Cloud Services

DevOps Intelligence

CodeQL configuration
Published On Oct 02, 2024 - 1:07 PM

CodeQL configuration

Learn how to configure DevOps Intelligence to collect data acquired by Code Q, extending the single pane of glass DevOps Intelligence affords in your hybrid IT estate.
CodeQLis an industry-leading  semantic code analysis engine that enables the discovery of vulnerabilities across your codebase. Configure DevOps Intelligence to connect to CodeQL to pull security and vulnerability data from the security the security tool. Use the following guide.

Git Configuration

Before configuring DevOps Intelligence, you must first configure your Git applications.
GitHub
  • Name:
     Local account name. It could be any string and is used only for reference.
  • User:
     Username for Git. Generally, the login email ID.
  • Token:
     Personal access token. Can be generated from the following:settings --> developer options --> personal access token.
  • Add  ProxyID(Optional); use the UUID for Proxy Adapter.  For syncing secure alerts entity, the following permissions are required:
    Scope type
    Name
    Description
    repo
    • repo:status
    • repo_deployment
    • public_repo
    • repo:invite
    • security_events
    Full control of private repositories
    write:packages
    read:packages
    Download packages from GitHub Package Registry
    admin:org
    read:org
    Read organization and team membership, read organization projects
    admin:repo_hook
    read:repo_hook
    Read repository hooks
    admin:public_key
    read:public_key
    Read user public keys
    write discussion
    read:discussion
    Read team discussions
    user
    • read:user
    • user:email
    • user:follow
    Update ALL user data
  • Provide repository permissions by navigating GitHub repository main page --> Settings --> Code security and analysis --> Access to alerts and typing the user's name in the search field, and click the correct user from the display list.
GitHub Enterprise
  • Name:
     Local account name. Any string is valid; only for reference.
  • Host:
     Git API URL of the Git Host. For example, API url such as https://github.abc.net/
  • User:
     Username for GIT. Generally the email ID with which user logged in to Git.
  • Token:
    Personal access token. Can be generated from the following: Settings --> developer options --> personal access token The personal access token requires the following permissions:
    Scope type
    Name
    Description
    repo
    • repo:status
    • repo_deployment
    • public_repo
    • repo:invite
    Full control of private repositories
    admin:org
    read:org
    Read organization and team membership
    admin:repo_hook
    • write: repo_hook
    • read:repo_hook
    Full control of repository hooks
    admin:org_hook
    admin:org_hook
    Full control of organization hooks
    notifications
    notifications
    Access notifications
    write discussion
    read:discussion
    Read team discussions
    admin:pre_received_hook
    admin:pre_received_hook
    Control enforcement of pre-receive hooks for an organization or repository
  • For both GitHub and GitHub Enterprise you must add a DevOps Intelligence connection.  Click Admin --> IAM --> Connections -->
    Add New
     button. Select
    Add Connection
    .
GitLab
  • Name:
     Local connection name. It could be any string and is used only for reference.
  • User:
     Username for GIT. Generally the email ID with which user logged in to GIT.
  • Token:
     Personal access token. Generated using the following: Settings --> access token The personal access token requires the API permissions
GitLab Enterprise
  • Name:
     Local connection name. It could be any string and is used only for reference
  • Host
     Git API URL of the Git Host. For example, API url such as https://github.abc.net/
  • User
     Username for GIT. Generally the email ID with which user logged in to GIT
  • ProxyID:
    (Optional) Use UUID for Proxy Adapter
  • Token:
     Personal access token. Generate from settings --> access tokens The personal access token requires the API permission
  • For both GitLab and GitLab Enterprise you must add a DevOps Intelligence connection.  Click Admin --> IAM --> Connections -->
    Add New
     button. Select
    Add Connection
    .
When the syncall is enabled, all the organization and repositories for which the user has access will be synced.

DevOps Intelligence Configuration

Prerequisite: Before configuring DevOps Intelligence for CodeQL, ensure the proper roles have been assigned. The user must have the
view, create, update,
 and
delete
 roles respectively to view, create, update and delete the byo template data. These roles are provided by default to the Editor. Only viewer role will be provided to the Viewer.
Select the Organization name and Repository name to fetch the vulnerabilities from and Additional configurations for customizations, to create the configuration. Only organizations and repositories owned by user will be displayed in the dropdown.
If there are no vulnerabilities in any repository or if code-scanning is not configured for that repository, then sync page shows error indicating that the "Endpoint data not found".
Do you have two minutes for a quick survey?
Take Survey