See full walkthrough blog post: sam.hope-evans.com/code-scanning-a-github-repo-using-azure-pipelines/
This repo shows how to host your code in GitHub and use an Azure DevOps (ADO) pipeline to run GitHub Advanced Security CodeQL scans, returning the results to the code scanning interface in GitHub.
Prerequisites:
- GitHub repo: public or private (GitHub Advanced Security must be enabled)
- Azure DevOps project: with a YAML pipeline created
- GitHub PAT: with the `repo` and `security_events` scopes, saved as a secret ADO pipeline variable so it is masked in logs
- Azure Pipelines GitHub app: to allow ADO access to the GitHub repo
This repo has a simple Node JS app and an ADO pipeline that runs the CodeQL scan against it.
The ADO pipeline uses the CodeQL CLI bundle and the GitHub code scanning upload to:
- Download the latest CodeQL bundle for the detected OS
- Detect the languages of a given repository to determine which ones are supported by CodeQL
- Create CodeQL databases, analyze, and upload results back to GitHub for each supported language
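The steps above, written out as one shell script of the kind an ADO `script` step would run. This is an added example, not the pipeline from this repo or from CodeQL Anywhere. It assumes a few things not stated on the page: languages are detected by scanning file extensions locally (CodeQL Anywhere uses the GitHub repository languages API for this), the bundle is fetched from the `github/codeql-action` release assets named `codeql-bundle-linux64.tar.gz` / `codeql-bundle-osx64.tar.gz` / `codeql-bundle-win64.tar.gz`, the PAT is mapped into the step as `GITHUB_TOKEN`, and the `owner/repo` slug is supplied as `GITHUB_REPOSITORY`. `BUILD_SOURCESDIRECTORY`, `BUILD_SOURCEBRANCH`, `BUILD_SOURCEVERSION` and `AGENT_TEMPDIRECTORY` are the standard Azure Pipelines variables.

```shell
#!/bin/sh
# Added example: download the CodeQL bundle, detect languages, build a
# database per language, analyze it, and upload SARIF to GitHub.
# Assumed env (set by the ADO step): GITHUB_TOKEN (secret PAT with
# repo + security_events), GITHUB_REPOSITORY (owner/repo).

# Pick the bundle asset for the agent OS (names assumed from the
# github/codeql-action release page).
bundle_asset_for_os() {
  case "$1" in
    Linux)  echo codeql-bundle-linux64.tar.gz ;;
    Darwin) echo codeql-bundle-osx64.tar.gz ;;
    MINGW*|MSYS*|CYGWIN*) echo codeql-bundle-win64.tar.gz ;;
    *) echo "unsupported OS: $1" >&2; return 1 ;;
  esac
}

# Map one source file to the CodeQL language that analyzes it; prints
# nothing for files no CodeQL extractor covers (README, configs, ...).
codeql_language_for() {
  case "$1" in
    *.js|*.jsx|*.mjs|*.cjs|*.ts|*.tsx) echo javascript ;;
    *.py)    echo python ;;
    *.rb)    echo ruby ;;
    *.go)    echo go ;;
    *.java|*.kt) echo java ;;
    *.cs)    echo csharp ;;
    *.c|*.cc|*.cpp|*.cxx|*.h|*.hpp) echo cpp ;;
    *.swift) echo swift ;;
  esac
}

# Detect supported languages under a source root (local extension scan;
# an assumption in place of the GitHub languages API). Vendored
# dependencies and .git are skipped so they cannot add languages.
# Output: sorted, space-separated, unique language names.
detect_languages() {
  find "$1" -type f -not -path '*/node_modules/*' -not -path '*/.git/*' |
    while read -r f; do codeql_language_for "$f"; done |
    sort -u | tr '\n' ' ' | sed 's/ *$//'
}

scan_and_upload() {
  src="${BUILD_SOURCESDIRECTORY:-$PWD}"
  work="${AGENT_TEMPDIRECTORY:-/tmp}/codeql"
  mkdir -p "$work"

  asset=$(bundle_asset_for_os "$(uname -s)")
  curl -fsSL "https://github.com/github/codeql-action/releases/latest/download/$asset" \
    -o "$work/$asset"
  tar -xzf "$work/$asset" -C "$work"
  codeql="$work/codeql/codeql"

  langs=$(detect_languages "$src")
  [ -n "$langs" ] || { echo "no CodeQL-supported languages found" >&2; return 1; }

  for lang in $langs; do
    db="$work/db-$lang"
    # Compiled languages fall back to CodeQL's autobuild when no --command is given.
    "$codeql" database create "$db" --language="$lang" --source-root="$src" --overwrite
    "$codeql" database analyze "$db" "codeql/$lang-queries" \
      --format=sarif-latest --output="$work/$lang.sarif" --sarif-category="ado/$lang"
    # Token is passed on stdin rather than argv so it never shows in process lists or logs.
    printf '%s' "$GITHUB_TOKEN" | "$codeql" github upload-results \
      --sarif="$work/$lang.sarif" --repository="$GITHUB_REPOSITORY" \
      --ref="$BUILD_SOURCEBRANCH" --commit="$BUILD_SOURCEVERSION" --github-auth-stdin
  done
}

# Only run the network/CLI steps when explicitly asked, so the helper
# functions can be sourced and checked without a CodeQL bundle present.
if [ "${CODEQL_SCAN:-0}" = "1" ]; then
  scan_and_upload
fi
```

Run it from the pipeline as `CODEQL_SCAN=1 sh codeql-scan.sh` with `GITHUB_TOKEN` mapped from the secret variable in the step's `env:` block. A distinct `--sarif-category` per language is what lets GitHub keep the ADO results separate from any CodeQL runs uploaded by other tools for the same commit.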
In GitHub you can now see the security scan results and also the current status of CodeQL.
Based on this blog post by Kevin Alwell.
The CodeQL runner is now deprecated, so the Azure pipeline was adapted using David Wiggs's CodeQL Anywhere repo.