mirror of
https://github.com/SAP/jenkins-library.git
synced 2024-12-14 11:03:09 +02:00
126 lines
4.3 KiB
YAML
126 lines
4.3 KiB
YAML
|
metadata:
|
||
|
name: codeqlExecuteScan
|
||
|
description: This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.
|
||
|
longDescription: |-
|
||
|
This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.
|
||
|
|
||
|
The codeql step triggers a scan locally on your orchestrator (e.g. Jenkins) within a docker container so finally you have to supply a docker image with codeql
|
||
|
and Java plus Maven.
|
||
|
|
||
|
spec:
|
||
|
inputs:
|
||
|
secrets:
|
||
|
- name: githubTokenCredentialsId
|
||
|
description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
|
||
|
type: jenkins
|
||
|
params:
|
||
|
- name: githubToken
|
||
|
description: "GitHub personal access token as per
|
||
|
https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line"
|
||
|
scope:
|
||
|
- GENERAL
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
type: string
|
||
|
secret: true
|
||
|
aliases:
|
||
|
- name: access_token
|
||
|
resourceRef:
|
||
|
- name: githubTokenCredentialsId
|
||
|
type: secret
|
||
|
- type: vaultSecret
|
||
|
default: github
|
||
|
name: githubVaultSecretName
|
||
|
- name: buildTool
|
||
|
type: string
|
||
|
description: Defines the build tool which is used for building the project.
|
||
|
longDescription: |-
|
||
|
Based on the build tool the step will try to auto build the project. The step will try to auto select
|
||
|
the language and the build command. You can override the language and the build command by specifiying it seperatly.
|
||
|
mandatory: true
|
||
|
scope:
|
||
|
- GENERAL
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
possibleValues:
|
||
|
- custom
|
||
|
- maven
|
||
|
- golang
|
||
|
- npm
|
||
|
- pip
|
||
|
- yarn
|
||
|
default: "maven"
|
||
|
- name: buildCommand
|
||
|
type: string
|
||
|
description: "Command to build the project"
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
- name: language
|
||
|
type: string
|
||
|
description: "The programming language used to analyze."
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
- name: modulePath
|
||
|
type: string
|
||
|
description: "Allows providing the path for the module to scan"
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: "./"
|
||
|
- name: querySuite
|
||
|
type: string
|
||
|
description: "The name of a CodeQL query suite. If omitted, the default query suite for the language of the database being analyzed will be used."
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
- name: uploadResults
|
||
|
type: bool
|
||
|
description: "Allows you to upload codeql SARIF results to your github project. You will need to set githubToken for this."
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: false
|
||
|
- name: analyzedRef
|
||
|
type: string
|
||
|
description: "Name of the ref that was analyzed."
|
||
|
longDescription: |-
|
||
|
If this ref is a pull request merge commit, then use refs/pulls/1234/merge or refs/pulls/1234/head (depending on whether or not this commit corresponds to the HEAD or MERGE commit of the PR).
|
||
|
Otherwise, this should be a branch: refs/heads/branch-name. If omitted, the CLI will attempt to automatically populate this from the current branch of the checkout path, if this exists.
|
||
|
resourceRef:
|
||
|
- name: commonPipelineEnvironment
|
||
|
param: git/ref
|
||
|
- name: repository
|
||
|
aliases:
|
||
|
- name: githubRepo
|
||
|
description: "URL of the GitHub instance"
|
||
|
resourceRef:
|
||
|
- name: commonPipelineEnvironment
|
||
|
param: git/httpsUrl
|
||
|
type: string
|
||
|
- name: commitId
|
||
|
description: "SHA of commit that was analyzed."
|
||
|
resourceRef:
|
||
|
- name: commonPipelineEnvironment
|
||
|
param: git/commitId
|
||
|
type: string
|
||
|
containers:
|
||
|
- image: ""
|
||
|
outputs:
|
||
|
resources:
|
||
|
- name: reports
|
||
|
type: reports
|
||
|
params:
|
||
|
- filePattern: "**/*.csv"
|
||
|
type: codeql
|
||
|
- filePattern: "**/*.sarif"
|
||
|
type: codeql
|