Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CodeQL: Setting paths in Github Advanced Security for Azure Devops #18372

Open
woeterman94 opened this issue Dec 27, 2024 · 2 comments
Open

CodeQL: Setting paths in Github Advanced Security for Azure Devops #18372

woeterman94 opened this issue Dec 27, 2024 · 2 comments
Labels
question Further information is requested

Comments

@woeterman94
Copy link

woeterman94 commented Dec 27, 2024
edited
Loading

I'm using Github Advanced Security in Azure devops in a monorepo. With the given folder structure:

.
└── apps/
    ├── frontend/
    │   ├── green-app
    │   └── red-app
    └── backend/
        ├── green-app
        └── red-app

By default the codeql task will scan the ENTIRE code base. Which is not what I want.

How can I configure Github advanced security to only scan one project? For example the front-end and backend folder for the green-app.

I tried setting the sources folder to the back-end folder. But then I'm not able to "reach" the front-end folder when I set the codeqlpathstoinclude parameter. When I try this:

  - task: AdvancedSecurity-Codeql-Init@1
    condition: and(succeededOrFailed(), ${{parameters.runGithubAdvancedSecurity}})
    displayName: 'Github Advanced Security: Initialize 🛡'
    inputs:
      languages: 'csharp,javascript'
      sourcesfolder: '$(System.DefaultWorkingDirectory)/apps/backend/green-app'
      codeqlpathstoinclude: '../frontend/green-app'

(Following the docs: "The paths must be relative to the sourcesfolder where CodeQL is running, which defaults to the Build.SourcesDirectory pipeline environment variable. For example, to include the $(Build.SourcesDirectory)/app directory, set codeqlpathstoinclude: app rather than codeqlpathstoinclude: $(Build.SourcesDirectory)/app.")

I get:

Only found JavaScript or TypeScript files that were empty or contained syntax errors

Wildcards are also giving issues:
apps/*/green-app/**/*

What am I doing wrong here? Any other way i can accomplish this?
@woeterman94 woeterman94 added the question Further information is requested label Dec 27, 2024
@jketema jketema changed the title CodeQL: Setting paths in Github Advanced Security for Devops CodeQL: Setting paths in Github Advanced Security for Azure Devops Dec 27, 2024
@jketema
Copy link
Contributor

jketema commented Dec 27, 2024
edited
Loading

Hi @woeterman94,

I've asked people knowledgeable about the Azure Devops setup to take a look at your question. Note that their response might be somewhat delayed, because many people have holidays around this time of year.

@felickz
Copy link
Contributor

felickz commented Dec 27, 2024
edited
Loading

I would suggest a similar approach:

  • remove sources folder directive, you are accomplishing that with paths include filter
  • use paths include with glob: apps/**/green-app/**
    • Standard glob rules for CodeQL apply: here
  • CSharp paths include/ignore filtering only works if you switch to none for buildtype , testing with your JS should still work though (docs). Otherwise CodeQL CSharp will scan everything that compiles between Init and Analyze steps.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@felickz @woeterman94 @jketema