CodeQL configuration
Published On Jul 23, 2024 - 8:47 AM


DevOps Intelligence supports the CodeQL tool. This page describes the configuration requirements for this security tool.
CodeQL is an industry-leading semantic code analysis engine that enables the discovery of vulnerabilities across your codebase. Configure DevOps Intelligence to connect to CodeQL and pull security and vulnerability data from the security tool, using the following guide.

Git Configuration

Before configuring DevOps Intelligence, you must first configure your Git applications.
GitHub
  • Name:
    Local account name. It can be any string and is used only for reference.
  • User:
    Username for Git. Generally the login email ID.
  • Token:
    Personal access token. It can be generated from Settings --> Developer options --> Personal access token. The personal access token requires the following permissions:
    [Image: User token]
  • ProxyID (Optional):
    Use the UUID of the Proxy Adapter. For syncing the secure alerts entity, the following permissions are required:
    [Image: Sync secure alerts]
  • Provide repository permissions by navigating to the GitHub repository main page --> Settings --> Code security and analysis --> Access to alerts, typing the user's name in the search field, and clicking the correct user in the displayed list:
    [Image: Repository permissions]
GitHub Enterprise
  • Name:
    Local account name. Any string is valid; it is used only for reference.
  • Host:
    Git API URL of the Git host, for example https://github.abc.net/
  • User:
    Username for Git. Generally the email ID with which the user logged in to Git.
  • Token:
    Personal access token. It can be generated from Settings --> Developer options --> Personal access token. The personal access token requires the following permissions:
    [Image: Personal token]
  • For both GitHub and GitHub Enterprise you must add a DevOps Intelligence connection. Click Admin --> IAM --> Connections --> Add New, then select Add Connection.
GitLab
  • Name:
    Local connection name. It can be any string and is used only for reference.
  • User:
    Username for Git. Generally the email ID with which the user logged in to Git.
  • Token:
    Personal access token. It is generated from Settings --> Access token. The personal access token requires the following permissions:
    [Image: GitLab token scopes]
GitLab Enterprise
  • Name:
    Local connection name. It can be any string and is used only for reference.
  • Host:
    Git API URL of the Git host, for example https://github.abc.net/
  • User:
    Username for Git. Generally the email ID with which the user logged in to Git.
  • ProxyID (Optional):
    Use the UUID of the Proxy Adapter.
  • Token:
    Personal access token. It is generated from Settings --> Access tokens. The personal access token requires the following permissions:
    [Image: GitLab Enterprise token scopes]
  • For both GitLab and GitLab Enterprise you must add a DevOps Intelligence connection. Click Admin --> IAM --> Connections --> Add New, then select Add Connection.
When syncall is enabled, all the organizations and repositories to which the user has access are synced:
[Image: Repository synced]

DevOps Intelligence Configuration

Prerequisite: Before configuring DevOps Intelligence for CodeQL, ensure the proper roles have been assigned. The user must have the view, create, update, and delete roles, respectively, to view, create, update, and delete the BYO template data. These roles are provided by default to the Editor. The Viewer is provided only the view role.
To create the configuration, select the Organization name and Repository name to fetch the vulnerabilities from, and any Additional configurations for customization. Only organizations and repositories owned by the user are displayed in the dropdown.
When the configuration succeeds, it is visible in the table on the configuration page.
If there are no vulnerabilities in any repository, or if code scanning is not configured for that repository, the sync page shows the error "Endpoint data not found".
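Before entering a personal access token into DevOps Intelligence, it helps to confirm from the command line that the token can actually reach the repository's code-scanning alerts, and to tell a permissions problem apart from the "no data" case described above. The script below is an added example and is not part of DevOps Intelligence or its documentation. It calls GitHub's REST endpoint GET /repos/{owner}/{repo}/code-scanning/alerts (the same data a sync pulls) and classifies the response; the owner/repository names, the GITHUB_TOKEN and GITHUB_API environment variables, and the sample responses in SAMPLE_RESPONSES are all placeholders constructed for the example.

```python
"""Pre-flight check for a GitHub personal access token before it is used as
the Token field of a DevOps Intelligence Git connection.

Added example, not product code. Outcomes returned by classify_alerts_response:
  ok              200 with at least one alert
  no_alerts       200 with an empty list (sync will report no data)
  not_configured  404: repository unknown or code scanning never ran
  forbidden       403: token lacks the alerts scope / security features disabled
  bad_token       401: authentication failed
  unexpected      anything else
"""
import json
import os
import sys
import urllib.error
import urllib.request

# Constructed sample responses (status, body) for offline demonstration.
SAMPLE_RESPONSES = {
    "repo-with-findings": (200, b'[{"number": 7, "state": "open"}]'),
    "repo-clean": (200, b"[]"),
    "repo-no-scanning": (404, b'{"message": "no analysis found"}'),
    "token-missing-scope": (403, b'{"message": "Resource not accessible by personal access token"}'),
    "token-revoked": (401, b'{"message": "Bad credentials"}'),
    "proxy-error": (502, b"<html>Bad Gateway</html>"),
}


def classify_alerts_response(status: int, body: bytes) -> tuple:
    """Map an HTTP status and JSON body from the alerts endpoint to (outcome, detail)."""
    try:
        data = json.loads(body.decode("utf-8")) if body else None
    except ValueError:
        return "unexpected", f"HTTP {status} with non-JSON body"

    if status == 200:
        if isinstance(data, list) and data:
            return "ok", f"{len(data)} alert(s) visible to this token"
        return "no_alerts", "repository reachable but no alerts; sync will report no data"

    message = data.get("message", "") if isinstance(data, dict) else ""
    if status == 401:
        return "bad_token", message or "authentication failed"
    if status == 403:
        return "forbidden", message or "token lacks scope or security features are disabled"
    if status == 404:
        # GitHub answers 404 both for repositories the token cannot see and
        # for repositories that have no code-scanning analyses.
        return "not_configured", message or "no code-scanning analysis found"
    return "unexpected", f"HTTP {status}: {message}"


def fetch_alerts(host: str, owner: str, repo: str, token: str) -> tuple:
    """Perform the live request. host is the API base: https://api.github.com for
    github.com, or the enterprise API URL entered in the Host field."""
    url = f"{host.rstrip('/')}/repos/{owner}/{repo}/code-scanning/alerts?per_page=1"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def demo() -> dict:
    """Classify the constructed samples; returns {label: outcome}."""
    return {label: classify_alerts_response(status, body)[0]
            for label, (status, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:22s} -> {outcome}")
    token = os.environ.get("GITHUB_TOKEN")            # placeholder variable name
    if token and len(sys.argv) == 3:                   # usage: script.py OWNER REPO
        host = os.environ.get("GITHUB_API", "https://api.github.com")
        outcome, detail = classify_alerts_response(*fetch_alerts(host, sys.argv[1], sys.argv[2], token))
        print(f"live check: {outcome}: {detail}")
```

Run it with no arguments to see the constructed samples classified; set GITHUB_TOKEN (and GITHUB_API for GitHub Enterprise) and pass an owner and repository to check a real token. A "forbidden" or "bad_token" result means the token or the repository's access-to-alerts setting needs fixing before the connection is created; "not_configured" or "no_alerts" means the connection will work but the sync will report "Endpoint data not found" until code scanning has produced results.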