-
Notifications
You must be signed in to change notification settings - Fork 16
feat(codeql): add CodeQL enablement check as a dedicated extension #876
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from all commits
adb5b35
2eea6ef
67e8afb
88d7d8a
0ec5589
dcf43ce
828605a
5058a66
bd2707d
522c5a5
28f8d97
c31f615
c7d8eef
bb92746
e0a5841
e09c4c1
365c4f5
34f0a4c
f7a9641
33a13a7
4722c6c
bf8e460
eb70e47
68e9326
0d2d53a
ad731fd
c8e64ba
c74b893
1fdbf25
ec1260a
e728ff4
3eac408
fdf6931
8d883a8
375b054
490b53f
20bad69
e5bb00b
4d06010
77742ce
dc1c7ed
29b723e
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -516,6 +516,41 @@ extensions_cfg: | |
| # - warning: skip processing and log a warning message (default) | ||
| on_unsupported: warning | ||
|
|
||
| # @param extensions_cfg.codeql worker which checks whether GitHub Advanced Security CodeQL is | ||
| # enabled for each OCM source artefact and creates findings for languages that are configured but | ||
| # not actively scanned | ||
| codeql: | ||
| # @param extensions_cfg.codeql.enabled allows disabling of extension without removing its | ||
| # configuration | ||
| enabled: true | ||
| # @param extensions_cfg.codeql.delivery_service_url url to access the delivery-service (cluster | ||
| # internal url is sufficient) | ||
| # e.g. | ||
| # delivery_service_url: http://delivery-service.<namespace>.svc.cluster.local:8080 | ||
| delivery_service_url: "" | ||
| # @param extensions_cfg.codeql.interval time (in seconds) after which a component should be | ||
| # re-checked the latest | ||
| interval: 86400 # 24h | ||
| # @param extensions_cfg.codeql.languages list of programming languages to check CodeQL coverage | ||
| # for. A finding is emitted for each language that is present in the repository but not actively | ||
| # scanned by CodeQL. Use the language names as returned by the GitHub repository languages API | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. please add a link to github-api docs to make it easier for consumers to check allowed values
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
why do we need an explicit user-managed list of relevant languages at all?
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The languages config list exists because CodeQL does not support all programming languages. For example, a repository may contain YAML, Dockerfile, or Shell - all of which would appear in the GitHub Instead, operators configure the languages their organisation requires SAST coverage for once, e.g.: The extension then only creates findings for those languages. The
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. from end-user perspective, wouldn't I by default rather want to have all CodeQL findings and optionally exclude languages? I am afraid that with the current approach someone performs a one time assessment of used languages, configures them for the entire extension, and repository adapting new languages will not be covered. wdyt?
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. hmm, actually excluding those languages make a lot of sense. good catch, i'll adjust the code. |
||
| # (e.g. 'go', 'python', 'javascript'). The extension automatically handles CodeQL-specific | ||
| # language identifiers (e.g. maps 'javascript-typescript' back to 'javascript'). | ||
| # e.g. | ||
| # languages: | ||
| # - go | ||
| # - python | ||
| # - javascript | ||
| languages: | ||
| - "" | ||
| # @param extensions_cfg.codeql.on_unsupported behaviour in case the detected artefact | ||
| # kind/type/access is not supported | ||
| # options: | ||
| # - fail: raise an exception | ||
| # - ignore: skip processing | ||
| # - warning: skip processing and log a warning message (default) | ||
| on_unsupported: warning | ||
|
|
||
| # @param extensions_cfg.issue_replicator worker which takes care of the GitHub issue lifecycle for | ||
| # detected findings | ||
| issue_replicator: | ||
|
|
@@ -1163,6 +1198,7 @@ features_cfg: | |
| findings: | ||
| # @param findings[].type type of finding this configuration is used for | ||
| # options: | ||
| # - finding/codeql | ||
| # - finding/crypto | ||
| # - finding/diki | ||
| # - finding/falco | ||
|
|
@@ -1543,6 +1579,7 @@ profiles: | |
| # @param profiles[].finding_types list of finding types which should be displayed for users who | ||
| # selected this profile in the delivery-dashboard | ||
| # options: | ||
| # - finding/codeql | ||
| # - finding/crypto | ||
| # - finding/diki | ||
| # - finding/falco | ||
|
|
||
|
8R0WNI3 marked this conversation as resolved.
|
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| apiVersion: v2 | ||
| name: codeql | ||
| version: 0.1.0 |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,111 @@ | ||
| {{- $podName := "codeql" }} | ||
|
|
||
| apiVersion: apps/v1 | ||
| kind: Deployment | ||
| metadata: | ||
| name: {{ $podName }} | ||
| namespace: {{ .Values.target_namespace | default .Release.Namespace }} | ||
| {{- if default dict (.Values.deployment).annotations }} | ||
| annotations: | ||
| {{- range $annotation, $value := .Values.deployment.annotations }} | ||
| {{ $annotation }}: {{ $value }} | ||
| {{- end }} | ||
| {{- end }} | ||
| spec: | ||
| replicas: 0 # will be scaled automatically by backlog-controller | ||
| selector: | ||
| matchLabels: | ||
| app: {{ $podName }} | ||
| delivery-gear.gardener.cloud/service: codeql | ||
| template: | ||
| metadata: | ||
| labels: | ||
| app: {{ $podName }} | ||
| delivery-gear.gardener.cloud/service: codeql | ||
| spec: | ||
| topologySpreadConstraints: | ||
| - maxSkew: 1 | ||
| topologyKey: kubernetes.io/hostname | ||
| whenUnsatisfiable: ScheduleAnyway | ||
| labelSelector: | ||
| matchLabels: | ||
| app: {{ $podName }} | ||
| terminationGracePeriodSeconds: 300 # 5 min | ||
| containers: | ||
| - name: {{ $podName }} | ||
| image: {{ include "image" .Values.global.image }} | ||
| imagePullPolicy: IfNotPresent | ||
| command: | ||
| - python3 | ||
| - -m | ||
| - codeql | ||
| securityContext: | ||
| allowPrivilegeEscalation: false | ||
| env: | ||
| - name: SECRET_FACTORY_PATH | ||
| value: /secrets | ||
| - name: EXTENSIONS_CFG_PATH | ||
| value: /extensions_cfg/extensions_cfg | ||
| - name: FINDINGS_CFG_PATH | ||
| value: /findings_cfg/findings_cfg | ||
| - name: OCM_REPO_MAPPINGS_PATH | ||
| value: /ocm_repo_mappings/ocm_repo_mappings | ||
| - name: K8S_TARGET_NAMESPACE | ||
| value: {{ .Values.target_namespace | default .Release.Namespace }} | ||
| volumeMounts: | ||
| - name: github | ||
| mountPath: /secrets/github | ||
| - name: github-app | ||
| mountPath: /secrets/github-app | ||
| - name: extensions-cfg | ||
| mountPath: /extensions_cfg | ||
| - name: findings-cfg | ||
| mountPath: /findings_cfg | ||
| - name: ocm-repo-mappings | ||
| mountPath: /ocm_repo_mappings | ||
| readOnly: true | ||
| lifecycle: | ||
| preStop: | ||
| exec: | ||
| command: | ||
| - sleep | ||
| - "60" | ||
| resources: | ||
| requests: | ||
| memory: 100Mi | ||
| cpu: 250m | ||
| limits: | ||
| memory: 300Mi | ||
| cpu: 500m | ||
| volumes: | ||
| - name: github | ||
| secret: | ||
| secretName: secret-factory-github | ||
| optional: true | ||
| - name: github-app | ||
| secret: | ||
| secretName: secret-factory-github-app | ||
| optional: true | ||
| - name: extensions-cfg | ||
| configMap: | ||
| name: extensions-cfg | ||
| - name: findings-cfg | ||
| configMap: | ||
| name: findings-cfg | ||
| - name: ocm-repo-mappings | ||
| configMap: | ||
| name: ocm-repo-mappings | ||
| --- | ||
| apiVersion: networking.k8s.io/v1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| name: allow-egress-from-codeql | ||
| namespace: {{ .Values.target_namespace | default .Release.Namespace }} | ||
| spec: | ||
| podSelector: | ||
| matchLabels: | ||
| app: {{ $podName }} | ||
| policyTypes: | ||
| - Egress | ||
| egress: | ||
| - {} # Allows all egress traffic to any destination and port |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
are there also other cases where the extension creates findings, e.g. if codeql is not enabled at all?