | no |
| Default | 10 |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### sarifCheckRetryInterval

Interval in seconds between retries when waiting for the server to finish processing the SARIF upload.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | int |
| Mandatory | no |
| Default | 30 |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### script

The common script environment of the running Jenkinsfile. Typically the reference to the script calling the pipeline step is provided with the `this` parameter, as in `script: this`. This allows the function to access the commonPipelineEnvironment for retrieving, e.g., configuration parameters.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | Jenkins Script |
| Mandatory | yes |
| Default | |
| Secret | no |
| Configuration scope | |
| Resource references | none |
#### stashContent

Jenkins-specific: used for proper environment setup.
Specific stashes that should be considered for the step execution.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | []string |
| Mandatory | no |
| Default | buildDescriptor, tests |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### targetGithubBranchName

Target GitHub branch name. Only relevant if the project uses a combination of Piper and a non-GitHub SCM.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_targetGithubBranchName (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### targetGithubRepoURL

Target GitHub repository URL. Only relevant if the project uses a combination of Piper and a non-GitHub SCM.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_targetGithubRepoURL (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### threads

Use this many threads for the CodeQL operations.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | 0 |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### transformQuerySuite

A transform string that is applied to the querySuite using the sed command.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_transformQuerySuite (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### uploadResults

Allows you to upload the CodeQL SARIF results to your GitHub project. You need to set githubToken for this.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | false |
| Possible values | true, false |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### verbose

Activates verbose (debug) output.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | false |
| Possible values | true, false |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### vulnerabilityThresholdTotal

Threshold for the maximum number of allowed vulnerabilities.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | int |
| Mandatory | no |
| Default | 0 |
| Secret | no |
| Configuration scope | |
| Resource references | none |

#### githubTokenCredentialsId

Jenkins 'Secret text' credentials ID containing the token used to authenticate to GitHub.

| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Configuration scope | |