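---
# Piper step metadata for codeqlExecuteScan: declares the step's inputs
# (secrets, resources, parameters), its container and its report outputs.
# Fixes: two parameters declared their help text under a misspelled key
# (`descriptoin`), so that text was never attached to the parameter; spelling
# in several descriptions is corrected as well.
metadata:
  name: codeqlExecuteScan
  description: This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.
  longDescription: |-
    This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.

    The codeql step triggers a scan locally on your orchestrator (e.g. Jenkins) within a docker container so finally you have to supply a docker image with codeql
    and Java plus Maven.

spec:
  inputs:
    secrets:
      - name: githubTokenCredentialsId
        description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
        type: jenkins
    resources:
      - name: commonPipelineEnvironment
        resourceSpec:
          type: piperEnvironment
      - name: buildDescriptor
        type: stash
      - name: tests
        type: stash
    params:
      # Secret parameter: intended to be resolved from the Jenkins credential
      # or Vault references below rather than written into committed config.
      - name: githubToken
        description: "GitHub personal access token in plain text. NEVER set this parameter in a file committed to a source code repository. This parameter is intended to be used from the command line or set securely via the environment variable listed below. In most pipeline use-cases, you should instead either store the token in Vault (where it can be automatically retrieved by the step from one of the paths listed below) or store it as a Jenkins secret and configure the secret's id via the `githubTokenCredentialsId` parameter."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        secret: true
        aliases:
          - name: access_token
        resourceRef:
          - name: githubTokenCredentialsId
            type: secret
          - type: vaultSecret
            default: github
            name: githubVaultSecretName
      - name: buildTool
        type: string
        description: Defines the build tool which is used for building the project.
        longDescription: |-
          Based on the build tool the step will try to auto build the project. The step will try to auto select
          the language and the build command. You can override the language and the build command by specifying it separately.
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        possibleValues:
          - custom
          - maven
          - golang
          - npm
          - pip
          - yarn
        default: "maven"
      # The build command overrides the auto-selected one (see buildTool) and is
      # run as part of the scan; it should come from trusted pipeline config only.
      - name: buildCommand
        type: string
        description: "Command to build the project"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: language
        type: string
        description: "The programming language used to analyze."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: modulePath
        type: string
        description: "Allows providing the path for the module to scan"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "./"
      - name: database
        type: string
        description: "Path to the CodeQL database to create. This directory will be created, and must not already exist."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "codeqlDB"
      - name: querySuite
        type: string
        description: "The name of a CodeQL query suite. If omitted, the default query suite for the language of the database being analyzed will be used."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Upload is opt-in; it needs githubToken (see description).
      - name: uploadResults
        type: bool
        description: "Allows you to upload codeql SARIF results to your github project. You will need to set githubToken for this."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: sarifCheckMaxRetries
        type: int
        description: "Maximum number of retries when waiting for the server to finish processing the SARIF upload."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 10
      - name: sarifCheckRetryInterval
        type: int
        description: "Interval in seconds between retries when waiting for the server to finish processing the SARIF upload."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 30
      # Key was misspelled `descriptoin` in the original; corrected so the help text is picked up.
      - name: targetGithubRepoURL
        type: string
        description: "Target github repo url. Only relevant, if project uses a combination of Piper and non-GitHub SCM."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Key was misspelled `descriptoin` in the original; corrected so the help text is picked up.
      - name: targetGithubBranchName
        type: string
        description: "Target github branch name. Only relevant, if project uses a combination of Piper and non-GitHub SCM."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Kept as a quoted string (type: string), not an int.
      - name: threads
        type: string
        description: "Use this many threads for the codeql operations."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "0"
      - name: ram
        type: string
        description: "Use this much ram (MB) for the codeql operations."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # analyzedRef, repository and commitId are filled from the
      # commonPipelineEnvironment git values when not set explicitly.
      - name: analyzedRef
        type: string
        description: "Name of the ref that was analyzed."
        longDescription: |-
          If this ref is a pull request merge commit, then use refs/pulls/1234/merge or refs/pulls/1234/head (depending on whether or not this commit corresponds to the HEAD or MERGE commit of the PR).
          Otherwise, this should be a branch: refs/heads/branch-name. If omitted, the CLI will attempt to automatically populate this from the current branch of the checkout path, if this exists.
        resourceRef:
          - name: commonPipelineEnvironment
            param: git/ref
      - name: repository
        aliases:
          - name: githubRepo
        description: "URL of the GitHub instance"
        resourceRef:
          - name: commonPipelineEnvironment
            param: git/httpsUrl
        type: string
      - name: commitId
        description: "SHA of commit that was analyzed."
        resourceRef:
          - name: commonPipelineEnvironment
            param: git/remoteCommitId
        type: string
      # Threshold is only enforced when checkForCompliance is true (see its description).
      - name: vulnerabilityThresholdTotal
        description: "Threshold for maximum number of allowed vulnerabilities."
        type: int
        default: 0
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Off by default: with the default of false, findings do not fail the step.
      - name: checkForCompliance
        description: "If set to true, the piper step checks for compliance based on vulnerability thresholds. Example - If total vulnerabilities are 10 and vulnerabilityThresholdTotal is set as 0, then the step throws a compliance error."
        type: bool
        default: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
  # No default image: the caller must supply an image with codeql and the
  # build toolchain (see metadata.longDescription).
  containers:
    - image: ""
  outputs:
    resources:
      - name: reports
        type: reports
        params:
          - filePattern: "**/*.csv"
            type: codeql
          - filePattern: "**/*.sarif"
            type: codeql
          - filePattern: "**/toolrun_codeql_*.json"
            type: codeql
          - filePattern: "**/piper_codeql_report.json"
            type: codeql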