CodeQL configuration
configuring git codeqlis an industry leading semantic code analysis engine that enables the discovery of vulnerabilities across your codebase configure to connect to codeql to pull security and vulnerability data from the security the security tool use the following guide before configuring for code ql, you must first configure your git applica tions github name local account name it could be any string and is used only for reference user username for git generally, the login email id token personal access token can be generated from the following\ settings > developer options > personal access token scope type name description repo repo\ status repo deployment public repo repo\ invite security events full control of private repositories write\ packages read\ packages download packages from github package registry admin\ org read\ org read organization and team membership, read organization projects admin\ repo hook read\ repo hook read repository hooks admin\ public key read\ public key read user public keys write discussion read\ discussion read team discussions user read\ user user\ email user\ follow update all user data provide repository permissions by navigating github repository main page > settings > code security and analysis > access to alerts and typing the user's name in the search field, and click the correct user from the display list github enterprise name local account name any string is valid; only for reference host git api url of the git host for example, api url such as https //github abc net/ user username for git generally the email id with which user logged in to git token personal access token can be generated from the following settings > developer options > personal access token the personal access token requires the following permissions scope type name description repo repo\ status repo deployment public repo repo\ invite full control of private repositories admin\ org read\ org read organization and team membership admin\ repo hook write repo hook read\ repo hook full control of repository hooks admin\ org hook admin\ org hook full control of organization hooks notifications notifications access notifications write discussion read\ discussion read team discussions admin\ pre received hook admin\ pre received hook control enforcement of pre receive hooks for an organization or repository for both github and github enterprise you must add a connection click admin > iam > connections > add new button select add connection gitlab name local connection name it could be any string and is used only for reference user username for git generally the email id with which user logged in to git token personal access token generated using the following settings > access token the personal access token requires the api permissions gitlab enterprise name local connection name it could be any string and is used only for reference host git api url of the git host for example, api url such as https //github abc net/ user username for git generally the email id with which user logged in to git proxyid (optional) use uuid for proxy adapter token personal access token generate from settings > access tokens the personal access token requires the api permission for both gitlab and gitlab enterprise you must add a devops intelligence connection click admin > iam > connections > add new button select add connection when the syncall is enabled, all the organization and repositories for which the user has access will be synced configuring for code ql, recent customers the procedures in this section are valid only for customers onboarded 6 june 2024 or after procedures for legacy customers are provided in the subsequent section configuring for code ql, legacy customers use the following procedure to configure the for code ql tools must be configured for a specific application in a specific devops phase in step 2 of the following procedure, you are choosing the application and devops phase to associate with azure pipeline as part of the configuration procedure click settings & utilities → application configuration you will see a list of existing applications select the existing application for which you want to configure azure pipelines or create a new application click the overflow menu (vertical ellipsis) on the build row for the selected application select add new tool configuration from the overflow menu the service displays the add tool configuration form select scan for secure categories the service displays the tool engine field select code ql for tool engine the service displays the release id fields, which are prepopulated click submit onboarding the code ql technical service after configuring for code ql, you must onboard code ql as a technical service use the following procedure click the overflow menu for the selected application select onboard technical service the service displays the onboard technical service form select static scan for devops phase the service displays the tool engine field select code ql for tool engine the service displays the select connection field select the appropriate connection the service displays the select organization field select the appropriate organization the service displays the select projects field select the appropriate project the service displays the repository name field select the appropriate repository click onboard the service navigates to the application configuration page you now have the option of clicking the overflow menu for develop and selecting edit/delete tools configuration to confirm that has been fully configured for codeql deleting code ql as a technical service the administrator may, at will, delete the code ql technical service use the following procedure navigate to → settings & utilities → application configuration expand the application to view all associated phases click the overflow menu for secure click delete technical service click code ql for select tools configured the service displays the select organization field select the appropriate organization the service displays the select projects field select the appropriate project click delete configuring for code ql, legacy customers the procedures in this section are valid only for customers onboarded before 6 june 2024 prerequisite before configuring for codeql, ensure the proper roles have been assigned the user must have the view, create, update, and delete roles respectively to view, create, update and delete the byo template data these roles are provided by default to the editor only viewer role will be provided to the viewer select the organization name and repository name to fetch the vulnerabilities from and additional configurations for customizations, to create the configuration only organizations and repositories owned by user will be displayed in the dropdown if there are no vulnerabilities in any repository or if code scanning is not configured for that repository, then sync page shows error indicating that the "endpoint data not found"