Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/advanced-security/gh-codeql-scan
GH CLI CodeQL Scan Extension
https://github.com/advanced-security/gh-codeql-scan
Last synced: about 1 month ago
JSON representation
GH CLI CodeQL Scan Extension
- Host: GitHub
- URL: https://github.com/advanced-security/gh-codeql-scan
- Owner: advanced-security
- License: mit
- Created: 2022-08-09T16:48:58.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2023-10-24T14:50:23.000Z (about 1 year ago)
- Last Synced: 2024-04-14T11:43:01.429Z (8 months ago)
- Language: Shell
- Size: 37.1 KB
- Stars: 16
- Watchers: 2
- Forks: 4
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
Awesome Lists containing this project
- awesome-codeql - gh-codeql-scan - GH CLI CodeQL Scan Extension (CodeQL CLI Tooling)
README
gh-codeql-scan
[![GitHub](https://img.shields.io/badge/github-%23121011.svg?style=for-the-badge&logo=github&logoColor=white)][github]
[![GitHub Issues](https://img.shields.io/github/issues/advanced-security/gh-codeql-scan?style=for-the-badge)][github-issues]
[![GitHub Stars](https://img.shields.io/github/stars/advanced-security/gh-codeql-scan?style=for-the-badge)][github]
[![License](https://img.shields.io/github/license/advanced-security/gh-codeql-scan?style=for-the-badge)][license][GitHub CLI CodeQL Scan Extension][github] to help abstract [CodeQL][codeql] away from users.
Motivation
This project was created to make the lives of users that use CodeQL simpiler.
CodeQL outside of GitHub Actions can be complicated but this projects aim is to make it as simple as possible.## Requirements
- [GitHub CLI](https://cli.github.com/)
- [CodeQL GH Extension][gh-codeql] (optional)## Install and Setup
This installs CodeQL and this scan tool:
```bash
gh extensions install github/gh-codeql
gh extensions install advanced-security/gh-codeql-scangh codeql-scan --help
```CLI Help
GitHub CodeQL Scan toolgh codeql-scan {MODE} {ARGS}
# Modes
gh codeql-scan # default: "scan"
gh codeql-scan init # initialise the scan
gh codeql-scan analyze # run the analysis
gh codeql-scan upload # upload present SARIF files
gh codeql-scan scan # full end-to-end scan# Arguments
> All arguments can be set with enviroment variables
-h|--help # Print help
--debug # Enable debugging
-r=*|--repo=* # GitHub Respository (OWNER/NAME)
-i=*|--instance=* # GitHub Instance (github.com or Enterprise Server)-l=*|--language=* # Set language to scan
--auto-detect # Auto-detect languages-s=*|--suite=* # Query Suite to use
-d=*|--databases=* # Location of the databases to store
-b=*|--binary=* # Path to the CodeQL Binary
-w=*|--workspace=* # Workspace for the souce code-c=*|--command=* # Set the build comment (compiled languages)
-m=*|--mode=* # Build mode (autobuild | none)
--buildless # Enable buildless / build mode none--view-in-vscode # Auto-open the results in VSCode
--disable-tracing # Disable Build Tracing
--disable-trap-caching # Disable Trap file caching
--disable-upload # Disable Uploading SARIF to GitHub
--disable-banner # Disable printing banner### Alias / Stub
A couple of tips and tricks:
```bash
# Create an alias to make things even easier
alias codeql-scan="gh codeql-scan"
```## Usage
The main use of the script is to automatically run CodeQL in a number of modes.
```bash
# End-to-end analysis and upload results
gh codeql-scan
```#### Initialise with language
Automatically detect languages or manually set the language to create an initial CodeQL database.
```bash
gh codeql-scan init --auto-detect
# or manually set language
gh codeql-scan init -l=java
```#### Scan without build
This will scan your code in build mode `none`.
```bash
gh codeql-scan -m="none"
# or simply
gh codeql-scan --buildless
```#### Scan with Build Command
Pass in the build command for a compiled language and it will be run along with CodeQL.
```bash
gh codeql-scan -c "mvn build ..."
```#### Indirect build tracing
For Compiled languages, complicated build process using indirect build tracing
```bash
gh codeql-scan init
echo "password=$password" > settings.xml
mvn build --random-custom=flags
gh codeql-scan analyze
```#### Running analysis
Run query-suites on an existing database (auto-detects databases)
```bash
gh codeql-scan analyze
```#### Uploading results to GitHub
The `upload` mode will upload all SARIF files for you to a repository
```bash
gh codeql-scan upload
```## Maintainers
- @GeekMasher
## Support / Maintainance
Support is via [GitHub Issues][github-issues]
## License
This project is licensed under the terms of the MIT open source license.
Please refer to [MIT][license] for the full terms.[license]: ./LICENSE
[github]: https://github.com/advanced-security/gh-codeql-scan
[github-issues]: https://github.com/advanced-security/gh-codeql-scan/issues
[codeql]: https://codeql.github.com/
[gh-codeql]: https://github.com/github/gh-codeql