GitHub Advanced Security from Azure DevOps? github ‘security “azuredevops ‘/codeq| GitHub Advanced Security now supports the ability to analyze your code for vulnerabilities from third-party Cl pipelines, while previously, instead, this capability was available exclusively with GitHub Actions. In this post (and video) | will show you how to use Code Scanning to scan a GitHub Repository from an Azure DevOps pipeline using the YAML editor. Intro Alright, as I've mentioned before, rather than leveraging the native GitHub Actions workflow with the standard "Set Up Workflow” experience, today we are going to use an Azure DevOps Pipeline to scan the Code we have in our GitHub repo. Let's take a look at the steps we would need to perform to integrate GitHub Advanced Security for Code Scanning with Azure DevOps: INTEGRATION STEPS 1. DOWNLOAD THE LATEST CODEGL DEPENDENCIES ON YOUR AGENT, 2, GIVE CODEQL ACCESS 70 YOUR REPOSITORY. 3, _ INITIALIZE THE CODEQL EXECUTABLE AND CREATE A GUERYABLE DB. 4, SCAN YOUR APPLICATION. 5. UPLOAD RESULTS TO GITHUB. 6. REVIEW YOUR RESULTS, 7. CUSTOMIZE YOUR SCAN FURTHER Since the Azure Pipelines Agent | am using is ephemeral, because I'm using the Hosted Agents, Ill have to install the CodeQL package on each pipeline execution. If you are using a self-hosted agent instead consider pre-installing the package to save time and compute resources. Video As usual, if you are a visual learner, or simply prefer to watch and listen instead of reading, here you have the video with the whole explanation and demo, which to be fair is much more complete than this post.Link to the video: https://youtu.be/ZgR90vWpBOw) If you rather prefer reading, well... let's just continue :) Download CodeQL First thing we have to do, as we have seen in the list of steps, is to Download the latest CodeQL dependencies on my agent. script: | wget https://github.com/github/codeq|-action/releases/latest/download/codeql-runner-linux chmod +x codeql-runner-linux displayName: ‘Get latest CodeQL package. Install on Agent.’ Since this Pipeline runs on Linux, using wget and targeting the latest Linux release | can download all necessary files to my directory. | also change permissions for the downloaded file before | run it Authorizing CodeQL Next, we need to give that pipeline full access to our repo. To do so, we need to create a GitHub Personal Access Token. (see how) For private repositories the token must have the whole repo scope. For public repos, instead, the token needs only the publicrepo and repo'security events scopes. Then we need to save the PAT as a variable in the Pipeline. Remember to set it as a secret. For security sake, I'd recommend you using Azure KeyVault, save the PAT there and reference it into Auure Pipelines. Now that we have the GitHub Personal Access Token saved in Azure Pipelines, we can initialize CodeQl. Initialize CodeQL Let's initialize the CodeQL Executable and create a CodeQL database for the language detected. Once again we need to add a script step to our workflow: script: | Jcodeql-runner-linux init \ --repository YOUR_REPO_NAME \ jithub-url https://github.com \ ithub-auth $GITHUB_PAT\, config-file .github/codeql/codeq|-config.yml displayName: ‘Initialize CodeQL Executable and create a CodeQL database’ Replace the YOUR REPO_NAME placeholder with the whole name of the repo you want to scan, for example "n3wtOn/myrepo" Also, the $GITHUB_PAT is the name of the variable where I've saved the PAT. If you want to analyze a compiled language like Net, Java and so on, remember to execute the build AFTER the CodeQL Init step but BEFORE the Analyze step. In fact the init step will create a script for you that you have to execute before building your code in order for CodeQL to be able to monitor the build as well Analyze the repoFinally, | want to populate the CodeQL runner databases, analyze them, and upload the results to GitHub. Let's add the final script - script: | Jcodeql-runner-linux analyze \ --repository YOUR_REPO_NAME \ ithub-url https://github.com \ github-auth $GITHUB_PAT \ --commit $(Build SourceVersion) \ ~-ref $(Build SourceBranch) displayName: ‘Populate the CodeQL runner databases, analyze them, and upload the results to GitHub.’ Once again, replace the YOUR REPO_NAME placeholder with the whole name of the repo you want to scan. Here we also have 2 more parameters: --commit: this is the SHA of the commit you want to scan ~-ref: this is the fully qualified ref name of the branch you want to scan (ie. refs/heads/master) In my case | retrieve both parameters from variables, which is an approach | would recommend Conclusion And that is basically it. You can now run the Pipelines and, if successful, you should be able to navigate back to your GitHub repository security tab under code scanning to view the results of your scan