Install CodeQL in Azure pipeline or VM scale set
Author: Alexander Arana Escobedo
The Azure pipeline section below shows how to install CodeQL on your self-hosted agents at job time, in the tool-cache layout the GitHub Advanced Security for Azure DevOps (GHAzDo) tasks expect; the cloud-init script section shows how to bake the same install into an Azure VM Scale Set instead, so the agents come up with CodeQL already in place. The Microsoft documentation listed under References describes the same layout.
If you are new to .NET, keep reading for a short walkthrough of creating a .NET application and pushing the code to Azure DevOps 🤓.
🚀Getting Started
Here are the steps to follow if you are unsure how to create a basic .NET application and push the code to Azure DevOps. Enjoy!
Create a .NET 8 web application

```bash
# Install the .NET 8 SDK first: https://dotnet.microsoft.com/en-us/download/dotnet/8.0
# Create a new project from the ASP.NET Core Razor Pages template, targeting .NET 8
dotnet new webapp -f net8.0
# Create a .gitignore tailored to .NET projects (bin/, obj/, user settings, ...)
dotnet new gitignore
# Build and run the project locally
dotnet run
```
Connect a local Git repo to an Azure Repos Git repo

```bash
# -b main needs Git 2.28 or newer; older versions create "master" and need a rename
git init -b main
git remote add origin <clone URL>
git add -A
git commit -am "initial commit"
git push --set-upstream origin main
```
Setting up Git to authenticate with GitHub when you have 2-factor authentication enabled with GitHub CLI
I have had some problems authenticating against GitHub with a new email address. What I did was follow the steps below to solve the issue.
Azure pipeline
```yaml
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
trigger:
- none

# Self-hosted or VM scale set agent pool. The install step below assumes Linux agents
# (PowerShell@2 runs under pwsh there); on Windows agents download codeql-bundle-win64.tar.gz instead.
pool: <POOL_NAME>

steps:
- task: PowerShell@2
  displayName: Install CodeQL bundle
  inputs:
    targetType: 'inline'
    script: |
      "[*] Define variables"
      $agentToolDirectory = $env:AGENT_TOOLSDIRECTORY
      $codeqlDirectory = Join-Path -Path $agentToolDirectory -ChildPath "CodeQL"
      $codeqlReleaseBundleTag = "codeql-bundle-v2.15.1" # Change this to the desired release tag
      # The AdvancedSecurity-Codeql-* tasks resolve CodeQL from the agent tool cache at
      # <tools dir>/CodeQL/0.0.0-<tag>/x64 and only treat it as installed when the
      # x64.complete marker file exists next to that directory
      $codeqlVersionedDirectory = Join-Path -Path $codeqlDirectory -ChildPath "0.0.0-$codeqlReleaseBundleTag/x64"
      $completeFilePath = Join-Path -Path $codeqlDirectory -ChildPath "0.0.0-$codeqlReleaseBundleTag/x64.complete"
      "[*] Step 1: Download the pinned CodeQL release bundle from GitHub"
      $codeqlReleaseUrl = "https://github.com/github/codeql-action/releases/download/$codeqlReleaseBundleTag/codeql-bundle-linux64.tar.gz"
      $codeqlBundleTarGzPath = Join-Path -Path $agentToolDirectory -ChildPath "codeql-bundle.tar.gz"
      Invoke-WebRequest -Uri $codeqlReleaseUrl -OutFile $codeqlBundleTarGzPath
      "[*] Step 2: Extract the bundle (the archive unpacks to a codeql/ directory inside x64)"
      New-Item -Path $codeqlVersionedDirectory -ItemType Directory -Force | Out-Null
      tar -xvzf $codeqlBundleTarGzPath -C $codeqlVersionedDirectory
      "[*] Step 3: Create the empty x64.complete marker file"
      New-Item -Path $completeFilePath -ItemType File -Force | Out-Null
      "[*] Cleanup: Remove the downloaded tarball"
      Remove-Item -Path $codeqlBundleTarGzPath
- task: AdvancedSecurity-Codeql-Init@1
  displayName: GHAzDo codeql init
  inputs:
    languages: "csharp"
#- task: AdvancedSecurity-Codeql-Autobuild@1
#  displayName: GHAzDo codeql auto build
# Autobuild may fail to build compiled languages such as cpp, java, csharp or swift.
# If it does not build your project, replace the Autobuild task with your own build
# steps placed between the Init and Analyze tasks (this pipeline does exactly that
# with the UseDotNet@2 and DotNetCoreCLI@2 tasks below). E.g., for a Maven app:
# - task: Maven@4
#   inputs:
#     mavenPomFile: 'pom.xml'
#     publishJUnitResults: true
#     testResultsFiles: '**/TEST-*.xml'
#     javaHomeOption: 'JDKVersion'
#     jdkVersionOption: '1.17'
#     mavenVersionOption: 'Default'
# Or a general script:
# - script: |
#     echo "Run, Build Application using script"
#     ./location_of_script_within_repo/buildscript.sh
- task: UseDotNet@2
  displayName: 'Use .NET SDK 8.0.x' # must match the project's target framework (net8.0 above)
  inputs:
    packageType: 'sdk'
    version: '8.0.x'
- task: DotNetCoreCLI@2
  displayName: Build .NET web app
  inputs:
    command: 'build'
    projects: '**/*.csproj'
- task: AdvancedSecurity-Dependency-Scanning@1 # More details on this task: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/advanced-security-dependency-scanning-v1?view=azure-pipelines
  displayName: GHAzDo dependency scanning
- task: AdvancedSecurity-Codeql-Analyze@1 # More details on this task: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/advanced-security-codeql-analyze-v1?view=azure-pipelines
  displayName: GHAzDo codeql analyze
```
Cloud init script
```yaml
#cloud-config
# Update all packages on first boot
package_update: true
package_upgrade: true

# Install basic packages
packages:
  - htop
  - git
  - curl

# Not needed here because the AADSSHLoginForLinux extension handles SSH login.
# Create a default user and set up SSH keys:
# users:
#   - default
#   - name: <username>
#     sudo: ['ALL=(ALL) NOPASSWD:ALL']
#     groups: sudo
#     shell: /bin/bash
#     ssh-authorized-keys:
#       - <your-ssh-public-key>

# Run custom commands. cloud-init writes the runcmd items into one shell script that
# runs as root, so the variables below carry over between items and the sudo prefixes
# are redundant (kept as in the original).
runcmd:
  # Install Azure CLI
  - curl -sL https://aka.ms/InstallAzureCLIDeb | bash
  # CodeQL installation into the agent tool cache. The Azure Pipelines VM scale set
  # extension installs the Linux agent under /agent, so its tool cache is /agent/_work/_tool;
  # the layout (0.0.0-<tag>/x64 plus an x64.complete marker) is what the GHAzDo CodeQL tasks look for.
  - codeqlReleaseBundleTag="codeql-bundle-v2.15.1"
  - agentToolDirectory="/agent/_work/_tool"
  - codeqlDirectory="$agentToolDirectory/CodeQL"
  - codeqlVersionedDirectory="$codeqlDirectory/0.0.0-$codeqlReleaseBundleTag/x64"
  - codeqlBundleTarGzPath="$agentToolDirectory/codeql-bundle.tar.gz"
  - codeqlReleaseUrl="https://github.com/github/codeql-action/releases/download/$codeqlReleaseBundleTag/codeql-bundle-linux64.tar.gz"
  - sudo mkdir -p $codeqlVersionedDirectory
  # wget ships with the Ubuntu cloud images, so it is available before it is installed explicitly below
  - sudo wget $codeqlReleaseUrl -O $codeqlBundleTarGzPath
  - sudo tar -xvzf $codeqlBundleTarGzPath -C $codeqlVersionedDirectory
  - sudo touch $codeqlDirectory/0.0.0-$codeqlReleaseBundleTag/x64.complete
  # Remove the tarball so it does not linger in the tool cache
  - sudo rm -f $codeqlBundleTarGzPath
  # Install Docker (apt-key is deprecated on Ubuntu 22.04 and prints a warning, but still works)
  - apt-get update
  - apt-get install -y apt-transport-https ca-certificates curl software-properties-common
  - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
  - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
  - apt-get update
  - apt-get install -y docker-ce docker-ce-cli containerd.io
  # Enable Docker BuildKit
  - echo '{"features":{"buildkit":true}}' > /etc/docker/daemon.json
  - systemctl restart docker
  # Install Docker Compose
  - apt-get install -y docker-compose
  # Install PowerShell Core (the packages-microsoft-prod.deb below matches Ubuntu 22.04; change it for other releases)
  - apt-get install -y wget
  - wget -q "https://packages.microsoft.com/config/ubuntu/22.04/packages-microsoft-prod.deb"
  - dpkg -i packages-microsoft-prod.deb
  - apt-get update
  - apt-get install -y powershell
```
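Both the pipeline step and the cloud-init script above perform the same install by hand. As an added example, not code from this page or from the GHAzDo tasks, the following bash script factors that install into reusable functions: it derives the release URL and the tool-cache paths from the bundle tag, installs only when the cache entry is missing or incomplete, proves the extracted launcher runs before writing the x64.complete marker (so a half-extracted bundle is never picked up as complete by a later run), and exposes a `codeql_cache_ready` check you can run on an agent to confirm the layout the tasks look for. The function names and the tarball file name are my own; the directory layout and URL pattern come from the page.

```bash
#!/usr/bin/env bash
# Added example (not the page's pipeline or cloud-init code): install a pinned
# CodeQL bundle into the Azure Pipelines agent tool cache in the layout the
# AdvancedSecurity-Codeql-* tasks look for, and check the result.
#
# Expected layout (as described on the page):
#   <tools dir>/CodeQL/0.0.0-<bundle tag>/x64/codeql/codeql   launcher inside the extracted bundle
#   <tools dir>/CodeQL/0.0.0-<bundle tag>/x64.complete        marker the tool cache requires

# Versioned tool directory for a bundle tag.  $1 = tools dir, $2 = bundle tag
codeql_versioned_dir() {
  printf '%s/CodeQL/0.0.0-%s/x64\n' "$1" "$2"
}

# Marker file the tool-cache lookup requires.  $1 = tools dir, $2 = bundle tag
codeql_complete_marker() {
  printf '%s/CodeQL/0.0.0-%s/x64.complete\n' "$1" "$2"
}

# Release asset URL.  $1 = bundle tag, $2 = platform (linux64, osx64 or win64)
codeql_bundle_url() {
  case "$2" in
    linux64|osx64|win64) ;;
    *) echo "unsupported platform: $2" >&2; return 1 ;;
  esac
  printf 'https://github.com/github/codeql-action/releases/download/%s/codeql-bundle-%s.tar.gz\n' "$1" "$2"
}

# Succeeds only when the cache entry is usable: the launcher is present and
# executable and the x64.complete marker exists.  $1 = tools dir, $2 = bundle tag
codeql_cache_ready() {
  local dir marker
  dir=$(codeql_versioned_dir "$1" "$2")
  marker=$(codeql_complete_marker "$1" "$2")
  [ -x "$dir/codeql/codeql" ] && [ -f "$marker" ]
}

# Download and extract the bundle unless a complete install is already cached.
# $1 = tools dir, $2 = bundle tag, $3 = platform.  Needs network access.
codeql_install() {
  local dir marker url tarball
  dir=$(codeql_versioned_dir "$1" "$2")
  marker=$(codeql_complete_marker "$1" "$2")
  url=$(codeql_bundle_url "$2" "$3") || return 1
  tarball="$1/codeql-bundle-$2-$3.tar.gz"   # hypothetical name, kept outside the CodeQL dir
  if codeql_cache_ready "$1" "$2"; then
    echo "CodeQL $2 already installed in $dir"
    return 0
  fi
  mkdir -p "$dir"
  # --fail: an HTTP error page must not be saved as the tarball; -L follows GitHub's redirect
  curl --fail -sSL -o "$tarball" "$url" || return 1
  tar -xzf "$tarball" -C "$dir" || return 1
  rm -f "$tarball"
  # Write the marker last, and only after the launcher has actually run
  "$dir/codeql/codeql" version --format=terse >/dev/null || return 1
  : > "$marker"
  codeql_cache_ready "$1" "$2"
}

# Usage on an agent (hypothetical invocation):
#   codeql_install "$AGENT_TOOLSDIRECTORY" codeql-bundle-v2.15.1 linux64
#   codeql_cache_ready "$AGENT_TOOLSDIRECTORY" codeql-bundle-v2.15.1 && echo ready
```

Run `codeql_cache_ready` as a first pipeline step to skip the download when the VM image already carries the bundle, and keep the install and marker steps in this order: the GHAzDo tasks trust the marker file, so it must never exist before the bundle underneath it is usable.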
References:
Configure GitHub Advanced Security for Azure DevOps