advanced-security-codeql-init-v1.md

title: AdvancedSecurity-Codeql-Init@1 - Advanced Security Initialize CodeQL v1 task
description: Initializes the CodeQL database in preparation for building.
ms.date: 06/11/2024
monikerRange: =azure-pipelines

AdvancedSecurity-Codeql-Init@1 - Advanced Security Initialize CodeQL v1 task

:::moniker range="=azure-pipelines"

Initializes the CodeQL database in preparation for building.

You must have GitHub Advanced Security for Azure DevOps enabled for the repository being scanned.

:::moniker-end

Syntax

:::moniker range="=azure-pipelines"

# Advanced Security Initialize CodeQL v1
# Initializes the CodeQL database in preparation for building.
- task: AdvancedSecurity-Codeql-Init@1
  inputs:
    #languages: # 'csharp' | 'cpp' | 'go' | 'java' | 'javascript' | 'python' | 'ruby' | 'swift'. Languages to analyze. 
    #querysuite: 'Select a query suite...' # 'Select a query suite...' | 'code-scanning' | 'security-extended' | 'security-experimental' | 'security-and-quality'. CodeQL Query Suite to use for analysis. Default: Select a query suite....
  # Advanced
    #ram: # string. Options to control RAM usage in MB. 
    #threads: # string. Use this many threads to evaluate queries. 
    #codeqlpathstoignore: # string. Set a list of paths to exclude in the CodeQL analysis. 
    #codeqlpathstoinclude: # string. Set a list of additional paths to include in the CodeQL analysis. 
    #sourcesfolder: # string. Sets the folder that contains the sources to be analyzed. 
    #loglevel: '_' # '0' | '1' | '2' | '_'. Set the log level for the CodeQL analysis. Default: _.
    #configfilepath: # string. Use this to enable custom query analysis in codeql (path must be absolute). 
    #codeqltoolsdirectory: # string. Set a custom CodeQL tools directory (path must be absolute).

:::moniker-end

Inputs

:::moniker range="=azure-pipelines"

languages - Languages to analyze
string. Allowed values: csharp, cpp, go, java, javascript, python, ruby, swift.

The programming language to analyze. Multiple languages can be separated by a comma.

You can set the language here in the task, or you can specify the language in a pipeline variable named advancedsecurity.codeql.language. If both are set, the value specified in the task takes precedence.


:::moniker-end

:::moniker range="=azure-pipelines"

querysuite - CodeQL Query Suite to use for analysis.
string. Allowed values: Select a query suite..., code-scanning, security-extended, security-experimental, security-and-quality. Default value: Select a query suite....

The query suite, i.e. ruleset, used for analysis. You can specify the value here in the task, or you can specify it in a pipeline variable named advancedsecurity.codeql.querysuite. If both are set, the value specified in the task takes precedence. The default value is Select a query suite... which indicates that the query suite must be specified in the advancedsecurity.codeql.querysuite variable.


:::moniker-end

:::moniker range="=azure-pipelines"

ram - Options to control RAM usage in MB
string.

Sets the total amount of RAM the query evaluator is allowed to use.

You can specify ram here in the task, or you can specify it in a pipeline variable named advancedsecurity.codeql.ram. If both are set, the value specified in the task takes precedence.


:::moniker-end

:::moniker range="=azure-pipelines"

threads - Use this many threads to evaluate queries
string.

You can pass 0 to use one thread per core on the machine, or -N to leave N cores unused (at least one thread is always used).

You can specify threads here in the task, or you can specify it in a pipeline variable named advancedsecurity.codeql.threads. If both are set, the value specified in the task takes precedence.


:::moniker-end

:::moniker range="=azure-pipelines"

codeqlpathstoignore - Set a list of paths to exclude in the CodeQL analysis
string.

You can provide multiple paths separated by commas. The paths must be relative to the sourcesfolder where CodeQL is running, which defaults to the Build.SourcesDirectory pipeline environment variable. For example, to ignore the $(Build.SourcesDirectory)/donotscan directory, set codeqlpathstoignore: donotscan rather than codeqlpathstoignore: $(Build.SourcesDirectory)/donotscan.

Important

The codeqlpathstoignore setting applies only when you run the CodeQL tasks on an interpreted language (Python, Ruby, and JavaScript/TypeScript).


:::moniker-end

:::moniker range="=azure-pipelines"

codeqlpathstoinclude - Set a list of additional paths to include in the CodeQL analysis
string.

You can provide multiple paths separated by commas. The paths must be relative to the sourcesfolder where CodeQL is running, which defaults to the Build.SourcesDirectory pipeline environment variable. For example, to include the $(Build.SourcesDirectory)/app directory, set codeqlpathstoinclude: app rather than codeqlpathstoinclude: $(Build.SourcesDirectory)/app.

Important

The codeqlpathstoinclude setting applies only when you run the CodeQL tasks on an interpreted language (Python, Ruby, and JavaScript/TypeScript).


:::moniker-end

:::moniker range="=azure-pipelines"

sourcesfolder - Sets the folder that contains the sources to be analyzed
string.

If you don't provide this value, the default sources folder for the pipeline infrastructure is used (provided by the Build.SourcesDirectory variable).


:::moniker-end

:::moniker range="=azure-pipelines"

loglevel - Set the log level for the CodeQL analysis
string. Allowed values: 0 (Warning), 1 (Verbose), 2 (Debug), _ (Default (Warning)). Default value: _.

Specify the level of logging.

You can specify loglevel here in the task, or you can specify it in a pipeline variable named advancedsecurity.codeql.loglevel. If both are set, the value specified in the task takes precedence, unless the task's loglevel is set to its default value _. If _ is specified, the value from advancedsecurity.codeql.loglevel is used if available.


:::moniker-end

:::moniker range="=azure-pipelines"

configfilepath - Use this to enable custom query analysis in codeql (path must be absolute).
string.

If the path is not provided, CodeQL analysis proceeds with the default queries.


:::moniker-end

:::moniker range="=azure-pipelines"

codeqltoolsdirectory - Set a custom CodeQL tools directory (path must be absolute)
string.

If the path is not provided, the default value of $agent_toolsdirectory is used.


:::moniker-end

Task control options

All tasks have control options in addition to their task inputs. For more information, see Control options and common task properties.

Output variables

:::moniker range="=azure-pipelines"

None.

:::moniker-end

Remarks

You must have GitHub Advanced Security for Azure DevOps enabled for the repository being scanned.

Important

This task is supported with Azure Repos Git repositories only.

The pipeline must call the tasks in the following order.

  1. Initialize CodeQL
  2. AutoBuild (or your custom build tasks)
  3. Perform CodeQL analysis

The AutoBuild task is optional and may be replaced with your custom build tasks. Either AutoBuild or your custom build tasks must be run for your project to be analyzed.
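
The following pipeline is an added example, not part of the original task reference. It shows the required task order together with the input and variable precedence rules described under Inputs. The companion task names AdvancedSecurity-Codeql-Autobuild@1 and AdvancedSecurity-Codeql-Analyze@1 are not listed on this page, and the trigger, pool and the third_party folder are assumptions.

```yaml
# Added example: trigger, pool and the 'third_party' folder are assumptions.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  # Used by the Init task because its querysuite input is left at the
  # default 'Select a query suite...'.
  advancedsecurity.codeql.querysuite: security-extended
  # Used only while the task's loglevel input stays at its default '_'.
  advancedsecurity.codeql.loglevel: '1'

steps:
  # 1. Initialize CodeQL
  - task: AdvancedSecurity-Codeql-Init@1
    inputs:
      # A value set here takes precedence over advancedsecurity.codeql.language.
      languages: 'javascript,python'
      # Relative to sourcesfolder (default: Build.SourcesDirectory), never
      # $(Build.SourcesDirectory)/donotscan. Applies to interpreted languages only.
      codeqlpathstoignore: 'donotscan,third_party'
      # -N leaves N cores unused; at least one thread is always used.
      threads: '-1'

  # 2. AutoBuild (or your custom build tasks)
  - task: AdvancedSecurity-Codeql-Autobuild@1

  # 3. Perform CodeQL analysis
  - task: AdvancedSecurity-Codeql-Analyze@1
```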

Requirements

:::moniker range="=azure-pipelines"

| Requirement | Description |
|---|---|
| Pipeline types | YAML, Classic build, Classic release |
| Runs on | Agent, DeploymentGroup |
| Demands | None |
| Capabilities | This task does not satisfy any demands for subsequent tasks in the job. |
| Command restrictions | Any |
| Settable variables | Any |
| Agent version | All supported agent versions. |
| Task category | Build |

:::moniker-end

See also