---
title: Create a security scan GitHub workflow
description: In this quickstart, you will learn how to create a CodeQL GitHub workflow to automate the discovery of vulnerabilities in your .NET codebase.
author: IEvangelist
ms.author: dapine
ms.date: 02/16/2022
ms.topic: quickstart
---
In this quickstart, you will learn how to create a CodeQL GitHub workflow to automate the discovery of vulnerabilities in your .NET codebase.
In CodeQL, code is treated as data. Security vulnerabilities, bugs, and other errors are modeled as queries that can be executed against databases extracted from code.
[!INCLUDE prerequisites]
[!INCLUDE add-github-workflow]
Create a new file named *codeql-analysis.yml*, and copy and paste the following YML contents into it:
:::code language="yml" source="snippets/dotnet-secure-github-action/codeql-analysis.yml":::
In the preceding workflow composition:

- The `name: CodeQL` defines the workflow name; "CodeQL" is the name that appears in workflow status badges.

  :::code language="yml" source="snippets/dotnet-secure-github-action/codeql-analysis.yml" range="1":::

- The `on` node signifies the events that trigger the workflow:

  :::code language="yml" source="snippets/dotnet-secure-github-action/codeql-analysis.yml" range="3-15":::

  - Triggered when a `push` or `pull_request` occurs on the `main` branch and any of the changed files end with the *.cs* or *.csproj* file extension.
  - As a cron job (on a schedule), to run at 8:00 UTC every Thursday.

- The `jobs` node builds out the steps for the workflow to take.

  :::code language="yml" source="snippets/dotnet-secure-github-action/codeql-analysis.yml" range="17-46" highlight="2,10,22-24,27,30":::

  - There is a single job, named `analyze`, that runs on the latest version of Ubuntu.
  - The `strategy` defines C# as the `language`.
  - The `github/codeql-action/init@v1` GitHub Action initializes CodeQL.
  - The `github/codeql-action/autobuild@v1` GitHub Action builds the .NET project.
  - The `github/codeql-action/analyze@v1` GitHub Action performs the CodeQL analysis.
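The complete workflow that the list above describes, reconstructed here as an added example. This is not the page's own *snippets/dotnet-secure-github-action/codeql-analysis.yml* file (which is included by reference above); the checkout step, the exact spelling of the path filters, and the `permissions` block are assumptions drawn from how the `codeql-action` is normally used, not details the page states:

```yaml
name: CodeQL

on:
  push:
    branches: [ main ]
    # Only run when C# source or project files change.
    paths:
      - '**.cs'
      - '**.csproj'
  pull_request:
    branches: [ main ]
    paths:
      - '**.cs'
      - '**.csproj'
  schedule:
    # Every Thursday at 08:00 UTC (GitHub evaluates cron schedules in UTC;
    # day-of-week 4 is Thursday, with 0 = Sunday).
    - cron: '0 8 * * 4'

# Assumption: not mentioned on the page. The analyze step uploads SARIF
# results to code scanning, which needs security-events: write when the
# repository's default workflow token is read-only. Keep other scopes minimal.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        language: [ 'csharp' ]

    steps:
      # Assumption: a checkout step precedes the CodeQL steps so the source
      # is present on the runner for database extraction.
      - name: Checkout repository
        uses: actions/checkout@v2

      # Initializes CodeQL for the matrix language (C#).
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: ${{ matrix.language }}

      # Builds the .NET project so the C# extractor can capture a database.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v1

      # Runs the CodeQL queries and uploads the findings to code scanning.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1
```

Findings from the analyze step appear under the repository's **Security > Code scanning alerts** tab; a scheduled run is worth keeping even on quiet branches so that newly added queries get applied to unchanged code.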
For more information, see GitHub Actions: Configure code scanning.
[!INCLUDE add-status-badge]
Passing | Failing | No status |
---|---|---|
:::image type="content" source="media/codeql-badge-passing.svg" alt-text="GitHub: CodeQL passing badge"::: | :::image type="content" source="media/codeql-badge-failing.svg" alt-text="GitHub: CodeQL failing badge"::: | :::image type="content" source="media/codeql-badge-no-status.svg" alt-text="GitHub: CodeQL no-status badge"::: |
[!div class="nextstepaction"] Tutorial: Create a GitHub Action with .NET