Skip to content

codeqlExecuteScan

This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.

Description

This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.

The codeql step triggers a scan locally on your orchestrator (e.g. Jenkins) within a docker container so finally you have to supply a docker image with codeql and Java plus Maven.

Usage

We recommend to define values of step parameters via .pipeline/config.yml file.
In this case, calling the step is essentially reduced to defining the step name.
Calling the step can be done either in an orchestrator specific way (e.g. via a Jenkins library step) or on the command line.

library('piper-lib-os')

codeqlExecuteScan script: this

piper codeqlExecuteScan

Outputs

Output type Details
influx measurement step_data
  • codeql
    • measurement codeql_data
    • repositoryUrl
    • repositoryReferenceUrl
    • codeScanningLink
    • querySuite
    • optionalTotal
    • optionalAudited
    • auditAllTotal
    • auditAllAudited

Parameters

Overview - Step

Name Mandatory Additional information
script (yes) Jenkins only reference to Jenkins main pipeline script
analyzedRef no
buildCommand no
buildTool no
checkForCompliance no
commitId no
customCommand no
database no
databaseAnalyzeFlags no
databaseCreateFlags no
githubToken no Vault Secret pass via ENV, Vault or Jenkins credentials (githubTokenCredentialsId)
globalSettingsFile no
language no
modulePath no
projectSettingsFile no
querySuite no
ram no
repository no
sarifCheckMaxRetries no
sarifCheckRetryInterval no
targetGithubBranchName no
targetGithubRepoURL no
threads no
transformQuerySuite no
uploadResults no
verbose no activates debug output
vulnerabilityThresholdTotal no

Overview - Execution Environment

Orchestrator-specific only

These parameters are relevant for orchestrator usage and not considered when using the command line option.

Name Mandatory Additional information
containerCommand no Jenkins only
containerShell no Jenkins only
dockerEnvVars no
dockerImage no
dockerName no
dockerOptions no
dockerPullImage no
dockerVolumeBind no Jenkins only
dockerWorkspace no Jenkins only
stashContent no Jenkins only

Details

analyzedRef

If this ref is a pull request merge commit, then use refs/pulls/1234/merge or refs/pulls/1234/head (depending on whether or not this commit corresponds to the HEAD or MERGE commit of the PR). Otherwise, this should be a branch: refs/heads/branch-name. If omitted, the CLI will attempt to automatically populate this from the current branch of the checkout path, if this exists.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_analyzedRef (if set)
Secret no
Configuration scope
  • ☐ parameter
  • ☐ general
  • ☐ steps
  • ☐ stages
Resource references commonPipelineEnvironment:
  reference to: git/ref

buildCommand

Command to build the project

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_buildCommand (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

buildTool

Based on the build tool the step will try to auto build the project. The step will try to auto select the language and the build command.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default maven
Possible values - custom
- maven
- golang
- npm
- pip
- yarn
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

checkForCompliance

If set to true, the piper step checks for compliance based on vulnerability threadholds. Example - If total vulnerabilites are 10 and vulnerabilityThresholdTotal is set as 0, then the steps throws an compliance error.

back to overview

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

commitId

SHA of commit that was analyzed.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_commitId (if set)
Secret no
Configuration scope
  • ☐ parameter
  • ☐ general
  • ☐ steps
  • ☐ stages
Resource references commonPipelineEnvironment:
  reference to: git/remoteCommitId

containerCommand

Jenkins-specific: Used for proper environment setup.

Kubernetes only: Allows to specify start command for container created with dockerImage parameter to overwrite Piper default (/usr/bin/tail -f /dev/null).

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

containerShell

Jenkins-specific: Used for proper environment setup.

Allows to specify the shell to be executed for container with containerName.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

customCommand

A custom user-defined command to run between codeql analysis and results upload.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_customCommand (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

database

Path to the CodeQL database to create. This directory will be created, and must not already exist.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default codeqlDB
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

databaseAnalyzeFlags

A space-separated string of flags for the 'codeql database analyze' command.

If both long and short forms of the same flag are provided, the long form takes precedence. Example input: "--threads=1 --ram=2000"

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_databaseAnalyzeFlags (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

databaseCreateFlags

A space-separated string of flags for the 'codeql database create' command.

If both long and short forms of the same flag are provided, the long form takes precedence. Example input: "--threads=1 --ram=2000"

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_databaseCreateFlags (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerEnvVars

Environment variables to set in the container, e.g. [http_proxy: "proxy:8080"].

back to overview

Scope Details
Aliases -
Type map[string]string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerImage

Name of the docker image that should be used. If empty, Docker is not used and the command is executed directly on the Jenkins system.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default ``
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerName

Kubernetes only: Name of the container launching dockerImage. SideCar only: Name of the container in local network.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerOptions

Docker options to be set when starting the container.

back to overview

Scope Details
Aliases -
Type []string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerPullImage

Set this to 'false' to bypass a docker image pull. Useful during development process. Allows testing of images which are available in the local registry only.

back to overview

Scope Details
Aliases -
Type bool
Mandatory no
Default true
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerVolumeBind

Jenkins-specific: Used for proper environment setup.

Volumes that should be mounted into the docker container.

back to overview

Scope Details
Aliases -
Type map[string]string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerWorkspace

Jenkins-specific: Used for proper environment setup.

Kubernetes only: Specifies a dedicated user home directory for the container which will be passed as value for environment variable HOME.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

githubToken

GitHub personal access token in plain text. NEVER set this parameter in a file commited to a source code repository. This parameter is intended to be used from the command line or set securely via the environment variable listed below. In most pipeline use-cases, you should instead either store the token in Vault (where it can be automatically retrieved by the step from one of the paths listed below) or store it as a Jenkins secret and configure the secret's id via the githubTokenCredentialsId parameter.

back to overview

Scope Details
Aliases access_token
Type string
Mandatory no
Default $PIPER_githubToken (if set)
Secret yes
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references Jenkins credential id:
  id: githubTokenCredentialsId

Vault resource:
  name: githubVaultSecretName
  default value: github

Vault paths:
  • $(vaultPath)/github
  • $(vaultBasePath)/$(vaultPipelineName)/github
  • $(vaultBasePath)/GROUP-SECRETS/github

globalSettingsFile

Path to the mvn settings file that should be used as global settings file.

back to overview

Scope Details
Aliases maven/globalSettingsFile
Type string
Mandatory no
Default $PIPER_globalSettingsFile (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

language

The programming language used to analyze. Use coma separation and select custom build tool to analyze multiple languages

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_language (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

modulePath

Allows providing the path for the module to scan

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default ./
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

projectSettingsFile

Path to the mvn settings file that should be used as project settings file.

back to overview

Scope Details
Aliases maven/projectSettingsFile
Type string
Mandatory no
Default $PIPER_projectSettingsFile (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

querySuite

The name of a CodeQL query suite. If omitted, the default query suite for the language of the database being analyzed will be used.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_querySuite (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

ram

Use this much ram (MB) for the codeql operations.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default 4000
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

repository

URL of the GitHub instance

back to overview

Scope Details
Aliases githubRepo
Type string
Mandatory no
Default $PIPER_repository (if set)
Secret no
Configuration scope
  • ☐ parameter
  • ☐ general
  • ☐ steps
  • ☐ stages
Resource references commonPipelineEnvironment:
  reference to: git/httpsUrl

sarifCheckMaxRetries

Maximum number of retries when waiting for the server to finish processing the SARIF upload.

back to overview

Scope Details
Aliases -
Type int
Mandatory no
Default 10
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

sarifCheckRetryInterval

Interval in seconds between retries when waiting for the server to finish processing the SARIF upload.

back to overview

Scope Details
Aliases -
Type int
Mandatory no
Default 30
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

script

The common script environment of the Jenkinsfile running. Typically the reference to the script calling the pipeline step is provided with the this parameter, as in script: this. This allows the function to access the commonPipelineEnvironment for retrieving, e.g. configuration parameters.

back to overview

Scope Details
Aliases -
Type Jenkins Script
Mandatory yes
Default
Secret no
Configuration scope
  • ☐ parameter
  • ☐ general
  • ☐ steps
  • ☐ stages
Resource references none

stashContent

Jenkins-specific: Used for proper environment setup.

Specific stashes that should be considered for the step execution.

back to overview

Scope Details
Aliases -
Type []string
Mandatory no
Default - buildDescriptor
- tests
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

targetGithubBranchName

Target github branch name. Only relevant, if project uses a combination of Piper and non-GitHub SCM.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_targetGithubBranchName (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

targetGithubRepoURL

Target github repo url. Only relevant, if project uses a combination of Piper and non-GitHub SCM.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_targetGithubRepoURL (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

threads

Use this many threads for the codeql operations.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default 0
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

transformQuerySuite

A transform string that will be applied to the querySuite using the sed command.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_transformQuerySuite (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

uploadResults

Allows you to upload codeql SARIF results to your github project. You will need to set githubToken for this.

back to overview

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

verbose

verbose output

back to overview

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

vulnerabilityThresholdTotal

Threashold for maximum number of allowed vulnerabilities.

back to overview

Scope Details
Aliases -
Type int
Mandatory no
Default 0
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

githubTokenCredentialsId

Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.

back to overview

Scope Details
Aliases -
Type string
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages