September 17th, 2024

Boosting Azure DevOps Security with GHAS Code Scanning

Developer Support
Cloud Solution Architects

Debjyoti Ganguly shares insights on the security benefits and configuration of GHAS Code Scanning with Azure DevOps.


Boosting Azure DevOps Security with GHAS Code Scanning

Code scanning, a pipeline-based tool available in GitHub Advanced Security, is designed to detect code vulnerabilities and bugs within the source code of ADO (Azure DevOps) repositories. Utilizing CodeQL as a static analysis tool, it performs query analysis and variant analysis. When vulnerabilities are found, it generates security alerts.

CodeQL

CodeQL is a powerful static analysis tool used for showing vulnerabilities and bugs in source code. It enables developers to write custom queries that analyze codebases, searching for specific patterns and potential security issues. By converting code into a database format, CodeQL allows for sophisticated, database-like queries to detect flaws.

CodeQL in Action

A diagram of a diagram Description automatically generated

1. Preparing the Code

  • Create a CodeQL Database: Extract and structure the code into a database for analysis.

2. Running CodeQL Queries

  • Execute Queries: Run predefined or custom queries against the database to find potential issues.

3. Interpreting the Query Results

  • Review Findings: Analyze the results to find, prioritize, and address vulnerabilities and code quality issues.

Reference: – About the CodeQL CLI – GitHub Docs

Sample Code Scanning Azure DevOps Pipeline

Once the GitHub Advanced security is configured for the ADO Repo we can then create and run a dedicated Code scanning pipeline to detect vulnerability & generate query results & alerts.Below is a generic sample Code scanning pipeline

Prerequisites:

  • GitHub Token (GitHub token): Required Pipeline Variable for authenticated operations with GitHub.
  • CodeQL Results File Path (codeql_results_file): Predefined in the pipeline YAML variable to specify where the analysis results are stored.
  • SARIF SAST Scans Tab extension: Need to install it from Azure DevOps Marketplace to view query results

A screenshot of a computer program Description automatically generated

For further insights and detailed guides, please refer to the following articles:

https://learn.microsoft.com/en-us/azure/devops/repos/security/configure-github-advanced-security-features?view=azure-devops&tabs=yaml

https://learn.microsoft.com/en-us/azure/devops/repos/security/github-advanced-security-code-scanning?view=azure-devops

Default setup of Code Scanning in GitHub Repository

Requirements for Using Default Setup

  • GitHub Actions: Must be enabled.

Recommendations

  • Enable default setup if there is any chance of including at least one CodeQL-supported language in the future.
  • Default setup will not run or use GitHub Actions minutes if no CodeQL-supported languages are present.
  • If CodeQL-supported languages are added, default setup will automatically begin scanning and using minutes.

Customizing Default Setup

  • Start with default setup.
  • Evaluate code scanning performance.
  • Customize if needed to better meet security needs.

Configuring Default Setup for a Repository

  1. Automatic Analysis: All CodeQL-supported languages will be analyzed.
  2. Successful Analysis: Languages analyzed successfully will be retained.
  3. Unsuccessful Analysis: Languages not analyzed successfully will be deselected.
  4. Failure Handling: If all analyses fail, default setup stays enabled but inactive until a supported language is added, or setup is manually reconfigured.

Steps to Enable Default Setup

  1. Navigate to Repository: Go to the main page of the repository.
  2. Access Settings:
    • Click on “Settings” under the repository name.
    • If “Settings” is not visible, select the dropdown menu and click “Settings”.
  3. Security Settings:
    • In the “Security” section of the sidebar, click “Code security and analysis”.
  4. Setup Code Scanning:

In the “Code scanning” section, select “Set up” and click “Default”.

A screenshot of a chat Description automatically generated

  1. Review Configuration:
    • A dialog will summarize the automatically created code scanning configuration.
    • Optionally, select a query suite in the “Query suites” section.
    • Extended query suite runs additional, lower severity and precision queries.
  2. Enable CodeQL: Review settings and click “Enable CodeQL” to trigger a workflow.
  3. View Configuration: After enablement, view the configuration by selecting the relevant choice.
  4. CodeQL Analysis Run: Once CodeQL is set up, it will run on the repository to check for vulnerabilities in the supported language code. You can view more information by clicking on the “View last scan” option.A screenshot of a computer Description automatically generatedA screenshot of a computer Description automatically generated
  5. View Security Alerts: It will run its default built-in queries on the repository code for the supported language (in this case, Python) and will generate alerts for any detected vulnerabilities.A screenshot of a computer Description automatically generated

    Reference Link for more insights

    https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning

    https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/python-built-in-queries

Benefits of Running Code QL for Developers

Responsibilities and Burdens

  • Initial Setup and Learning Curve: Requires time to set up and learn how to use effectively.
  • Maintenance of Queries: Custom queries may need updates as the codebase evolves.
  • False Positives: May generate false positives that need to be reviewed and addressed.
  • Integration Effort: Integrating Code QL into existing CI/CD pipelines can require significant effort.

Author

Developer Support
Cloud Solution Architects

Microsoft Developer Support helps software developers rapidly build and deploy quality applications for Microsoft platforms.

2 comments

  • Dan Anstis

    Thank you for clarifying how CodeQL operates. I have been using GHAS for some time, but I wasn’t aware of the underlying processes of CodeQL.

    • Debjyoti GangulyMicrosoft employee

      Thank you Dan & appreciate your feedback.