codeqlExecuteScan¶
This step executes a CodeQL scan on the specified project to perform static code analysis and check the source code for security flaws.
Description¶
The step runs the scan locally on your orchestrator (e.g. Jenkins) inside a Docker container, so you have to supply a Docker image that contains the CodeQL CLI together with the build toolchain of your project (for the default buildTool, maven, that means Java plus Maven).
Usage¶
We recommend defining the values of step parameters in the .pipeline/config.yml file.
In this case, calling the step is essentially reduced to naming the step.
The step can be called either in an orchestrator-specific way (e.g. via a Jenkins library step) or on the command line.
Jenkins pipeline:
```groovy
library('piper-lib-os')
codeqlExecuteScan script: this
```
Command line:
```sh
piper codeqlExecuteScan
```
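A complete .pipeline/config.yml stanza for this step, as an added example rather than a fragment from the Piper project's own documentation. The parameter names are the ones documented on this page; the image name, the credentials id, the query suite name and the Maven command are placeholders you would replace with your own values.

```yaml
# .pipeline/config.yml (added example; values marked as placeholders are assumptions)
steps:
  codeqlExecuteScan:
    # Jenkins-specific: the image must ship the CodeQL CLI plus the build
    # toolchain (Java + Maven for buildTool maven). Placeholder image name.
    dockerImage: 'registry.example.com/codeql-java-maven:latest'

    # buildTool drives auto-selection of language and build command.
    buildTool: 'maven'
    # Explicit overrides are optional; shown here so the choice is visible in review.
    language: 'java'
    buildCommand: 'mvn -B -DskipTests package'   # placeholder build command

    # Query suite to run (placeholder name); omit to use the language default.
    querySuite: 'java-security-extended.qls'
    ram: '4000'
    threads: '0'

    # Gate the build: more findings than the threshold fails the step.
    checkForCompliance: true
    vulnerabilityThresholdTotal: 0

    # Push the SARIF to GitHub code scanning. The token is resolved from
    # Jenkins credentials via githubTokenCredentialsId (placeholder id);
    # never put githubToken itself into this file.
    uploadResults: true
    githubTokenCredentialsId: 'github-codeql-upload-token'
```

On the command line the same gating works without Jenkins credentials: keep githubToken out of the config file and export it as the PIPER_githubToken environment variable (or let the step read it from Vault) before running piper codeqlExecuteScan.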
Outputs¶
Output type | Details |
---|---|
influx | measurements step_data and codeql_data |
Parameters¶
Overview - Step¶
Name | Mandatory | Additional information |
---|---|---|
script | (yes) | reference to Jenkins main pipeline script |
analyzedRef | no | |
buildCommand | no | |
buildTool | no | |
checkForCompliance | no | |
commitId | no | |
customCommand | no | |
database | no | |
databaseAnalyzeFlags | no | |
databaseCreateFlags | no | |
githubToken | no | pass via ENV, Vault or Jenkins credentials (githubTokenCredentialsId ) |
globalSettingsFile | no | |
language | no | |
modulePath | no | |
projectSettingsFile | no | |
querySuite | no | |
ram | no | |
repository | no | |
sarifCheckMaxRetries | no | |
sarifCheckRetryInterval | no | |
targetGithubBranchName | no | |
targetGithubRepoURL | no | |
threads | no | |
transformQuerySuite | no | |
uploadResults | no | |
verbose | no | activates debug output |
vulnerabilityThresholdTotal | no | |
Overview - Execution Environment¶
Orchestrator-specific only
These parameters are relevant for orchestrator usage and not considered when using the command line option.
Name | Mandatory | Additional information |
---|---|---|
containerCommand | no | |
containerShell | no | |
dockerEnvVars | no | |
dockerImage | no | |
dockerName | no | |
dockerOptions | no | |
dockerPullImage | no | |
dockerVolumeBind | no | |
dockerWorkspace | no | |
stashContent | no | |
Details¶
analyzedRef¶
If this ref is a pull request merge commit, then use refs/pulls/1234/merge or refs/pulls/1234/head (depending on whether or not this commit corresponds to the HEAD or MERGE commit of the PR). Otherwise, this should be a branch: refs/heads/branch-name. If omitted, the CLI will attempt to automatically populate this from the current branch of the checkout path, if this exists.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_analyzedRef (if set) |
Secret | no |
Configuration scope |
|
Resource references | commonPipelineEnvironment: reference to: git/ref |
buildCommand¶
Command to build the project
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_buildCommand (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
buildTool¶
Based on the build tool, the step tries to build the project automatically and to select the language and the build command on its own. You can override the language and the build command by specifying them separately.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | maven |
Possible values | - custom - maven - golang - npm - pip - yarn |
Secret | no |
Configuration scope |
|
Resource references | none |
checkForCompliance¶
If set to true, the step checks compliance against the vulnerability threshold. Example: if the scan reports 10 vulnerabilities in total and vulnerabilityThresholdTotal is set to 0, the step fails with a compliance error.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | false |
Possible values | - true - false |
Secret | no |
Configuration scope |
|
Resource references | none |
commitId¶
SHA of the commit that was analyzed.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_commitId (if set) |
Secret | no |
Configuration scope |
|
Resource references | commonPipelineEnvironment: reference to: git/remoteCommitId |
containerCommand¶
Jenkins-specific: Used for proper environment setup.
Kubernetes only: Allows specifying the start command for the container created from the dockerImage parameter, overriding the Piper default (/usr/bin/tail -f /dev/null).
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope |
|
Resource references | none |
containerShell¶
Jenkins-specific: Used for proper environment setup.
Allows specifying the shell to be executed for the container with containerName.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope |
|
Resource references | none |
customCommand¶
A custom user-defined command to run between codeql analysis and results upload.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_customCommand (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
database¶
Path to the CodeQL database to create. This directory will be created, and must not already exist.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | codeqlDB |
Secret | no |
Configuration scope |
|
Resource references | none |
databaseAnalyzeFlags¶
A space-separated string of flags for the 'codeql database analyze' command.
If both long and short forms of the same flag are provided, the long form takes precedence. Example input: "--threads=1 --ram=2000"
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_databaseAnalyzeFlags (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
databaseCreateFlags¶
A space-separated string of flags for the 'codeql database create' command.
If both long and short forms of the same flag are provided, the long form takes precedence. Example input: "--threads=1 --ram=2000"
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_databaseCreateFlags (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
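The precedence rule stated for databaseCreateFlags and databaseAnalyzeFlags (a long flag wins over the short spelling of the same flag, whatever their order) is easy to get wrong when a pipeline assembles these strings from several sources. The following Go program is an added example, not the step's own implementation, that parses such a flag string the way the rule describes. The short aliases it knows, -j for --threads and -M for --ram, are taken from the CodeQL CLI's own help output and should be treated as an assumption of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// shortToLong maps CodeQL CLI short aliases to their long flag names.
// Assumption of this example: -j/--threads and -M/--ram as printed by
// `codeql database create --help`.
var shortToLong = map[string]string{
	"-j": "--threads",
	"-M": "--ram",
}

// ResolveFlags parses a space-separated flag string such as the value of
// databaseCreateFlags / databaseAnalyzeFlags and returns one value per long
// flag name. It accepts `--flag=value`, `--flag value`, `-x value` and
// `-x=value`; a flag with no value is treated as a boolean switch ("true").
// When the long and the short form of the same flag both appear, the long
// form takes precedence regardless of their order.
func ResolveFlags(flags string) (map[string]string, error) {
	resolved := map[string]string{}
	setByLong := map[string]bool{}
	toks := strings.Fields(flags)
	for i := 0; i < len(toks); i++ {
		name, value, hasValue := strings.Cut(toks[i], "=")
		if !strings.HasPrefix(name, "-") {
			return nil, fmt.Errorf("unexpected token %q: flags must start with '-'", toks[i])
		}
		if !hasValue {
			// value may follow as the next token, unless that token is itself a flag
			if i+1 < len(toks) && !strings.HasPrefix(toks[i+1], "-") {
				i++
				value = toks[i]
			} else {
				value = "true"
			}
		}
		isLong := strings.HasPrefix(name, "--")
		long := name
		if !isLong {
			if l, ok := shortToLong[name]; ok {
				long = l
			} // unknown short flags are kept under their own name
		}
		// a short form never overrides a value already set by the long form
		if !isLong && setByLong[long] {
			continue
		}
		resolved[long] = value
		if isLong {
			setByLong[long] = true
		}
	}
	return resolved, nil
}

func main() {
	for _, in := range []string{
		"--threads=1 --ram=2000", // the page's own example input
		"-j 8 --threads=1",       // long form after short form: long wins
		"--threads=1 -j 8",       // long form before short form: long still wins
	} {
		r, err := ResolveFlags(in)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-26q -> threads=%s ram=%s\n", in, r["--threads"], r["--ram"])
	}
}
```

Both orderings of `-j 8` and `--threads=1` resolve to one thread, which is the behaviour the page describes; a plain "last one wins" parser would give different answers for the two orderings.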
dockerEnvVars¶
Jenkins-specific: Used for proper environment setup.
Environment variables to set in the container, e.g. [http_proxy: "proxy:8080"].
Scope | Details |
---|---|
Aliases | - |
Type | map[string]string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope |
|
Resource references | none |
dockerImage¶
Jenkins-specific: Used for proper environment setup.
Name of the docker image that should be used. If empty, Docker is not used and the command is executed directly on the Jenkins system.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | `` |
Secret | no |
Configuration scope |
|
Resource references | none |
dockerName¶
Jenkins-specific: Used for proper environment setup.
Kubernetes only: Name of the container launching dockerImage. SideCar only: Name of the container in local network.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope |
|
Resource references | none |
dockerOptions¶
Jenkins-specific: Used for proper environment setup.
Docker options to be set when starting the container.
Scope | Details |
---|---|
Aliases | - |
Type | []string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope |
|
Resource references | none |
dockerPullImage¶
Jenkins-specific: Used for proper environment setup.
Set this to 'false' to bypass a docker image pull. Useful during the development process: it allows testing images that are available in the local registry only.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | true |
Possible values | - true - false |
Secret | no |
Configuration scope |
|
Resource references | none |
dockerVolumeBind¶
Jenkins-specific: Used for proper environment setup.
Volumes that should be mounted into the docker container.
Scope | Details |
---|---|
Aliases | - |
Type | map[string]string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope |
|
Resource references | none |
dockerWorkspace¶
Jenkins-specific: Used for proper environment setup.
Kubernetes only: Specifies a dedicated user home directory for the container which will be passed as value for environment variable HOME.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope |
|
Resource references | none |
githubToken¶
GitHub personal access token in plain text. NEVER set this parameter in a file committed to a source code repository. This parameter is intended to be used from the command line or set securely via the environment variable listed below. In most pipeline use-cases, you should instead either store the token in Vault (where it can be automatically retrieved by the step from one of the paths listed below) or store it as a Jenkins secret and configure the secret's id via the githubTokenCredentialsId parameter.
Scope | Details |
---|---|
Aliases | access_token |
Type | string |
Mandatory | no |
Default | $PIPER_githubToken (if set) |
Secret | yes |
Configuration scope |
|
Resource references | Jenkins credential id: id: githubTokenCredentialsId Vault resource: name: githubVaultSecretName default value: github Vault paths:
|
globalSettingsFile¶
Path to the mvn settings file that should be used as global settings file.
Scope | Details |
---|---|
Aliases | maven/globalSettingsFile |
Type | string |
Mandatory | no |
Default | $PIPER_globalSettingsFile (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
language¶
The programming language of the code to analyze.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_language (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
modulePath¶
Allows providing the path for the module to scan
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | ./ |
Secret | no |
Configuration scope |
|
Resource references | none |
projectSettingsFile¶
Path to the mvn settings file that should be used as project settings file.
Scope | Details |
---|---|
Aliases | maven/projectSettingsFile |
Type | string |
Mandatory | no |
Default | $PIPER_projectSettingsFile (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
querySuite¶
The name of a CodeQL query suite. If omitted, the default query suite for the language of the database being analyzed will be used.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_querySuite (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
ram¶
Use this much RAM (in MB) for the CodeQL operations.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | 4000 |
Secret | no |
Configuration scope |
|
Resource references | none |
repository¶
URL of the GitHub repository to analyze; if not set, the repository's HTTPS URL is taken from the common pipeline environment.
Scope | Details |
---|---|
Aliases | githubRepo |
Type | string |
Mandatory | no |
Default | $PIPER_repository (if set) |
Secret | no |
Configuration scope |
|
Resource references | commonPipelineEnvironment: reference to: git/httpsUrl |
sarifCheckMaxRetries¶
Maximum number of retries when waiting for the server to finish processing the SARIF upload.
Scope | Details |
---|---|
Aliases | - |
Type | int |
Mandatory | no |
Default | 10 |
Secret | no |
Configuration scope |
|
Resource references | none |
sarifCheckRetryInterval¶
Interval in seconds between retries when waiting for the server to finish processing the SARIF upload.
Scope | Details |
---|---|
Aliases | - |
Type | int |
Mandatory | no |
Default | 30 |
Secret | no |
Configuration scope |
|
Resource references | none |
script¶
Jenkins-specific: Used for proper environment setup.
The common script environment of the Jenkinsfile running. Typically the reference to the script calling the pipeline step is provided with the this parameter, as in script: this. This allows the function to access the commonPipelineEnvironment for retrieving, e.g., configuration parameters.
Scope | Details |
---|---|
Aliases | - |
Type | Jenkins Script |
Mandatory | yes |
Default | |
Secret | no |
Configuration scope |
|
Resource references | none |
stashContent¶
Jenkins-specific: Used for proper environment setup.
Specific stashes that should be considered for the step execution.
Scope | Details |
---|---|
Aliases | - |
Type | []string |
Mandatory | no |
Default | - buildDescriptor - tests |
Secret | no |
Configuration scope |
|
Resource references | none |
targetGithubBranchName¶
Target GitHub branch name. Only relevant if the project uses a combination of Piper and a non-GitHub SCM.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_targetGithubBranchName (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
targetGithubRepoURL¶
Target GitHub repository URL. Only relevant if the project uses a combination of Piper and a non-GitHub SCM.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_targetGithubRepoURL (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
threads¶
Use this many threads for the CodeQL operations.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | 0 |
Secret | no |
Configuration scope |
|
Resource references | none |
transformQuerySuite¶
A transform string that will be applied to the querySuite using the sed command.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_transformQuerySuite (if set) |
Secret | no |
Configuration scope |
|
Resource references | none |
uploadResults¶
Allows you to upload the CodeQL SARIF results to your GitHub project. You will need to provide githubToken for this.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | false |
Possible values | - true - false |
Secret | no |
Configuration scope |
|
Resource references | none |
verbose¶
verbose output
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | false |
Possible values | - true - false |
Secret | no |
Configuration scope |
|
Resource references | none |
vulnerabilityThresholdTotal¶
Threshold for the maximum number of allowed vulnerabilities.
Scope | Details |
---|---|
Aliases | - |
Type | int |
Mandatory | no |
Default | 0 |
Secret | no |
Configuration scope |
|
Resource references | none |
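The gate formed by checkForCompliance and vulnerabilityThresholdTotal compares the number of findings in the CodeQL SARIF output against the threshold. The following Go program is an added example, not the step's own code, that applies the rule the page describes to a SARIF 2.1.0 document: it counts every result across all runs, tallies them by level and reports non-compliance as soon as the total exceeds the threshold. The sample SARIF is constructed for this example; counting every result regardless of level is an assumption of the example, not a statement about how the step itself counts.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// sarifLog is the minimal view of a SARIF 2.1.0 log needed for the check:
// each run carries a list of results, each with a rule id and a level.
type sarifLog struct {
	Runs []struct {
		Results []struct {
			RuleID string `json:"ruleId"`
			Level  string `json:"level"`
		} `json:"results"`
	} `json:"runs"`
}

// ComplianceReport summarizes what the threshold check saw.
type ComplianceReport struct {
	Total     int
	ByLevel   map[string]int
	Threshold int
	Compliant bool
}

// CheckCompliance parses a SARIF document and applies the page's rule:
// more results than vulnerabilityThresholdTotal means non-compliant.
// Assumption of this example: every result counts, whatever its level.
func CheckCompliance(sarif []byte, threshold int) (ComplianceReport, error) {
	var doc sarifLog
	if err := json.Unmarshal(sarif, &doc); err != nil {
		return ComplianceReport{}, fmt.Errorf("parse SARIF: %w", err)
	}
	rep := ComplianceReport{ByLevel: map[string]int{}, Threshold: threshold}
	for _, run := range doc.Runs {
		for _, r := range run.Results {
			level := r.Level
			if level == "" {
				level = "warning" // SARIF's default when the level property is absent
			}
			rep.ByLevel[level]++
			rep.Total++
		}
	}
	rep.Compliant = rep.Total <= threshold
	return rep, nil
}

// sampleSARIF is a constructed SARIF document with two runs and three
// results in total; one result omits its level on purpose.
const sampleSARIF = `{
  "version": "2.1.0",
  "runs": [
    {"tool": {"driver": {"name": "CodeQL"}},
     "results": [
       {"ruleId": "java/sql-injection", "level": "error"},
       {"ruleId": "java/log-injection", "level": "warning"}
     ]},
    {"tool": {"driver": {"name": "CodeQL"}},
     "results": [
       {"ruleId": "java/path-injection"}
     ]}
  ]
}`

func main() {
	// threshold 0 mirrors the step's default; threshold 3 shows the boundary case
	for _, threshold := range []int{0, 3} {
		rep, err := CheckCompliance([]byte(sampleSARIF), threshold)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		fmt.Printf("threshold=%d total=%d byLevel=%v compliant=%t\n",
			rep.Threshold, rep.Total, rep.ByLevel, rep.Compliant)
		if !rep.Compliant {
			fmt.Println("  -> the step would fail with a compliance error")
		}
	}
}
```

With the default threshold of 0 any finding at all is a compliance failure, which is the strict setting a new project should start with; raising vulnerabilityThresholdTotal only makes sense as a temporary, reviewed exception, because the threshold is a plain count and does not distinguish an error-level finding from a note.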
githubTokenCredentialsId¶
Jenkins-specific: Used for proper environment setup. See using credentials for details.
Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Configuration scope |
|