DevOps Intelligence supports the CodeQL tool. This page describes the configuration requirements for this security tool.
CodeQL is an industry-leading semantic code analysis engine that enables the discovery of vulnerabilities across your codebase. Configure DevOps Intelligence to connect to CodeQL so that it can pull security and vulnerability data from the security tool. Use the following guide.
Git Configuration
Before configuring DevOps Intelligence, you must first configure your Git applications.
GitHub
Name: Local account name. It can be any string and is used only for reference.
User: Username for Git. Generally, the login email ID.
Token: Personal access token. It can be generated from Settings --> Developer options --> Personal access token. The personal access token requires the following permissions:
[Figure: User token permissions]
ProxyID: (Optional) Use the UUID of the Proxy Adapter.
To sync the secure alerts entity, the following permissions are required:
[Figure: Sync secure alerts permissions]
Grant repository permissions by navigating to the GitHub repository main page --> Settings --> Code security and analysis --> Access to alerts, typing the user's name in the search field, and clicking the correct user in the list:
[Figure: Repository permissions]
GitHub Enterprise
Name: Local account name. Any string is valid; it is used only for reference.
Host: API URL of the Git host, for example https://github.abc.net/
User: Username for Git. Generally the email ID with which the user logged in to Git.
Token: Personal access token. It can be generated from Settings --> Developer options --> Personal access token. The personal access token requires the following permissions:
[Figure: Personal token permissions]
For both GitHub and GitHub Enterprise you must add a DevOps Intelligence connection. Click Admin --> IAM --> Connections --> Add New, then select Add Connection.
GitLab
Name: Local connection name. It can be any string and is used only for reference.
User: Username for Git. Generally the email ID with which the user logged in to Git.
Token: Personal access token. It is generated from Settings --> Access token. The personal access token requires the following permissions:
[Figure: GitLab token scopes]
GitLab Enterprise
Name: Local connection name. It can be any string and is used only for reference.
Host: API URL of the Git host, for example https://github.abc.net/
User: Username for Git. Generally the email ID with which the user logged in to Git.
ProxyID: (Optional) Use the UUID of the Proxy Adapter.
Token: Personal access token. Generate it from Settings --> Access tokens. The personal access token requires the following permissions:
[Figure: GitLab Enterprise token scopes]
For both GitLab and GitLab Enterprise you must add a DevOps Intelligence connection. Click Admin --> IAM --> Connections --> Add New, then select Add Connection.
When syncall is enabled, all organizations and repositories the user has access to are synced:
[Figure: Repositories synced]
DevOps Intelligence Configuration
Prerequisite: Before configuring DevOps Intelligence for CodeQL, ensure the proper roles have been assigned. The user must have the view, create, update, and delete roles, respectively, to view, create, update, and delete the BYO template data. These roles are provided by default to the Editor. The Viewer is provided only the view role.
Select the Organization name and Repository name to fetch the vulnerabilities from, and any Additional configurations for customizations, to create the configuration. Only organizations and repositories owned by the user are displayed in the dropdown.
When the configuration is successful, it is visible in the table on the configuration page.
If there are no vulnerabilities in any repository, or if code scanning is not configured for that repository, the sync page shows the error "Endpoint data not found".
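The following preflight script is an added example, not part of the DevOps Intelligence documentation or product: it calls the GitHub code-scanning alerts endpoint with the personal access token created above and maps the response to the outcome the sync will see, so that an "Endpoint data not found" result can be traced to an empty alert list, a repository without code scanning, or a rejected token before the connection is configured. It assumes the GitHub.com API base (GitHub Enterprise Server is assumed to expose the API under https://<host>/api/v3) and that the token is passed in the GH_TOKEN environment variable.

```python
# Preflight check for a CodeQL code-scanning source before adding it to
# DevOps Intelligence. Added example, not part of the product documentation.
# Assumptions: GitHub.com API base (GitHub Enterprise Server is assumed to
# use https://<host>/api/v3); the token is the PAT created as described above.
import json
import os
import sys
import urllib.error
import urllib.request

DEFAULT_API = "https://api.github.com"


def alerts_url(owner, repo, api_base=DEFAULT_API):
    """Build the code-scanning alerts endpoint for one repository."""
    base = api_base.rstrip("/")
    return f"{base}/repos/{owner}/{repo}/code-scanning/alerts?state=open&per_page=1"


def classify(status, body):
    """Map the API response to what the DevOps Intelligence sync will see.

    'ok'               -> open alerts exist, the sync has data to pull
    'no-alerts'        -> scanning runs but found nothing; the docs note this
                          shows up as "Endpoint data not found"
    'no-code-scanning' -> repo not visible to the token or scanning not enabled
    'auth'             -> token rejected outright
    """
    if status == 200:
        return "ok" if json.loads(body or "[]") else "no-alerts"
    if status == 401:
        return "auth"
    if status in (403, 404):
        return "no-code-scanning"
    return f"unexpected-{status}"


def check_repo(owner, repo, token, api_base=DEFAULT_API):
    """Query GitHub with the PAT and classify the outcome (network call)."""
    req = urllib.request.Request(
        alerts_url(owner, repo, api_base),
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode())


if __name__ == "__main__":
    # Usage: GH_TOKEN=... python preflight.py <owner> <repo> [api_base]
    print(check_repo(sys.argv[1], sys.argv[2], os.environ["GH_TOKEN"],
                     *sys.argv[3:4]))
```

Run it once per organization and repository you intend to select in the configuration; anything other than "ok" predicts the sync error rather than a DevOps Intelligence misconfiguration.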