Running pre-commit hooks with CodeQL/GHAS SAST scans?
Question

I'm just getting started with CodeQL, and we have a requirement from our devs to run CodeQL SAST scans as pre-commit hooks. I could not find any docs on how to set up CodeQL to make it run on my machine.

Additional context (to answer questions below):

  1. Devs will not have CodeQL installed on their laptops (Windows and Mac).
  2. I would like to also automate the installation of the CodeQL CLI.
  3. Reading the docs, it looks like I also need a CodeQL database; can that setup be automated?

In essence, I would like to make the install "almost" transparent to the devs, with minimal effort needed on their side.

Answer 1

Score: 1


Similar to your other question, this is probably not possible (but if in doubt, contact GitHub Enterprise support).

A few potential issues:

  • The CodeQL license only allows usage for open source projects and academic research; for commercial use, contact the GitHub sales team.
  • CodeQL analysis is performed on a CodeQL database created for the project. That database is created by building the complete project or parts of it, and this has to be repeated for every change you make to your project. Incremental creation of databases is currently not possible. Typically this is also slower than a normal build of the project without CodeQL.
    The time needed to create a database is probably unacceptable for usage as a pre-commit hook.
  • CodeQL analysis is performed for the complete database, even if you only changed a few lines in your project. There is research happening to support incremental analysis, but this is currently not available yet.
    The time needed to perform a full analysis of the database is therefore probably also unacceptable for usage as a pre-commit hook.
  • CodeQL CLI binaries are currently only published on GitHub and as a GitHub workflow action. They are (to my knowledge) not published to any Linux package repositories or similar, so you would have to handle installation and updating of the CodeQL CLI yourself.

If you are creating an open source project on GitHub, or if your company is using GitHub for development, then it would be easiest to set up code scanning with CodeQL instead of trying to set up something locally.
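The steps the answer describes, assembled into a git pre-commit hook as an added example (not code from the question, the answer, or GitHub's own documentation), so that the per-commit cost of a full database build plus full analysis can be measured on a real repository instead of estimated. Everything not on the page is an assumption: the bundle asset names are the ones published under the codeql-action releases, the project language comes from `CODEQL_LANG` (default `javascript`), `codeql database create` is expected to autobuild the project for that language, and `curl`, `tar` and `grep` are on `PATH`.

```shell
#!/bin/sh
# Added example, not from the original post: a git pre-commit hook that does
# what the answer describes on every commit, so the cost can be measured:
#   1. fetch the CodeQL CLI bundle into a cache directory if it is missing,
#   2. build a fresh CodeQL database for the whole checkout (no incremental mode),
#   3. analyze the whole database with the default query suite for the language,
#   4. block the commit if the SARIF report contains any result.
# Assumptions (not stated on the page): the bundle asset names below are the
# ones published at https://github.com/github/codeql-action/releases, the
# project language is given in CODEQL_LANG, `codeql database create` can
# autobuild the project for that language, and curl, tar and grep are on PATH.
set -eu

CODEQL_HOME="${CODEQL_HOME:-$HOME/.cache/codeql-hook}"
CODEQL_LANG="${CODEQL_LANG:-javascript}"
CODEQL_BUNDLE_BASE="${CODEQL_BUNDLE_BASE:-https://github.com/github/codeql-action/releases/latest/download}"

# Map `uname -s` output to the bundle asset name for this platform
# (assumed asset names; the devs in the question are on Windows and Mac).
bundle_asset_for() {
  case "$1" in
    Linux)                 echo "codeql-bundle-linux64.tar.gz" ;;
    Darwin)                echo "codeql-bundle-osx64.tar.gz" ;;
    MINGW*|MSYS*|CYGWIN*)  echo "codeql-bundle-win64.tar.gz" ;;
    *) echo "pre-commit: unsupported platform '$1'" >&2; return 1 ;;
  esac
}

# Download and unpack the CLI bundle once; later commits reuse the cached copy.
ensure_codeql() {
  if [ -x "$CODEQL_HOME/codeql/codeql" ]; then
    return 0
  fi
  asset="$(bundle_asset_for "$(uname -s)")"
  mkdir -p "$CODEQL_HOME"
  echo "pre-commit: downloading $asset into $CODEQL_HOME" >&2
  curl -fsSL "$CODEQL_BUNDLE_BASE/$asset" -o "$CODEQL_HOME/$asset"
  tar -xzf "$CODEQL_HOME/$asset" -C "$CODEQL_HOME"   # unpacks to $CODEQL_HOME/codeql/
}

# Count SARIF results without jq: every result object carries a "ruleId" key,
# while rule definitions under tool.driver.rules use "id", so this counts results only.
sarif_result_count() {
  grep -o '"ruleId"' "$1" | wc -l | tr -d ' '
}

# Rebuild the database and analyze it from scratch; report how long that took.
scan() {
  codeql="$CODEQL_HOME/codeql/codeql"
  workdir="$(mktemp -d)"
  started="$(date +%s)"
  "$codeql" database create "$workdir/db" --language="$CODEQL_LANG" --source-root=. --overwrite
  "$codeql" database analyze "$workdir/db" --format=sarif-latest --output="$workdir/results.sarif"
  n="$(sarif_result_count "$workdir/results.sarif")"
  echo "pre-commit: CodeQL finished in $(( $(date +%s) - started ))s with $n result(s)" >&2
  if [ "$n" -ne 0 ]; then
    echo "pre-commit: commit blocked, see $workdir/results.sarif" >&2
    return 1
  fi
  rm -rf "$workdir"
}

main() {
  ensure_codeql
  scan
}

# Install with: cp codeql-pre-commit.sh .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
# git invokes the hook by that path, so only then does the scan run; when the file is
# run or sourced under any other name, just the functions above are defined.
case "${0##*/}" in
  pre-commit) main ;;
esac
```

The timing line printed on every commit is the point of the exercise: because `database create` has no incremental mode and `database analyze` covers the whole database, the number it prints is the full build-plus-analysis time the answer warns about, and it is the same whether the commit touched one line or a thousand. If that number is acceptable for your repository, the hook works as-is; if it is not, the answer's suggestion of code scanning in GitHub is the practical route.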

Posted by huangapple on 2023-05-26 00:24:23
  • Please keep this link when reposting: https://go.coder-hub.com/76334423.html