metadata: name: codeqlExecuteScan description: This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws. longDescription: |- This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws. The codeql step triggers a scan locally on your orchestrator (e.g. Jenkins) within a docker container so finally you have to supply a docker image with codeql and Java plus Maven. spec: inputs: secrets: - name: githubTokenCredentialsId description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub. type: jenkins resources: - name: commonPipelineEnvironment resourceSpec: type: piperEnvironment - name: buildDescriptor type: stash - name: tests type: stash params: - name: githubToken description: "GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line" scope: - GENERAL - PARAMETERS - STAGES - STEPS type: string secret: true aliases: - name: access_token resourceRef: - name: githubTokenCredentialsId type: secret - type: vaultSecret default: github name: githubVaultSecretName - name: buildTool type: string description: Defines the build tool which is used for building the project. longDescription: |- Based on the build tool the step will try to auto build the project. The step will try to auto select the language and the build command. You can override the language and the build command by specifiying it seperatly. mandatory: true scope: - GENERAL - PARAMETERS - STAGES - STEPS possibleValues: - custom - maven - golang - npm - pip - yarn default: "maven" - name: buildCommand type: string description: "Command to build the project" scope: - PARAMETERS - STAGES - STEPS - name: language type: string description: "The programming language used to analyze." scope: - PARAMETERS - STAGES - STEPS - name: modulePath type: string description: "Allows providing the path for the module to scan" scope: - PARAMETERS - STAGES - STEPS default: "./" - name: database type: string description: "Path to the CodeQL database to create. This directory will be created, and must not already exist." scope: - PARAMETERS - STAGES - STEPS default: "codeqlDB" - name: querySuite type: string description: "The name of a CodeQL query suite. If omitted, the default query suite for the language of the database being analyzed will be used." scope: - PARAMETERS - STAGES - STEPS - name: uploadResults type: bool description: "Allows you to upload codeql SARIF results to your github project. You will need to set githubToken for this." scope: - PARAMETERS - STAGES - STEPS default: false - name: analyzedRef type: string description: "Name of the ref that was analyzed." longDescription: |- If this ref is a pull request merge commit, then use refs/pulls/1234/merge or refs/pulls/1234/head (depending on whether or not this commit corresponds to the HEAD or MERGE commit of the PR). Otherwise, this should be a branch: refs/heads/branch-name. If omitted, the CLI will attempt to automatically populate this from the current branch of the checkout path, if this exists. resourceRef: - name: commonPipelineEnvironment param: git/ref - name: repository aliases: - name: githubRepo description: "URL of the GitHub instance" resourceRef: - name: commonPipelineEnvironment param: git/httpsUrl type: string - name: commitId description: "SHA of commit that was analyzed." resourceRef: - name: commonPipelineEnvironment param: git/remoteCommitId type: string containers: - image: "" outputs: resources: - name: reports type: reports params: - filePattern: "**/*.csv" type: codeql - filePattern: "**/*.sarif" type: codeql - filePattern: "**/toolrun_codeql_*.json" type: codeql