CodeQL configuration
Published On Dec 12, 2024 - 1:59 PM

Learn how to configure DevOps Intelligence to integrate with CodeQL and broaden the observability of your hybrid IT estate.
CodeQL is an industry-leading semantic code analysis engine that enables the discovery of vulnerabilities across your codebase. Configure DevOps Intelligence to connect to CodeQL and pull security and vulnerability data from the tool. Use the following guide.

Configuring Git

Before configuring DevOps Intelligence for CodeQL, you must first configure your Git applications.
GitHub
  • Name:
    Local account name. It can be any string and is used only for reference.
  • User:
    Username for Git. Generally, the login email ID.
  • Token:
    Personal access token. It can be generated from Settings --> Developer options --> Personal access token. The personal access token requires the following permissions:
    Scope type        | Name                                                                    | Description
    repo              | repo:status, repo_deployment, public_repo, repo:invite, security_events | Full control of private repositories
    write:packages    | read:packages                                                           | Download packages from GitHub Package Registry
    admin:org         | read:org                                                                | Read organization and team membership, read organization projects
    admin:repo_hook   | read:repo_hook                                                          | Read repository hooks
    admin:public_key  | read:public_key                                                         | Read user public keys
    write:discussion  | read:discussion                                                         | Read team discussions
    user              | read:user, user:email, user:follow                                      | Update ALL user data
  • Grant repository permissions: on the GitHub repository main page, navigate to Settings --> Code security and analysis --> Access to alerts, type the user's name in the search field, and select the correct user from the list displayed.
GitHub Enterprise
  • Name:
    Local account name. Any string is valid; it is used only for reference.
  • Host:
    Git API URL of the Git host, for example https://github.abc.net/
  • User:
    Username for Git. Generally the email ID with which the user logged in to Git.
  • Token:
    Personal access token. It can be generated from Settings --> Developer options --> Personal access token. The personal access token requires the following permissions:
    Scope type               | Name                                                   | Description
    repo                     | repo:status, repo_deployment, public_repo, repo:invite | Full control of private repositories
    admin:org                | read:org                                               | Read organization and team membership
    admin:repo_hook          | write:repo_hook, read:repo_hook                        | Full control of repository hooks
    admin:org_hook           | admin:org_hook                                         | Full control of organization hooks
    notifications            | notifications                                          | Access notifications
    write:discussion         | read:discussion                                        | Read team discussions
    admin:pre_received_hook  | admin:pre_received_hook                                | Control enforcement of pre-receive hooks for an organization or repository
  • For both GitHub and GitHub Enterprise you must add a DevOps Intelligence connection. Click Admin --> IAM --> Connections --> Add New, then select Add Connection.
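The two scope tables above are least-privilege requirements, so it is worth checking a token against them before it is pasted into a connection: a token missing a scope fails the sync later with an unhelpful error, and a token carrying extra or broader scopes (admin:org where read:org was asked for) widens the blast radius of a leaked connection secret. The following script is an added example for this page, not code from DevOps Intelligence or from GitHub. It reads the required sets from the two tables, encodes GitHub's documented parent/child hierarchy for classic personal-access-token scopes, and reports missing, surplus and over-broad scopes. The optional live helper assumes GitHub's behaviour of returning the granted scopes of a classic token in the X-OAuth-Scopes response header (and the /api/v3 base path on GitHub Enterprise Server); the demo at the bottom runs entirely offline on a constructed header value. The scope admin:pre_receive_hook is GitHub's spelling of the row the table lists as admin:pre_received_hook.

```python
"""Check a GitHub classic personal access token against the scope tables
for a DevOps Intelligence Git connection (added example, not product code)."""
from __future__ import annotations

import urllib.request
from dataclasses import dataclass, field

# GitHub classic-token hierarchy: a parent scope implies its children.
SCOPE_CHILDREN: dict[str, set[str]] = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "write:packages": {"read:packages"},
    "admin:org": {"write:org"},
    "write:org": {"read:org"},
    "admin:repo_hook": {"write:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "admin:public_key": {"write:public_key"},
    "write:public_key": {"read:public_key"},
    "write:discussion": {"read:discussion"},
    "user": {"read:user", "user:email", "user:follow"},
}

# "Name" column of the GitHub table above.
GITHUB_REQUIRED = {
    "repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events",
    "read:packages", "read:org", "read:repo_hook", "read:public_key", "read:discussion",
    "read:user", "user:email", "user:follow",
}
# "Name" column of the GitHub Enterprise table above (GitHub's spelling of the
# pre-receive hook scope is admin:pre_receive_hook).
GITHUB_ENTERPRISE_REQUIRED = {
    "repo:status", "repo_deployment", "public_repo", "repo:invite",
    "read:org", "write:repo_hook", "read:repo_hook", "admin:org_hook",
    "notifications", "read:discussion", "admin:pre_receive_hook",
}


def parse_scopes(header_value: str) -> set[str]:
    """Split an X-OAuth-Scopes header value such as "repo, read:org" into a set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand(scopes: set[str]) -> set[str]:
    """Close a scope set under the parent -> child relation (transitively)."""
    out: set[str] = set()
    todo = list(scopes)
    while todo:
        s = todo.pop()
        if s not in out:
            out.add(s)
            todo.extend(SCOPE_CHILDREN.get(s, ()))
    return out


def _narrowest(scope: str, needed: set[str]) -> str:
    """Walk down the hierarchy to the narrowest scope that still covers `needed`."""
    for child in sorted(SCOPE_CHILDREN.get(scope, ())):
        if needed <= expand({child}):
            return _narrowest(child, needed)
    return scope


@dataclass
class ScopeReport:
    missing: set[str] = field(default_factory=set)     # required but not granted
    surplus: set[str] = field(default_factory=set)     # granted, covers nothing required
    overbroad: dict[str, str] = field(default_factory=dict)  # granted -> narrower scope that suffices

    def ok(self) -> bool:
        return not (self.missing or self.surplus or self.overbroad)


def check_scopes(header_value: str, required: set[str]) -> ScopeReport:
    """Compare the granted scopes of a classic token with a required set."""
    granted = parse_scopes(header_value)
    report = ScopeReport(missing=set(required) - expand(granted))
    for s in granted:
        covered = expand({s}) & set(required)
        if not covered:
            report.surplus.add(s)
            continue
        narrow = _narrowest(s, covered)
        if narrow != s:
            report.overbroad[s] = narrow
    return report


def fetch_granted_scopes(token: str, api_base: str = "https://api.github.com") -> set[str]:
    """Live check: GitHub reports a classic token's scopes in X-OAuth-Scopes.
    For GitHub Enterprise Server pass api_base="https://HOST/api/v3"."""
    req = urllib.request.Request(
        api_base.rstrip("/") + "/user",
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/vnd.github+json",
                 "User-Agent": "scope-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_scopes(resp.headers.get("X-OAuth-Scopes", ""))


if __name__ == "__main__":
    # Constructed header value standing in for a real X-OAuth-Scopes response.
    sample = "repo, admin:org, admin:repo_hook, admin:org_hook, notifications, read:discussion, admin:pre_receive_hook"
    r = check_scopes(sample, GITHUB_ENTERPRISE_REQUIRED)
    print("missing:", sorted(r.missing))
    print("surplus:", sorted(r.surplus))
    print("over-broad:", r.overbroad)
```

Fine-grained tokens do not return the X-OAuth-Scopes header, so the live helper only applies to the classic tokens the tables describe; for the offline check, paste the header value from any API response made with the token.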
GitLab
  • Name:
    Local connection name. It can be any string and is used only for reference.
  • User:
    Username for Git. Generally the email ID with which the user logged in to Git.
  • Token:
    Personal access token. It is generated from Settings --> Access token. The personal access token requires the API permission.
GitLab Enterprise
  • Name:
    Local connection name. It can be any string and is used only for reference.
  • Host:
    Git API URL of the Git host, for example https://github.abc.net/
  • User:
    Username for Git. Generally the email ID with which the user logged in to Git.
  • ProxyID:
    (Optional) UUID of the Proxy Adapter.
  • Token:
    Personal access token. It is generated from Settings --> Access tokens. The personal access token requires the API permission.
  • For both GitLab and GitLab Enterprise you must add a DevOps Intelligence connection. Click Admin --> IAM --> Connections --> Add New, then select Add Connection.
When syncall is enabled, all the organizations and repositories to which the user has access are synced.

Configuring DevOps Intelligence for Code QL, recent customers

The procedures in this section are valid only for customers onboarded on or after 6 June 2024. Procedures for legacy customers are provided in the subsequent section, Configuring DevOps Intelligence for Code QL, legacy customers.
Use the following procedure to configure DevOps Intelligence for Code QL:
Tools must be configured for a specific application in a specific DevOps phase. In step 2 of the following procedure, you are choosing the application and DevOps phase to associate with Azure Pipeline as part of the configuration procedure.
  1. Click Settings & Utilities --> Application Configuration. You will see a list of existing applications.
  2. Select the existing application for which you want to configure Azure Pipelines or create a new application.
  3. Click the overflow menu (vertical ellipsis) on the Build row for the selected application.
  4. Select Add New Tool Configuration from the overflow menu. The service displays the Add Tool Configuration form.
  5. Select Scan for Secure Categories. The service displays the Tool Engine field.
  6. Select Code QL for Tool Engine. The service displays the release ID fields, which are prepopulated.
  7. Click Submit.

Onboarding the Code QL technical service

After configuring DevOps Intelligence for Code QL, you must onboard Code QL as a technical service. Use the following procedure:
  1. Click the overflow menu for the selected application.
  2. Select Onboard Technical Service. The service displays the Onboard Technical Service form.
  3. Select Static Scan for DevOps Phase. The service displays the Tool Engine field.
  4. Select Code QL for Tool Engine. The service displays the Select Connection field.
  5. Select the appropriate connection. The service displays the Select Organization field.
  6. Select the appropriate organization. The service displays the Select Projects field.
  7. Select the appropriate project. The service displays the Repository Name field.
  8. Select the appropriate repository.
  9. Click Onboard. The service navigates to the Application Configuration page.
  10. You now have the option of clicking the overflow menu for Develop and selecting Edit/Delete Tools Configuration to confirm that DevOps Intelligence has been fully configured for CodeQL.

Deleting Code QL as a technical service

The administrator may, at will, delete the Code QL technical service. Use the following procedure:
  1. Navigate to DevOps Intelligence --> Settings & Utilities --> Application Configuration.
  2. Expand the application to view all associated phases.
  3. Click the overflow menu for Secure.
  4. Click Delete Technical Service.
  5. Click Code QL for Select Tools Configured. The service displays the Select Organization field.
  6. Select the appropriate organization. The service displays the Select Projects field.
  7. Select the appropriate project.
  8. Click Delete.

Configuring DevOps Intelligence for Code QL, legacy customers

The procedures in this section are valid only for customers onboarded before 6 June 2024.
Prerequisite: Before configuring DevOps Intelligence for CodeQL, ensure the proper roles have been assigned. The user must have the view, create, update, and delete roles respectively to view, create, update and delete the BYO template data. These roles are provided by default to the Editor. Only the view role is provided to the Viewer.
To create the configuration, select the Organization name and Repository name from which to fetch the vulnerabilities, and use Additional configurations for customizations. Only organizations and repositories owned by the user are displayed in the dropdown.
If there are no vulnerabilities in any repository, or if code scanning is not configured for that repository, the sync page shows the error "Endpoint data not found".