{"id":42277,"date":"2024-09-17T00:00:27","date_gmt":"2024-09-17T07:00:27","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/premier-developer\/?p=42277"},"modified":"2024-09-13T13:03:35","modified_gmt":"2024-09-13T20:03:35","slug":"boosting-azure-devops-security-with-ghas-code-scanning","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/premier-developer\/boosting-azure-devops-security-with-ghas-code-scanning\/","title":{"rendered":"Boosting Azure DevOps Security with GHAS Code Scanning"},"content":{"rendered":"<p><a href=\"https:\/\/www.linkedin.com\/in\/debjyoti-ganguly-5a4862144\/\" target=\"_blank\" rel=\"noopener\">Debjyoti Ganguly<\/a> shares insights on the security benefits and configuration of GHAS Code Scanning with Azure DevOps.<\/p>\n<hr \/>\n<h2>Boosting Azure DevOps Security with GHAS Code Scanning<\/h2>\n<p>Code scanning, a pipeline-based tool available in GitHub Advanced Security, is designed to detect code vulnerabilities and bugs within the source code of ADO (Azure DevOps) repositories. Utilizing CodeQL as a static analysis tool, it performs query analysis and variant analysis. When vulnerabilities are found, it generates security alerts.<\/p>\n<h3>CodeQL<\/h3>\n<p>CodeQL is a powerful static analysis tool used to find vulnerabilities and bugs in source code. It enables developers to write custom queries that analyze codebases, searching for specific patterns and potential security issues. 
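<\/p>
<p>The CodeQL workflow described in this section (create a database, run queries, interpret the results), carried through as an added example that is not code from the original post or from the CodeQL project. The first function wraps the CodeQL CLI, which is assumed to be on PATH, for database creation and analysis; the remaining functions do the step that a pipeline otherwise leaves to a human: read the SARIF written to codeql_results_file, rank findings by the security-severity and precision that CodeQL attaches to each rule, and decide whether the build should fail. The SARIF document is constructed inline for the example; its rule ids follow CodeQL naming, but the severity values, file names and line numbers are illustrative, not a real scan result, and the 7.0 threshold is an assumed policy value.<\/p>

```python
import json
import subprocess


# Steps 1 and 2 (CodeQL CLI assumed on PATH): extract the source tree into a
# CodeQL database, then run the default query suite for the language and
# write the results as SARIF. Not executed by the example run below.
def run_codeql(source_root, language, db_path, results_path):
    subprocess.run(['codeql', 'database', 'create', db_path, '--overwrite',
                    '--language=' + language, '--source-root=' + source_root],
                   check=True)
    subprocess.run(['codeql', 'database', 'analyze', db_path,
                    '--format=sarif-latest', '--output=' + results_path],
                   check=True)


# Constructed sample SARIF (not a real scan). Rule ids follow CodeQL naming;
# the security-severity values, files and lines are illustrative.
SAMPLE_SARIF = json.dumps({
    'version': '2.1.0',
    'runs': [{
        'tool': {'driver': {'name': 'CodeQL', 'rules': [
            {'id': 'py/sql-injection',
             'properties': {'security-severity': '8.8', 'precision': 'high'}},
            {'id': 'py/clear-text-logging-sensitive-data',
             'properties': {'security-severity': '7.5', 'precision': 'high'}},
            # A code-quality query: it carries no security-severity at all.
            {'id': 'py/unused-import', 'properties': {'precision': 'very-high'}},
        ]}},
        'results': [
            {'ruleId': 'py/unused-import', 'level': 'warning',
             'message': {'text': 'Import of os is not used.'},
             'locations': [{'physicalLocation': {
                 'artifactLocation': {'uri': 'app/util.py'},
                 'region': {'startLine': 3}}}]},
            {'ruleId': 'py/sql-injection', 'level': 'error',
             'message': {'text': 'This SQL query depends on a user-provided value.'},
             'locations': [{'physicalLocation': {
                 'artifactLocation': {'uri': 'app/db.py'},
                 'region': {'startLine': 42}}}]},
            {'ruleId': 'py/clear-text-logging-sensitive-data', 'level': 'error',
             'message': {'text': 'This expression logs sensitive data (password) as clear text.'},
             'locations': [{'physicalLocation': {
                 'artifactLocation': {'uri': 'app/auth.py'},
                 'region': {'startLine': 17}}}]},
        ],
    }],
})

PRECISION_RANK = {'very-high': 0, 'high': 1, 'medium': 2, 'low': 3}


# Step 3: interpret the results. CodeQL records each rule's security-severity
# (a CVSS-style 0-10 score, present on security queries only) and precision
# in the rule's properties; rules may sit under tool.driver or tool.extensions.
def load_findings(sarif_text):
    sarif = json.loads(sarif_text)
    findings = []
    for run in sarif['runs']:
        rules = {}
        components = [run['tool']['driver']] + run['tool'].get('extensions', [])
        for component in components:
            for rule in component.get('rules', []):
                rules[rule['id']] = rule
        for result in run.get('results', []):
            props = rules.get(result['ruleId'], {}).get('properties', {})
            loc = result['locations'][0]['physicalLocation']
            findings.append({
                'rule': result['ruleId'],
                'severity': float(props.get('security-severity', 0.0)),
                'precision': props.get('precision', 'unknown'),
                'file': loc['artifactLocation']['uri'],
                'line': loc['region']['startLine'],
                'message': result['message']['text'],
            })
    # Highest security-severity first; ties go to the more precise query.
    findings.sort(key=lambda f: (-f['severity'],
                                 PRECISION_RANK.get(f['precision'], 4)))
    return findings


def should_fail_build(findings, threshold=7.0):
    # Gate only on security findings at or above the threshold (assumed policy);
    # quality results (severity 0.0) and lower-severity findings are still reported.
    return any(f['severity'] >= threshold for f in findings)


if __name__ == '__main__':
    # In the pipeline this would read the file named by codeql_results_file.
    findings = load_findings(SAMPLE_SARIF)
    for f in findings:
        print(f['severity'], f['precision'], f['rule'],
              f['file'] + ':' + str(f['line']), '-', f['message'])
    raise SystemExit(1 if should_fail_build(findings) else 0)
```

<p>Run as a script it prints the ranked findings and exits non-zero when a security finding at or above the threshold exists, which is what lets a pipeline job fail the build on a CodeQL result instead of only publishing the SARIF for the SAST Scans tab. Gating on security-severity rather than on the SARIF level keeps code-quality queries from blocking a release while still surfacing them.<\/p>
<p>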
By converting code into a database format, CodeQL allows for sophisticated, database-like queries to detect flaws.<\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-42279 size-full\" src=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/word-image-42277-2.png\" alt=\"\" width=\"641\" height=\"400\" srcset=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/word-image-42277-2.png 641w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/word-image-42277-2-300x187.png 300w\" sizes=\"(max-width: 641px) 100vw, 641px\" \/><\/p>\n<h3>CodeQL in Action<\/h3>\n<p><img decoding=\"async\" class=\"alignnone wp-image-42280\" src=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-diagram-of-a-diagram-description-automatically-1024x499.png\" alt=\"A diagram of a diagram Description automatically generated\" width=\"641\" height=\"312\" srcset=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-diagram-of-a-diagram-description-automatically-1024x499.png 1024w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-diagram-of-a-diagram-description-automatically-300x146.png 300w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-diagram-of-a-diagram-description-automatically-768x374.png 768w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-diagram-of-a-diagram-description-automatically-1536x748.png 1536w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-diagram-of-a-diagram-description-automatically-2048x997.png 2048w\" sizes=\"(max-width: 641px) 100vw, 641px\" \/><\/p>\n<h4>1. 
Preparing the Code<\/h4>\n<ul>\n<li><strong>Create a CodeQL Database<\/strong>: Extract and structure the code into a database for analysis (for compiled languages this means tracing a build of the project).<\/li>\n<\/ul>\n<h4>2. Running CodeQL Queries<\/h4>\n<ul>\n<li><strong>Execute Queries<\/strong>: Run predefined or custom queries against the database to find potential issues.<\/li>\n<\/ul>\n<h4>3. Interpreting the Query Results<\/h4>\n<ul>\n<li><strong>Review Findings<\/strong>: Analyze the results (typically a SARIF file) to find, prioritize, and address vulnerabilities and code quality issues.<\/li>\n<\/ul>\n<p>Reference: <a href=\"https:\/\/docs.github.com\/en\/code-security\/codeql-cli\/getting-started-with-the-codeql-cli\/about-the-codeql-cli\">About the CodeQL CLI<\/a> &#8211; GitHub Docs<\/p>\n<h3>Sample Code Scanning Azure DevOps Pipeline<\/h3>\n<p>Once GitHub Advanced Security is configured for the ADO repository, we can create and run a dedicated code scanning pipeline that detects vulnerabilities and generates query results and alerts. Below is a generic sample code scanning pipeline.<\/p>\n<p><strong>Prerequisites:<\/strong><\/p>\n<ul>\n<li><strong>GitHub Token (GitHub token)<\/strong>: A pipeline variable required for authenticated operations with GitHub. Define it as a secret variable so that it is masked in the build logs.<\/li>\n<li><strong>CodeQL Results File Path (codeql_results_file)<\/strong>: A variable defined in the pipeline YAML that specifies where the analysis results (SARIF) are written.<\/li>\n<li><strong>SARIF SAST Scans Tab extension<\/strong>: Install it from the Azure DevOps Marketplace to view the query results in the build summary.<\/li>\n<\/ul>\n<p><img decoding=\"async\" class=\"alignnone wp-image-42281 size-large\" src=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-program-description-au-1003x1024.png\" alt=\"A screenshot of a computer program Description automatically generated\" width=\"1003\" height=\"1024\" 
srcset=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-program-description-au-1003x1024.png 1003w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-program-description-au-294x300.png 294w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-program-description-au-768x784.png 768w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-program-description-au-1504x1536.png 1504w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-program-description-au-24x24.png 24w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-program-description-au-48x48.png 48w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-program-description-au.png 1851w\" sizes=\"(max-width: 1003px) 100vw, 1003px\" \/><\/p>\n<p>For further insights and detailed guides, please refer to the following articles:<\/p>\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/devops\/repos\/security\/configure-github-advanced-security-features?view=azure-devops&amp;tabs=yaml\">https:\/\/learn.microsoft.com\/en-us\/azure\/devops\/repos\/security\/configure-github-advanced-security-features?view=azure-devops&amp;tabs=yaml<\/a><\/p>\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/devops\/repos\/security\/github-advanced-security-code-scanning?view=azure-devops\">https:\/\/learn.microsoft.com\/en-us\/azure\/devops\/repos\/security\/github-advanced-security-code-scanning?view=azure-devops<\/a><\/p>\n<h3>Default setup of Code Scanning in GitHub Repository<\/h3>\n<h4>Requirements for Using Default 
Setup<\/h4>\n<ul>\n<li><strong>GitHub Actions<\/strong>: Must be enabled.<\/li>\n<\/ul>\n<h4>Recommendations<\/h4>\n<ul>\n<li>Enable default setup if there is any chance of including at least one CodeQL-supported language in the future.<\/li>\n<li>Default setup will not run or use GitHub Actions minutes if no CodeQL-supported languages are present.<\/li>\n<li>If CodeQL-supported languages are added, default setup will automatically begin scanning and using minutes.<\/li>\n<\/ul>\n<h4>Customizing Default Setup<\/h4>\n<ul>\n<li>Start with default setup.<\/li>\n<li>Evaluate code scanning performance.<\/li>\n<li>Customize if needed to better meet security needs.<\/li>\n<\/ul>\n<h4>Configuring Default Setup for a Repository<\/h4>\n<ol>\n<li><strong>Automatic Analysis<\/strong>: All CodeQL-supported languages will be analyzed.<\/li>\n<li><strong>Successful Analysis<\/strong>: Languages analyzed successfully will be <a id=\"post-42277-_Int_2Flc0TjA\"><\/a>retained.<\/li>\n<li><strong>Unsuccessful Analysis<\/strong>: Languages not analyzed successfully will be deselected.<\/li>\n<li><strong>Failure Handling<\/strong>: If all analyses fail, default setup stays enabled but inactive until a supported language is added, or setup is manually reconfigured.<\/li>\n<\/ol>\n<h4>Steps to Enable Default Setup<\/h4>\n<ol>\n<li><strong>Navigate to Repository<\/strong>: Go to the main page of the repository.<\/li>\n<li><strong>Access Settings<\/strong>:\n<ul>\n<li>Click on &#8220;Settings&#8221; under the repository name.<\/li>\n<li>If &#8220;Settings&#8221; is not visible, select the dropdown menu and click &#8220;Settings&#8221;.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Security Settings<\/strong>:\n<ul>\n<li>In the &#8220;Security&#8221; section of the sidebar, click &#8220;Code security and analysis&#8221;.<img decoding=\"async\" class=\"alignnone wp-image-42282 size-large\" 
src=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/word-image-42277-5-1024x532.png\" alt=\"\" width=\"1024\" height=\"532\" srcset=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/word-image-42277-5-1024x532.png 1024w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/word-image-42277-5-300x156.png 300w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/word-image-42277-5-768x399.png 768w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/word-image-42277-5-1536x797.png 1536w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/word-image-42277-5-2048x1063.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/li>\n<\/ul>\n<\/li>\n<li><strong>Setup Code Scanning<\/strong>:<\/li>\n<\/ol>\n<p>In the &#8220;Code scanning&#8221; section, select &#8220;Set up&#8221; and click &#8220;Default&#8221;.<\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-42283 size-large\" src=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-chat-description-automatically-770x1024.png\" alt=\"A screenshot of a chat Description automatically generated\" width=\"770\" height=\"1024\" srcset=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-chat-description-automatically-770x1024.png 770w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-chat-description-automatically-225x300.png 225w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-chat-description-automatically-768x1022.png 768w, 
https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-chat-description-automatically-1154x1536.png 1154w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-chat-description-automatically.png 1425w\" sizes=\"(max-width: 770px) 100vw, 770px\" \/><\/p>\n<ol start=\"5\">\n<li><strong>Review Configuration<\/strong>:\n<ul>\n<li>A dialog summarizes the automatically created code scanning configuration.<\/li>\n<li>Optionally, select a query suite in the &#8220;Query suites&#8221; section.<\/li>\n<li>The extended query suite adds queries of lower severity and precision, so expect more alerts, and more false positives, than with the default suite.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Enable CodeQL<\/strong>: Review the settings and click &#8220;Enable CodeQL&#8221; to trigger the first analysis workflow.<\/li>\n<li><strong>View Configuration<\/strong>: After enablement, the configuration can be viewed from the menu next to the CodeQL entry in the &#8220;Code scanning&#8221; section.<\/li>\n<li><strong>CodeQL Analysis Run<\/strong>: Once CodeQL is set up, it will run on the repository to check for vulnerabilities in the supported language code. 
You can view more information by clicking on the &#8220;View last scan&#8221; option.<img decoding=\"async\" class=\"alignnone wp-image-42284 size-large\" src=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-description-automatica-1024x413.png\" alt=\"A screenshot of a computer Description automatically generated\" width=\"1024\" height=\"413\" srcset=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-description-automatica-1024x413.png 1024w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-description-automatica-300x121.png 300w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-description-automatica-768x310.png 768w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-description-automatica-1536x620.png 1536w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-description-automatica-2048x826.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><img decoding=\"async\" class=\"alignnone wp-image-42285 size-large\" src=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-description-automatica-1-1024x715.png\" alt=\"A screenshot of a computer Description automatically generated\" width=\"1024\" height=\"715\" srcset=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-description-automatica-1-1024x715.png 1024w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-description-automatica-1-300x210.png 300w, 
https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-description-automatica-1-768x537.png 768w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-description-automatica-1-1536x1073.png 1536w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-description-automatica-1-2048x1431.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/li>\n<li><strong>View Security Alerts<\/strong>: Default setup runs the built-in query suite on the repository code for the supported language (in this case, Python) and generates alerts for any detected vulnerabilities.<img decoding=\"async\" class=\"alignnone wp-image-42286 size-large\" src=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-description-automatica-2-1024x371.png\" alt=\"A screenshot of a computer Description automatically generated\" width=\"1024\" height=\"371\" srcset=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-description-automatica-2-1024x371.png 1024w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-description-automatica-2-300x109.png 300w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-description-automatica-2-768x278.png 768w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/a-screenshot-of-a-computer-description-automatica-2.png 1430w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/li>\n<\/ol>\n<h3>Reference Links for more insights<\/h3>\n<p><a href=\"https:\/\/docs.github.com\/en\/code-security\/code-scanning\/enabling-code-scanning\/configuring-default-setup-for-code-scanning\">https:\/\/docs.github.com\/en\/code-security\/code-scanning\/enabling-code-scanning\/configuring-default-setup-for-code-scanning<\/a><\/p>\n<p><a href=\"https:\/\/docs.github.com\/en\/code-security\/code-scanning\/managing-your-code-scanning-configuration\/python-built-in-queries\">https:\/\/docs.github.com\/en\/code-security\/code-scanning\/managing-your-code-scanning-configuration\/python-built-in-queries<\/a><\/p>\n<h3>Benefits of Running CodeQL for Developers<\/h3>\n<p><img decoding=\"async\" class=\"alignnone wp-image-42287 size-large\" src=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/word-image-42277-10-1024x717.png\" alt=\"\" width=\"1024\" height=\"717\" srcset=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/word-image-42277-10-1024x717.png 1024w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/word-image-42277-10-300x210.png 300w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/word-image-42277-10-768x538.png 768w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2024\/09\/word-image-42277-10.png 1431w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<h3>Responsibilities and Burdens<\/h3>\n<ul>\n<li><strong>Initial Setup and Learning Curve<\/strong>: Requires time to set up and to learn how to use effectively.<\/li>\n<li><strong>Maintenance of Queries<\/strong>: Custom queries may need updates as the codebase evolves.<\/li>\n<li><strong>False Positives<\/strong>: Like any static analyzer, it generates false positives that need to be triaged and dismissed with a recorded reason.<\/li>\n<li><strong>Integration Effort<\/strong>: Integrating CodeQL into existing CI\/CD pipelines can require significant 
effort.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Debjyoti Ganguly shares insights on the security benefits and configuration of GHAS Code Scanning with Azure DevOps. Boosting Azure DevOps Security with GHAS Code Scanning Code scanning, a pipeline-based tool available in GitHub Advanced Security, is designed to detect code vulnerabilities and bugs within the source code of ADO (Azure DevOps) repositories. Utilizing CodeQL as [&hellip;]<\/p>\n","protected":false},"author":582,"featured_media":42278,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[22,96],"tags":[2571,10658,58],"class_list":["post-42277","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops","category-security","tag-azure-devops","tag-ghas","tag-security"],"acf":[],"blog_post_summary":"<p>Debjyoti Ganguly shares insights on the security benefits and configuration of GHAS Code Scanning with Azure DevOps. Boosting Azure DevOps Security with GHAS Code Scanning Code scanning, a pipeline-based tool available in GitHub Advanced Security, is designed to detect code vulnerabilities and bugs within the source code of ADO (Azure DevOps) repositories. 
Utilizing CodeQL as [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts\/42277","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/users\/582"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/comments?post=42277"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts\/42277\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/media\/42278"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/media?parent=42277"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/categories?post=42277"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/tags?post=42277"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}