Azure DevOps ReposでAdvanced Securityを有効にしてcodeScanする

目的

GitHubにはGitHub Advanced Securityがあるが、そのAzureDevOps版を利用して、コードスキャンを実行する

Advanced Securityの有効化の手順

参考:
https://learn.microsoft.com/ja-jp/azure/devops/repos/security/configure-github-advanced-security-features?view=azure-devops&tabs=yaml

• ReposのAdvanced Securityを選択する

• 有効化されていないと以下の画面になるので「Enable in settings」を押下

• Project SettingsのRepositoriesの設定に飛ばされるので、Advanced SecurityトグルをONにする
  

• unique committer人数に対しての課金になるので問題なければ「Begin billing」を押下
  

  • 課金：https://learn.microsoft.com/ja-jp/azure/devops/repos/security/github-advanced-security-billing?view=azure-devops

• 有効化され、オプションでpush時のsecrets検査も可能になる

コードスキャン方法

参考：https://learn.microsoft.com/ja-jp/azure/devops/repos/security/github-advanced-security-code-scanning?view=azure-devops

• pipelinesにscan用を作成して実行する

trigger:
  - main

pool:
  # Additional hosted image options are available: https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/hosted#software
  vmImage: ubuntu-latest

steps:

  - task: AdvancedSecurity-Codeql-Init@1
    inputs:
      enableAutomaticCodeQLInstall: true
      languages: 'javascript'

#   Add your custom build steps here
# - Ensure that all code to be scanned is compiled (often using a `clean` command to ensure you're building from a clean state).
# - Disable the use of any build caching mechanisms as this can interfere with CodeQL's ability to capture all the necessary data during the build.
# - Disable the use of any distributed/multithreaded/incremental builds as CodeQL needs to monitor executions of the compiler to construct an accurate representation of the application.
# - For dependency scanning, ensure you have a package restore step for more accurate results.

# If you had a Maven app:
#   - task: Maven@4
#     inputs:
#       mavenPomFile: 'pom.xml'
#       goals: 'clean package'
#       publishJUnitResults: true
#       testResultsFiles: '**/TEST-*.xml'
#       javaHomeOption: 'JDKVersion'
#       jdkVersionOption: '1.17'
#       mavenVersionOption: 'Default'

# Or a general script:
#   - script: |
#       echo "Run, Build Application using script"
#       ./location_of_script_within_repo/buildscript.sh

  - task: AdvancedSecurity-Dependency-Scanning@1 # More details on this task: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/advanced-security-dependency-scanning-v1?view=azure-pipelines

  - task: AdvancedSecurity-Codeql-Analyze@1 # More details on this task: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/advanced-security-codeql-analyze-v1?view=azure-pipelines

コードスキャン結果の参照

codeScanのpipeline実行後に結果をCode scanningタブで参照できる