Github Advanced Security for Azure DevOps : CodeQL analyzer not working

Question

Anyone has any experience with «GitHub Advanced Security for Azure DevOps»?

https://learn.microsoft.com/en-us/azure/devops/repos/security/configure-github-advanced-security-features?view=azure-devops&tabs=yaml

I configured everything as described. But I can't get the «Perform CodeQL analysis» working. and it's failing all the time for a simple hello world .net 6 c# app. I tried with existing with existing c#-repo, and created a new repo, but still getting the same error.

The «Dependency scanning» on the other hand works as expected on the c#-repo. So the configuration isn't that wrong...

So: anyone any idea? Or got that thing up and running? Or has a example repo which should trigger the alerts?

Any help is appreciated!

Answer 1

Find an example repo here: ghas-demo designed for GitHub workflows. However, it also applies to Azure DevOps.

Just import the repo to DevOps, then create a Yaml pipeline by following the steps mentioned in Configure GitHub Advanced Security for Azure DevOps

For example:

pool:
  vmImage: ubuntu-latest

steps:

- task: AdvancedSecurity-Codeql-Init@1
  inputs:
    languages: 'java'

- task: AdvancedSecurity-Codeql-Autobuild@1

- task: AdvancedSecurity-Dependency-Scanning@1

- task: AdvancedSecurity-Codeql-Analyze@1

Check for the alerts after the pipeline completion.

Answer 2

csharp-security-extended.qls is not a .ql file, .qls file, a directory, or a query pack specification.

For self hosted machines, ensure that you follow the steps here to install the CodeQL bundle. If you happened to just install the CodeQL CLI without the bundle then the query packs are not downloaded/installed. Otherwise, make sure the build service account has Read / Write / Execute permissions to this folder.