07_integrate_with_third_party_scanner.md
Integrate with Third Party Scanner

Overview

This demo will integrate with Codacy. Codacy is a static analysis tool that helps developers improve code quality and security. Codacy integrates with GitHub and other source code management systems to provide automated code review and analysis. Codacy can be used to enforce code quality standards, identify security vulnerabilities, and track code quality metrics over time.

Codacy is a third-party tool that requires a subscription. It supports more languages than CodeQL. There are many services like it; Codacy is simply the example used in this course.

Useful Links

Instructions

Part 1 - Setup Code Repo

IMPORTANT: Only complete this setup if you have not already created this repo in a previous demo.

  1. Ensure you have a GitHub Advanced Security license. Check with your administrator if you are unsure.

  2. Clone the public repo, https://github.com/ewg-atmosera/buffer-overflow-cpp, to your local computer.

    git clone https://github.com/ewg-atmosera/buffer-overflow-cpp

  3. Create a new repo in your GitHub account named buffer-overflow-cpp, and push the cloned repo to it.

    git remote add explore-codeql <YOUR GIT REPO URL>
    git push explore-codeql main

Part 2 - Setup & Run Codacy

  1. Click the Actions tab for the buffer-overflow-cpp repo.

  2. In the upper-left, click the New workflow button.

  3. In the Search workflows, type codacy, then hit Enter.

  4. One workflow should appear, Codacy Analysis. Click the Configure button.

  5. Add workflow_dispatch: to the on section.

  6. Review the configuration. You will observe an output option set to "results.sarif" and a format of "sarif". SARIF is a standard format for static analysis results that can be consumed by many tools.

    Third-party code scanning tools are initiated with a GitHub Action or a GitHub App based on an event in GitHub, like a pull request. The results are formatted as SARIF and uploaded to the GitHub Security Alerts tab. Alerts are then aggregated per tool and GitHub is able to track and suppress duplicate alerts.

  7. In the configuration file you will observe the following line.

    project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}

To call Codacy, you will need to add a secret named CODACY_PROJECT_TOKEN to the repo. To set the project token you will need to generate one on the Codacy website.

  1. At the top of the repo page, click the Settings tab.

  2. In the left-side menu, click Secrets and variables, then click Actions.

  3. Click the New repository secret button.

  4. In the Name field, type CODACY_PROJECT_TOKEN, and copy the token from Codacy into the Secret field. Then, click the Add secret button.

  5. Click on the Actions tab, then click the Codacy Analysis workflow.

  6. Manually run the workflow by clicking the Run workflow button and selecting the main branch. Review the result. Note the upload sarif task.

  7. Review the code scanning alerts. You will see the alerts from Codacy in the Security tab.

  8. While CodeQL is a powerful tool, it is limited to the languages it supports. Codacy supports many more languages, so it can be used to analyze code that CodeQL cannot. Also, Codacy provides a different set of rules and checks than CodeQL, so it can be used to complement CodeQL analysis.
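For reference, this is what the Codacy Analysis workflow file looks like once the workflow_dispatch trigger from step 5 is added. It is an added example assembled for this page, not the file generated in the Configure view; the action version tags (@v4, @v3 and the codacy action tag) are assumptions, so compare them against what GitHub generates for you.

```yaml
name: Codacy Security Scan

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  # Added in step 5 so the scan can be started manually from the Actions tab.
  workflow_dispatch:

# Least privilege at the workflow level; the job grants only what it needs.
permissions:
  contents: read

jobs:
  codacy-security-scan:
    name: Codacy Security Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required to upload SARIF results to the Security tab.
      security-events: write
      actions: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4   # version tag assumed

      - name: Run Codacy Analysis CLI
        uses: codacy/codacy-analysis-cli-action@v4   # version tag assumed
        with:
          # The repository secret created in Part 2; never commit the token itself.
          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
          verbose: true
          # Results are written as SARIF so GitHub code scanning can ingest them.
          output: results.sarif
          format: sarif
          # Keep the SARIF compatible with GitHub code scanning.
          gh-code-scanning-compat: true
          # Do not fail the job on findings; the alerts are reviewed in the Security tab.
          max-allowed-issues: 2147483647

      # The "upload sarif" task noted in step 6 of the secrets section.
      - name: Upload SARIF results file
        uses: github/codeql-action/upload-sarif@v3   # version tag assumed
        with:
          sarif_file: results.sarif
```

If the run fails at the Codacy step with an authentication error, the CODACY_PROJECT_TOKEN secret is missing or was copied incorrectly; if it fails at the upload step, check that the job has the security-events: write permission.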