How to enable CodeQL using GitHub CI Tools

Question

I received a pull request to enable CodeQL scanning in my application's GitHub repository. How do I enable CodeQL when I'm using the built-in GitHub Actions CI tools?

Answer

The pull request includes a number of changes to your repository to set up CodeQL scanning. Even if CodeQL was previously enabled, additional changes are required to meet current VA scanning requirements. Enabling CodeQL at VA requires some additional configuration before merging the pull request. This technical note provides an overview of the process. The technical notes linked below provide more details on how to perform each step.

Please note, if you are using the Jenkins CI tools in your GitHub repository, please see this technical note instead.

Please note, for compiled languages these steps assume you are already building your code in a CI pipeline. If you are not already building in a CI pipeline and the autobuild process fails, it is recommended to start by getting your application to build in the CI pipeline, then apply that knowledge to the code scanning.

The process to enable CodeQL for a repository consists of the following:

  1. Ignore repository (optional) - If the repository should not be scanned the developer must add a .emass-repo-ignore file. See Ignore repository for additional information.

  2. Update emass.json (required) - The pull request adds a file named emass.json which must be updated to map your application to an eMASS system. See Update emass.json for additional information.

  3. Exclude languages that can’t be scanned (optional) - The pull request identifies the languages supported by CodeQL that are present in the repository. If any of those languages cannot be scanned, you must exclude them from the scan. See Remove languages from the scan for additional information.

  4. Update when scans run (optional) - If the default scan frequency is not appropriate for your repository, update it. See Update scan frequency for additional information.

  5. Update build process (optional) - If the build process for your application must be updated to pull in dependencies or compile the application, make those changes as needed. See Update build steps for additional information.

  6. Update where scans run (optional) - If your application requires self-hosted runners to access protected resources, update the scans to use those runners. See Update where scans run for additional information.

  7. Enable support for monorepos (optional) - If you operate a monorepo and need to split your application into multiple scans, or if you need to scan only a subset of the application, you can set custom paths and labels. See Scanning Monorepos for additional information.

  8. Merge pull request (required) - Merge the pull request into your repository to turn on the CodeQL scanning. See Merge pull request for additional information.

  9. Delete existing CodeQL workflow (optional) - If you have an existing CodeQL workflow in your .github/workflows directory with a filename other than `codeql-analysis.yml`, you must delete it. The updated workflow introduced in the pull request will take precedence over any existing workflow.
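To show where steps 3 through 7 land in a workflow, here is an added illustration built from the standard github/codeql-action inputs; it is not the workflow delivered by the pull request (that file remains the one you configure and merge), and the cron value, runner labels, language list, build command and monorepo paths are all assumed placeholders.

```yaml
name: "CodeQL"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    # Step 4: scan frequency. Assumed value: weekly, Monday 06:00 UTC.
    - cron: '0 6 * * 1'

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    # Step 6: where scans run. Assumed self-hosted runner labels;
    # use a GitHub-hosted runner if no protected resources are needed.
    runs-on: [ self-hosted, linux ]
    permissions:
      security-events: write   # needed to upload scan results
      contents: read
    strategy:
      fail-fast: false
      matrix:
        # Step 3: keep only the languages that can actually be scanned.
        language: [ 'java-kotlin', 'javascript-typescript' ]
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Step 7: monorepo scope. Assumed directory names.
          config: |
            paths:
              - services/billing
            paths-ignore:
              - '**/test/**'

      # Step 5: explicit build for the compiled language when autobuild
      # fails; the Maven wrapper command here is an assumed example.
      - if: matrix.language == 'java-kotlin'
        run: ./mvnw -B -DskipTests package
      - if: matrix.language != 'java-kotlin'
        uses: github/codeql-action/autobuild@v3

      - uses: github/codeql-action/analyze@v3
        with:
          # Distinct categories keep results separate when a
          # monorepo is split into several scans.
          category: "/language:${{ matrix.language }}"
```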

If you need any help understanding or configuring this pull request, or any help regarding Code Scanning in the future, please book a meeting with OIS Software Assurance.