mirror of
https://github.com/SAP/jenkins-library.git
synced 2024-12-14 11:03:09 +02:00
226 lines
7.9 KiB
YAML
226 lines
7.9 KiB
YAML
metadata:
|
|
name: codeqlExecuteScan
|
|
description: This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.
|
|
longDescription: |-
|
|
This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.
|
|
|
|
The codeql step triggers a scan locally on your orchestrator (e.g. Jenkins) within a docker container so finally you have to supply a docker image with codeql
|
|
and Java plus Maven.
|
|
|
|
spec:
|
|
inputs:
|
|
secrets:
|
|
- name: githubTokenCredentialsId
|
|
description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
|
|
type: jenkins
|
|
resources:
|
|
- name: commonPipelineEnvironment
|
|
resourceSpec:
|
|
type: piperEnvironment
|
|
- name: buildDescriptor
|
|
type: stash
|
|
- name: tests
|
|
type: stash
|
|
params:
|
|
- name: githubToken
|
|
description: "GitHub personal access token in plain text. NEVER set this parameter in a file commited to a source code repository. This parameter is intended to be used from the command line or set securely via the environment variable listed below. In most pipeline use-cases, you should instead either store the token in Vault (where it can be automatically retrieved by the step from one of the paths listed below) or store it as a Jenkins secret and configure the secret's id via the `githubTokenCredentialsId` parameter."
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
type: string
|
|
secret: true
|
|
aliases:
|
|
- name: access_token
|
|
resourceRef:
|
|
- name: githubTokenCredentialsId
|
|
type: secret
|
|
- type: vaultSecret
|
|
default: github
|
|
name: githubVaultSecretName
|
|
- name: buildTool
|
|
type: string
|
|
description: Defines the build tool which is used for building the project.
|
|
longDescription: |-
|
|
Based on the build tool the step will try to auto build the project. The step will try to auto select
|
|
the language and the build command. You can override the language and the build command by specifiying it seperatly.
|
|
mandatory: true
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
possibleValues:
|
|
- custom
|
|
- maven
|
|
- golang
|
|
- npm
|
|
- pip
|
|
- yarn
|
|
default: "maven"
|
|
- name: buildCommand
|
|
type: string
|
|
description: "Command to build the project"
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
- name: language
|
|
type: string
|
|
description: "The programming language used to analyze."
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
- name: modulePath
|
|
type: string
|
|
description: "Allows providing the path for the module to scan"
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: "./"
|
|
- name: database
|
|
type: string
|
|
description: "Path to the CodeQL database to create. This directory will be created, and must not already exist."
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: "codeqlDB"
|
|
- name: querySuite
|
|
type: string
|
|
description: "The name of a CodeQL query suite. If omitted, the default query suite for the language of the database being analyzed will be used."
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
- name: uploadResults
|
|
type: bool
|
|
description: "Allows you to upload codeql SARIF results to your github project. You will need to set githubToken for this."
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: false
|
|
- name: sarifCheckMaxRetries
|
|
type: int
|
|
description: "Maximum number of retries when waiting for the server to finish processing the SARIF upload."
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: 10
|
|
- name: sarifCheckRetryInterval
|
|
type: int
|
|
description: "Interval in seconds between retries when waiting for the server to finish processing the SARIF upload."
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: 30
|
|
- name: targetGithubRepoURL
|
|
type: string
|
|
descriptoin: "Target github repo url. Only relevant, if project uses a combination of Piper and non-GitHub SCM."
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
- name: targetGithubBranchName
|
|
type: string
|
|
descriptoin: "Target github branch name. Only relevant, if project uses a combination of Piper and non-GitHub SCM."
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
- name: threads
|
|
type: string
|
|
description: "Use this many threads for the codeql operations."
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: "0"
|
|
- name: ram
|
|
type: string
|
|
description: "Use this much ram (MB) for the codeql operations."
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
- name: analyzedRef
|
|
type: string
|
|
description: "Name of the ref that was analyzed."
|
|
longDescription: |-
|
|
If this ref is a pull request merge commit, then use refs/pulls/1234/merge or refs/pulls/1234/head (depending on whether or not this commit corresponds to the HEAD or MERGE commit of the PR).
|
|
Otherwise, this should be a branch: refs/heads/branch-name. If omitted, the CLI will attempt to automatically populate this from the current branch of the checkout path, if this exists.
|
|
resourceRef:
|
|
- name: commonPipelineEnvironment
|
|
param: git/ref
|
|
- name: repository
|
|
aliases:
|
|
- name: githubRepo
|
|
description: "URL of the GitHub instance"
|
|
resourceRef:
|
|
- name: commonPipelineEnvironment
|
|
param: git/httpsUrl
|
|
type: string
|
|
- name: commitId
|
|
description: "SHA of commit that was analyzed."
|
|
resourceRef:
|
|
- name: commonPipelineEnvironment
|
|
param: git/remoteCommitId
|
|
type: string
|
|
- name: vulnerabilityThresholdTotal
|
|
description: "Threashold for maximum number of allowed vulnerabilities."
|
|
type: int
|
|
default: 0
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
- name: checkForCompliance
|
|
description: "If set to true, the piper step checks for compliance based on vulnerability threadholds. Example - If total vulnerabilites are 10 and vulnerabilityThresholdTotal is set as 0, then the steps throws an compliance error."
|
|
type: bool
|
|
default: false
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
- name: projectSettingsFile
|
|
type: string
|
|
description: Path to the mvn settings file that should be used as project settings file.
|
|
scope:
|
|
- GENERAL
|
|
- STEPS
|
|
- STAGES
|
|
- PARAMETERS
|
|
aliases:
|
|
- name: maven/projectSettingsFile
|
|
- name: globalSettingsFile
|
|
type: string
|
|
description: Path to the mvn settings file that should be used as global settings file.
|
|
scope:
|
|
- GENERAL
|
|
- STEPS
|
|
- STAGES
|
|
- PARAMETERS
|
|
aliases:
|
|
- name: maven/globalSettingsFile
|
|
containers:
|
|
- image: ""
|
|
outputs:
|
|
resources:
|
|
- name: reports
|
|
type: reports
|
|
params:
|
|
- filePattern: "**/*.csv"
|
|
type: codeql
|
|
- filePattern: "**/*.sarif"
|
|
type: codeql
|
|
- filePattern: "**/toolrun_codeql_*.json"
|
|
type: codeql
|
|
- filePattern: "**/piper_codeql_report.json"
|
|
type: codeql
|