目的
GitHubにはGitHub Advanced Securityがあるが、そのAzureDevOps版を利用して、コードスキャンを実行する
Advanced Securityの有効化の手順
- ReposのAdvanced Securityを選択する
- 有効化されていないと以下の画面になるので「Enable in settings」を押下
-
Project SettingsのRepositoriesの設定に飛ばされるので、Advanced SecurityトグルをONにする
-
有効化され、オプションでpush時のsecrets検査も可能になる
コードスキャン方法
- pipelinesにscan用を作成して実行する
trigger:
- main
pool:
# Additional hosted image options are available: https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/hosted#software
vmImage: ubuntu-latest
steps:
- task: AdvancedSecurity-Codeql-Init@1
inputs:
enableAutomaticCodeQLInstall: true
languages: 'javascript'
# Add your custom build steps here
# - Ensure that all code to be scanned is compiled (often using a `clean` command to ensure you're building from a clean state).
# - Disable the use of any build caching mechanisms as this can interfere with CodeQL's ability to capture all the necessary data during the build.
# - Disable the use of any distributed/multithreaded/incremental builds as CodeQL needs to monitor executions of the compiler to construct an accurate representation of the application.
# - For dependency scanning, ensure you have a package restore step for more accurate results.
# If you had a Maven app:
# - task: Maven@4
# inputs:
# mavenPomFile: 'pom.xml'
# goals: 'clean package'
# publishJUnitResults: true
# testResultsFiles: '**/TEST-*.xml'
# javaHomeOption: 'JDKVersion'
# jdkVersionOption: '1.17'
# mavenVersionOption: 'Default'
# Or a general script:
# - script: |
# echo "Run, Build Application using script"
# ./location_of_script_within_repo/buildscript.sh
- task: AdvancedSecurity-Dependency-Scanning@1 # More details on this task: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/advanced-security-dependency-scanning-v1?view=azure-pipelines
- task: AdvancedSecurity-Codeql-Analyze@1 # More details on this task: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/advanced-security-codeql-analyze-v1?view=azure-pipelines
コードスキャン結果の参照
codeScanのpipeline実行後に結果をCode scanningタブで参照できる