Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve CodeQL support #20

Merged
merged 2 commits into from
Sep 27, 2022
Merged

Improve CodeQL support #20

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d0136b8
(Missing changes..)
jboursier-mwb Sep 27, 2022
451f467
Ugly hack to workaround the `yaml` parsing issue with `on:` keywords
jboursier-mwb Sep 27, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 12 additions & 4 deletions src/cli.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -299,6 +299,12 @@ def repositories_enable_dependabot(
"--repository",
prompt="Repository name",
)
@click.option(
"-b",
"--branch",
prompt="Branch name to create",
default="appsec-ghas-codeql_enable",
)
@click.option(
"-t",
"--token",
Expand All @@ -311,12 +317,14 @@ def repositories_enable_dependabot(
)
@click.option("-o", "--organization", prompt="Organization name", type=str)
def repositories_create_codeql_pr(
repository: str,
organization: str,
token: str,
repository: str, organization: str, token: str, branch: str
) -> None:
"""Create a CodeQL PR"""
click.echo(repositories.create_codeql_pr(organization, token, repository))
click.echo(
repositories.create_codeql_pr(
organization, token, repository, target_branch=branch
)
)


#########
Expand Down
39 changes: 29 additions & 10 deletions src/ghas_cli/utils/repositories.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -356,27 +356,46 @@ def get_languages(
return list(lang)


def load_codeql_base64_template(language) -> tuple:
def load_codeql_base64_template(language: str, default_branch: str = "main") -> tuple:
language = language.lower()
try:
with open(f"./templates/codeql-analysis-{language.lower()}.yml", "r") as f:
template = f.read()
# Ugly af but `yaml` transforms `on:` to `True:` which is obviously annoying to parse Github Actions files..
template = f.readlines()
template_new = ""
for l in template:
if l == ' branches: ["main"]\n':
template_new += f" branches: ['{default_branch}']\n"
else:
template_new += l
except Exception as e:
with open(f"./templates/codeql-analysis-default.yml", "r") as f:
template = f.read()
language = "default"
return language, str(base64.b64encode(template.encode(encoding="utf-8")), "utf-8")
template = f.readlines()
template_new = ""
for l in template:
if l == ' branches: ["main"]\n':
template_new += f" branches: ['{default_branch}']\n"
else:
template_new += l
return language, str(
base64.b64encode(template_new.encode(encoding="utf-8")), "utf-8"
)


def create_codeql_pr(organization: str, token: str, repository: str) -> bool:
def create_codeql_pr(
organization: str,
token: str,
repository: str,
target_branch: str = "appsec-ghas-codeql_enable",
) -> bool:
"""
1. Retrieve the repository main language. Select the `codeql-analysis.yml` file for that language.
1. Retrieve the repository languages. Select the `codeql-analysis.yml` file for that language.
2. Create a branch
3. Push a .github/workflows/codeql-analysis.yml to the repository on that branch
3. Create an associated issue
3. Create an associated PR
"""
headers = network.get_github_headers(token)
target_branch = "appsec-ghas-codeql_enable"

# Get the default branch
default_branch = get_default_branch(organization, token, repository)
Expand Down Expand Up @@ -420,7 +439,7 @@ def create_codeql_pr(organization: str, token: str, repository: str) -> bool:
)

for language in languages:
lang, template = load_codeql_base64_template(language)
lang, template = load_codeql_base64_template(language, default_branch)
payload = {
"message": f"Enable CodeQL analysis for {language}",
"content": template,
Expand All @@ -438,7 +457,7 @@ def create_codeql_pr(organization: str, token: str, repository: str) -> bool:
# Create PR
payload = {
"title": "Security Code Scanning - configuration files",
"body": f"This PR creates the Security scanning (CodeQL) configuration files for your repository languages ({languages}).\n\n We also just opened an informative issue in this repository to give you the context and assistance you need. In most cases you will be able to merge this PR as is and start benefiting from security scanning right away, as a check in each PR, and in the [Security tab](https://github.com/{organization}/{repository}/security/code-scanning) of this repository. \nHowever, we encourage you to review the configuration files and tag @Malwarebytes/security-appsec (or `#github-appsec-security` on Slack) if you have any questions.\n\nWe are here to help! :thumbsup:\n\n - Application Security team.",
"body": f"This PR creates the Security scanning (CodeQL) configuration files for your repository languages ({languages}).\n\n We also just opened an informative issue in this repository to give you the context and assistance you need. In most cases you will be able to merge this PR as is and start benefiting from security scanning right away, as a check in each PR, and in the [Security tab](https://github.com/{organization}/{repository}/security/code-scanning) of this repository. \nHowever, we encourage you to review the configuration files and tag @{organization}/security-appsec (or `#github-appsec-security` on Slack) if you have any questions.\n\nWe are here to help! :thumbsup:\n\n - Application Security team.",
"head": target_branch,
"base": default_branch,
}
Expand Down