Boosting Code Security with GHAS Code Scanning in Azure DevOps & GitHub

[Debjyoti_chrips]

Code scanning, a pipeline-based tool available in GitHub Advanced Security, is designed to detect code vulnerabilities and bugs within the source code of ADO (Azure DevOps) repositories. Utilizing CodeQL as a static analysis tool, it performs query analysis and variant analysis. When vulnerabilities are found, it generates security alerts.



CodeQL



CodeQL is a powerful static analysis tool used for showing vulnerabilities and bugs in source code. It enables developers to write custom queries that analyze codebases, searching for specific patterns and potential security issues. By converting code into a database format, CodeQL allows for sophisticated, database-like queries to detect flaws.

CodeQL in Action​

1. Preparing the Code​

• Create a CodeQL Database: Extract and structure the code into a database for analysis.

2. Running CodeQL Queries​

• Execute Queries: Run predefined or custom queries against the database to find potential issues.

3. Interpreting the Query Results​

• Review Findings: Analyze the results to find, prioritize, and address vulnerabilities and code quality issues.

Reference: - About the CodeQL CLI - GitHub Docs

Sample Code Scanning Azure DevOps Pipeline​

1. Once the GitHub Advanced security is configured for the ADO Repo we can then create and run a dedicated Code scanning pipeline to detect vulnerability & generate query results & alerts.
   
   Below is a generic sample Code scanning pipeline
   
   
2. Prerequisites: -
   
   GitHub Token (GitHub token): Required Pipeline Variable for authenticated operations with GitHub.

CodeQL Results File Path (codeql_results_file): Predefined in the pipeline YAML variable to specify where the analysis results are stored.

SARIF SAST Scans Tab extension: Need to install it from Azure DevOps Marketplace to view query results

# Author: Debjyoti
# This pipeline uses default CodeQL queries for code scanning

trigger: none

pool:
  vmImage: 'windows-latest'

variables:
  codeql_results_file: '$(Build.ArtifactStagingDirectory)/results.sarif'

steps:
- task: AdvancedSecurity-Codeql-Init@1
  displayName: 'Initialize CodeQL'
  inputs:
    languages: 'python'
    loglevel: '2'
  env:
    GITHUB_TOKEN: $(githubtoken)

- task: AdvancedSecurity-Codeql-Autobuild@1
  displayName: 'AutoBuild'

- task: AdvancedSecurity-Codeql-Analyze@1
  displayName: 'Perform CodeQL Analysis'
  inputs:
    outputFile: '$(codeql_results_file)'

- task: PublishBuildArtifacts@1
  displayName: 'Publish CodeQL Results'
  inputs:
    pathToPublish: '$(codeql_results_file)'
    artifactName: 'CodeQLResults'

For further insights and detailed guides, please refer to the following articles:

https://learn.microsoft.com/azure/devops/repos/security/configure-github-advanced-security-features?view=azure-devops&tabs=yaml


https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-code-scanning?view=azure-devops

Default setup of Code Scanning in GitHub Repository​

Requirements for Using Default Setup​

• GitHub Actions: Must be enabled.

Recommendations​

• Enable default setup if there is any chance of including at least one CodeQL-supported language in the future.
• Default setup will not run or use GitHub Actions minutes if no CodeQL-supported languages are present.
• If CodeQL-supported languages are added, default setup will automatically begin scanning and using minutes.

Customizing Default Setup​

• Start with default setup.
• Evaluate code scanning performance.
• Customize if needed to better meet security needs.

Configuring Default Setup for a Repository​

1. Automatic Analysis: All CodeQL-supported languages will be analyzed.
2. Successful Analysis: Languages analyzed successfully will be retained.
3. Unsuccessful Analysis: Languages not analyzed successfully will be deselected.
4. Failure Handling: If all analyses fail, default setup stays enabled but inactive until a supported language is added, or setup is manually reconfigured.

Steps to Enable Default Setup​

1. Navigate to Repository: Go to the main page of the repository.
2. Access Settings:
   • Click on "Settings" under the repository name.
   • If "Settings" is not visible, select the dropdown menu and click "Settings".
3. Security Settings:

In the "Security" section of the sidebar, click "Code security and analysis".
​

4. Setup Code Scanning: In the "Code scanning" section, select "Set up" and click "Default".





Review Configuration:

1. • A dialog will summarize the automatically created code scanning configuration.
   • Optionally, select a query suite in the "Query suites" section.
   • Extended query suite runs additional, lower severity and precision queries.
     
2. Enable CodeQL: Review settings and click "Enable CodeQL" to trigger a workflow.
3. View Configuration: After enablement, view the configuration by selecting the relevant choice.
4. CodeQL Analysis Run: Once CodeQL is set up, it will run on the repository to check for vulnerabilities in the supported language code. You can view more information by clicking on the "View last scan" option.
   
   
   
   

View Security Alerts: It will run its default built-in queries on the repository code for the supported language (in this case, Python) and will generate alerts for any detected vulnerabilities.




Reference Link for more insights -



Configuring default setup for code scanning - GitHub Docs
Python queries for CodeQL analysis - GitHub Docs



Benefits of Running Code QL for Developers









Responsibilities and Burdens

• Initial Setup and Learning Curve: Requires time to set up and learn how to use effectively.
• Maintenance of Queries: Custom queries may need updates as the codebase evolves.
• False Positives: May generate false positives that need to be reviewed and addressed.
• Integration Effort: Integrating Code QL into existing CI/CD pipelines can require significant effort.

Continue reading...