Merge pull request #20 from Malwarebytes/codeql_pr

Improve CodeQL support
Malwarebytes · Sep 27, 2022 · 26746c6 · 26746c6
2 parents 85af583 + 451f467
commit 26746c6
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 14 deletions.
diff --git a/src/cli.py b/src/cli.py
@@ -299,6 +299,12 @@ def repositories_enable_dependabot(
     "--repository",
     prompt="Repository name",
 )
+@click.option(
+    "-b",
+    "--branch",
+    prompt="Branch name to create",
+    default="appsec-ghas-codeql_enable",
+)
 @click.option(
     "-t",
     "--token",
@@ -311,12 +317,14 @@ def repositories_enable_dependabot(
 )
 @click.option("-o", "--organization", prompt="Organization name", type=str)
 def repositories_create_codeql_pr(
-    repository: str,
-    organization: str,
-    token: str,
+    repository: str, organization: str, token: str, branch: str
 ) -> None:
     """Create a CodeQL PR"""
-    click.echo(repositories.create_codeql_pr(organization, token, repository))
+    click.echo(
+        repositories.create_codeql_pr(
+            organization, token, repository, target_branch=branch
+        )
+    )
 
 
 #########

diff --git a/src/ghas_cli/utils/repositories.py b/src/ghas_cli/utils/repositories.py
@@ -356,27 +356,46 @@ def get_languages(
     return list(lang)
 
 
-def load_codeql_base64_template(language) -> tuple:
+def load_codeql_base64_template(language: str, default_branch: str = "main") -> tuple:
     language = language.lower()
     try:
         with open(f"./templates/codeql-analysis-{language.lower()}.yml", "r") as f:
-            template = f.read()
+            # Ugly af but `yaml` transforms `on:` to `True:` which is obviously annoying to parse Github Actions files..
+            template = f.readlines()
+            template_new = ""
+            for l in template:
+                if l == '    branches: ["main"]\n':
+                    template_new += f"    branches: ['{default_branch}']\n"
+                else:
+                    template_new += l
     except Exception as e:
         with open(f"./templates/codeql-analysis-default.yml", "r") as f:
-            template = f.read()
             language = "default"
-    return language, str(base64.b64encode(template.encode(encoding="utf-8")), "utf-8")
+            template = f.readlines()
+            template_new = ""
+            for l in template:
+                if l == '    branches: ["main"]\n':
+                    template_new += f"    branches: ['{default_branch}']\n"
+                else:
+                    template_new += l
+    return language, str(
+        base64.b64encode(template_new.encode(encoding="utf-8")), "utf-8"
+    )
 
 
-def create_codeql_pr(organization: str, token: str, repository: str) -> bool:
+def create_codeql_pr(
+    organization: str,
+    token: str,
+    repository: str,
+    target_branch: str = "appsec-ghas-codeql_enable",
+) -> bool:
     """
-    1. Retrieve the repository main language. Select the `codeql-analysis.yml` file for that language.
+    1. Retrieve the repository languages. Select the `codeql-analysis.yml` file for that language.
     2. Create a branch
     3. Push a .github/workflows/codeql-analysis.yml to the repository on that branch
-    3. Create an associated issue
+    3. Create an associated PR
     """
     headers = network.get_github_headers(token)
-    target_branch = "appsec-ghas-codeql_enable"
 
     # Get the default branch
     default_branch = get_default_branch(organization, token, repository)
@@ -420,7 +439,7 @@ def create_codeql_pr(organization: str, token: str, repository: str) -> bool:
     )
 
     for language in languages:
-        lang, template = load_codeql_base64_template(language)
+        lang, template = load_codeql_base64_template(language, default_branch)
         payload = {
             "message": f"Enable CodeQL analysis for {language}",
             "content": template,
@@ -438,7 +457,7 @@ def create_codeql_pr(organization: str, token: str, repository: str) -> bool:
     # Create PR
     payload = {
         "title": "Security Code Scanning - configuration files",
-        "body": f"This PR creates the Security scanning (CodeQL) configuration files for your repository languages ({languages}).\n\n We also just opened an informative issue in this repository to give you the context and assistance you need. In most cases you will be able to merge this PR as is and start benefiting from security scanning right away, as a check in each PR, and in the [Security tab](https://github.com/{organization}/{repository}/security/code-scanning) of this repository. \nHowever, we encourage you to review the configuration files and tag @Malwarebytes/security-appsec (or `#github-appsec-security` on Slack) if you have any questions.\n\nWe are here to help! :thumbsup:\n\n - Application Security team.",
+        "body": f"This PR creates the Security scanning (CodeQL) configuration files for your repository languages ({languages}).\n\n We also just opened an informative issue in this repository to give you the context and assistance you need. In most cases you will be able to merge this PR as is and start benefiting from security scanning right away, as a check in each PR, and in the [Security tab](https://github.com/{organization}/{repository}/security/code-scanning) of this repository. \nHowever, we encourage you to review the configuration files and tag @{organization}/security-appsec (or `#github-appsec-security` on Slack) if you have any questions.\n\nWe are here to help! :thumbsup:\n\n - Application Security team.",
         "head": target_branch,
         "base": default_branch,
     }