sap-jenkins-library/resources/metadata/codeqlExecuteScan.yaml

metadata:
  name: codeqlExecuteScan
  description: This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.
  longDescription: |-
    This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.

    The codeql step triggers a scan locally on your orchestrator (e.g. Jenkins) within a docker container so finally you have to supply a docker image with codeql
    and Java plus Maven.    

spec:
  inputs:
    secrets:
      - name: githubTokenCredentialsId
        description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
        type: jenkins
    resources:
      - name: commonPipelineEnvironment
        resourceSpec:
          type: piperEnvironment
      - name: buildDescriptor
        type: stash
      - name: tests
        type: stash
    params:
      - name: githubToken
        description: "GitHub personal access token as per
          https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        secret: true
        aliases:
          - name: access_token
        resourceRef:
          - name: githubTokenCredentialsId
            type: secret
          - type: vaultSecret
            default: github
            name: githubVaultSecretName
      - name: buildTool
        type: string
        description: Defines the build tool which is used for building the project.
        longDescription: |-
          Based on the build tool the step will try to auto build the project. The step will try to auto select
          the language and the build command. You can override the language and the build command by specifiying it seperatly.          
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        possibleValues:
          - custom
          - maven
          - golang
          - npm
          - pip
          - yarn
        default: "maven"
      - name: buildCommand
        type: string
        description: "Command to build the project"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: language
        type: string
        description: "The programming language used to analyze."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: modulePath
        type: string
        description: "Allows providing the path for the module to scan"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "./"
      - name: database
        type: string
        description: "Path to the CodeQL database to create. This directory will be created, and must not already exist."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "codeqlDB"
      - name: querySuite
        type: string
        description: "The name of a CodeQL query suite. If omitted, the default query suite for the language of the database being analyzed will be used."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: uploadResults
        type: bool
        description: "Allows you to upload codeql SARIF results to your github project. You will need to set githubToken for this."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: threads
        type: string
        description: "Use this many threads for the codeql operations."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "0"
      - name: ram
        type: string
        description: "Use this much ram (MB) for the codeql operations."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: analyzedRef
        type: string
        description: "Name of the ref that was analyzed."
        longDescription: |-
          If this ref is a pull request merge commit, then use refs/pulls/1234/merge or refs/pulls/1234/head (depending on whether or not this commit corresponds to the HEAD or MERGE commit of the PR).
          Otherwise, this should be a branch: refs/heads/branch-name. If omitted, the CLI will attempt to automatically populate this from the current branch of the checkout path, if this exists.          
        resourceRef:
          - name: commonPipelineEnvironment
            param: git/ref
      - name: repository
        aliases:
          - name: githubRepo
        description: "URL of the GitHub instance"
        resourceRef:
          - name: commonPipelineEnvironment
            param: git/httpsUrl
        type: string
      - name: commitId
        description: "SHA of commit that was analyzed."
        resourceRef:
          - name: commonPipelineEnvironment
            param: git/remoteCommitId
        type: string
  containers:
    - image: ""
  outputs:
    resources:
      - name: reports
        type: reports
        params:
          - filePattern: "**/*.csv"
            type: codeql
          - filePattern: "**/*.sarif"
            type: codeql
          - filePattern: "**/toolrun_codeql_*.json"
            type: codeql