CodeQL CLI with Jenkins #12451
-
|
It is possible to integrate CodeQL CLI with jenkins? would we need a license? We are tying to use our existing build processes in Jenkins and don't want to have to re-create them if the CLI can be used outside of github actions. |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 3 replies
-
|
Yes, you can use the CodeQL CLI with Jenkins. To use CodeQL on closed source software you need a GitHub Advanced Security license. With an Advanced Security license you can analyse any GitHub repository with any CI/CD system you like, including Jenkins. Best contact the sales team for the exact terms and conditions of the license. For use of CodeQL on open source code see the license at https://github.com/github/codeql-cli-binaries/blob/main/LICENSE.md . For use with automated CI/CD systems such as Jenkins the analysed source code needs to be hosted on GitHub, but otherwise there shouldn't be any additional restrictions. If you analyse things locally then it does not matter where the open source code is hosted. |
Beta Was this translation helpful? Give feedback.
-
|
Is there a setup page on GitHub to integrate CodeQL CLI with jenkins? |
Beta Was this translation helpful? Give feedback.
-
|
I don't know if there are any Jenkins specific instructions available. A quick search pointed me to this blogpost which might be a good starting point: https://github.blog/2022-09-28-best-practices-on-rolling-out-code-scanning-at-enterprise-scale/ The GitHub Codescanning UI ingests alert data in SARIF format through a REST API. It does not matter where the SARIF data comes from. It could be from Actions, Jenkins, your local machine, etc. The SARIF data could be produced by CodeQL or any other static analysis tool that is able to export its results in SARIF format. Using the Codescanning REST API directly is a bit fiddly, therefore we recommend using The simplest way to run CodeQL on Jenkins and upload results would be to download and install CodeQL on your Jenkins runners and running the following commands:
This approach probably does not work for more complex build pipelines where the build consists of separate steps. In such cases you might need "indirect build tracing" to wrap your build steps between an "initialize CodeQL" and a "CodeQL analyze" step , similar to the |
Beta Was this translation helpful? Give feedback.
-
|
How does GitHub know if we have a license for the CLI tool? does it get tied to the access token? |
Beta Was this translation helpful? Give feedback.
-
|
GitHub Advanced Security includes a collection of security related products such as Code scanning, Secret scanning, CodeQL, etc. GitHub checks that a repository has Advanced Security enabled when you upload results. The CodeQL CLI itself does not check the license. If you are using the CodeQL CLI standalone, then it is up to you to validate that your usage is permitted by the license. |
Beta Was this translation helpful? Give feedback.
Yes, you can use the CodeQL CLI with Jenkins. To use CodeQL on closed source software you need a GitHub Advanced Security license. With an Advanced Security license you can analyse any GitHub repository with any CI/CD system you like, including Jenkins. Best contact the sales team for the exact terms and conditions of the license.
For use of CodeQL on open source code see the license at https://github.com/github/codeql-cli-binaries/blob/main/LICENSE.md . For use with automated CI/CD systems such as Jenkins the analysed source code needs to be hosted on GitHub, but otherwise there shouldn't be any additional restrictions. If you analyse things locally then it does not matter where the open…