1
0
mirror of https://github.com/SAP/jenkins-library.git synced 2024-12-14 11:03:09 +02:00
sap-jenkins-library/resources/metadata/codeqlExecuteScan.yaml
2022-07-20 10:07:57 +02:00

134 lines
4.6 KiB
YAML

metadata:
name: codeqlExecuteScan
description: This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.
longDescription: |-
This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.
The codeql step triggers a scan locally on your orchestrator (e.g. Jenkins) within a docker container so finally you have to supply a docker image with codeql
and Java plus Maven.
spec:
inputs:
secrets:
- name: githubTokenCredentialsId
description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
type: jenkins
params:
- name: githubToken
description: "GitHub personal access token as per
https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line"
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
type: string
secret: true
aliases:
- name: access_token
resourceRef:
- name: githubTokenCredentialsId
type: secret
- type: vaultSecret
default: github
name: githubVaultSecretName
- name: buildTool
type: string
description: Defines the build tool which is used for building the project.
longDescription: |-
Based on the build tool the step will try to auto build the project. The step will try to auto select
the language and the build command. You can override the language and the build command by specifiying it seperatly.
mandatory: true
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
possibleValues:
- custom
- maven
- golang
- npm
- pip
- yarn
default: "maven"
- name: buildCommand
type: string
description: "Command to build the project"
scope:
- PARAMETERS
- STAGES
- STEPS
- name: language
type: string
description: "The programming language used to analyze."
scope:
- PARAMETERS
- STAGES
- STEPS
- name: modulePath
type: string
description: "Allows providing the path for the module to scan"
scope:
- PARAMETERS
- STAGES
- STEPS
default: "./"
- name: database
type: string
description: "Path to the CodeQL database to create. This directory will be created, and must not already exist."
scope:
- PARAMETERS
- STAGES
- STEPS
default: "codeqlDB"
- name: querySuite
type: string
description: "The name of a CodeQL query suite. If omitted, the default query suite for the language of the database being analyzed will be used."
scope:
- PARAMETERS
- STAGES
- STEPS
- name: uploadResults
type: bool
description: "Allows you to upload codeql SARIF results to your github project. You will need to set githubToken for this."
scope:
- PARAMETERS
- STAGES
- STEPS
default: false
- name: analyzedRef
type: string
description: "Name of the ref that was analyzed."
longDescription: |-
If this ref is a pull request merge commit, then use refs/pulls/1234/merge or refs/pulls/1234/head (depending on whether or not this commit corresponds to the HEAD or MERGE commit of the PR).
Otherwise, this should be a branch: refs/heads/branch-name. If omitted, the CLI will attempt to automatically populate this from the current branch of the checkout path, if this exists.
resourceRef:
- name: commonPipelineEnvironment
param: git/ref
- name: repository
aliases:
- name: githubRepo
description: "URL of the GitHub instance"
resourceRef:
- name: commonPipelineEnvironment
param: git/httpsUrl
type: string
- name: commitId
description: "SHA of commit that was analyzed."
resourceRef:
- name: commonPipelineEnvironment
param: git/remoteCommitId
type: string
containers:
- image: ""
outputs:
resources:
- name: reports
type: reports
params:
- filePattern: "**/*.csv"
type: codeql
- filePattern: "**/*.sarif"
type: codeql