Automation to check and block the build if there are high and critical issues

[karthikboncheruuvu]

Select Topic Area

Question

Body

HI All,

As part of DevSecOps, we were trying to implement build action where if there are any critical and high issues in codebase Build should fail and trigger a mail to end user.

As part of that, i tried the below action file.

'''''''''''''''''''''''''''''''''''''''''''''''
name: "CodeQL"

on:
push:
branches: [ "master" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "master" ]
schedule:
- cron: '45 17 * * 4'

jobs:
analyze:
name: Analyze
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
permissions:
actions: read
contents: read
security-events: write

strategy:
  fail-fast: false
  matrix:
    language: [ 'javascript' ]
    # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
    # Use only 'java' to analyze code written in Java, Kotlin or both
    # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
    # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

steps:
- name: Checkout repository
  uses: actions/checkout@v3

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
  uses: github/codeql-action/init@v2
  with:
    languages: ${{ matrix.language }}
    # If you wish to specify custom queries, you can do so here or in a config file.
    # By default, queries listed here will override any specified in a config file.
    # Prefix the list here with "+" to use these queries and those in the config file.

    # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
    queries: security-extended,security-and-quality


# Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
  uses: github/codeql-action/autobuild@v2

# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

#   If the Autobuild fails above, remove it and uncomment the following three lines.
#   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.

# - run: |
#     echo "Run, Build Application using script"
#     ./location_of_script_within_repo/buildscript.sh

- name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@v2
  with:
    category: "/language:${{matrix.language}}"
    
    
- name: Check Vulnerabilities
  id: vulnerabilities
  run: |
    echo "check 1"
    results=$(codeql bqrs decode --format=csv javascript.sarif | awk -F',' '{if($3 == "High" || $3 == "Critical") print}')
    echo "check 2"
    if [ -n "$results" ]; then
      echo "name=has_vulnerabilities::true" >> $GITHUB_STATE
      echo "$results"
    else
      echo "name=has_vulnerabilities::false" >> $GITHUB_STATE
    fi


- name: Check Dependency Issues
  id: dependency_issues
  run: |
    results=$(codeql bqrs decode --format=csv javascript.sarif | awk -F',' '{if($3 == "High" || $3 == "Critical") print}')
    if [ -n "$results" ]; then
      echo "name=has_dependency_issues::true" >> $GITHUB_STATE
      echo "$results"
    else
      echo "name=has_dependency_issues::false" >> $GITHUB_STATE
    fi


- name: Check Secret Issues
  id: secret_issues
  run: |
    results=$(codeql bqrs decode --format=csv javascript.sarif | awk -F',' '{if($3 == "Secret") print}')
    if [ -n "$results" ]; then
      echo "name=has_secret_issues::true" >> $GITHUB_STATE
      echo "$results"
    else
      echo "name=has_secret_issues::false" >> $GITHUB_STATE
    fi


- name: Send Email on Issues
  uses: dawidd6/action-send-mail@v3
  with:
    server_address: XXXXXXx
    server_port: 587
    username: XXXXXX
    password: XXXXXX
    subject: Alert | Code Issues and Secrets Found | ${{ github.event.repository.name }}
    from: XXXXXXXXX
    to: XXXXXXXXX
    body: |
      Hi,


      The following repo has Code issues, dependency vulnerabilities and secrets were found in the code during the CodeQL scan.
      Please review and fix them.

      ${{ github.event.repository.name }}



      Best regards,
      GHAS Alert
      


- name: Fail Build on Issues
  if: steps.vulnerabilities.outputs.has_vulnerabilities == 'true' || steps.dependency_issues.outputs.has_dependency_issues == 'true' || steps.secret_issues.outputs.has_secret_issues == 'true'
  run: exit 1

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

on running above action.yml file, we are getting below error:
/home/runner/work/_temp/5f8d03e3-a8ff-49ed-b4d5-475ff9f6e90d.sh: line 2: codeql: command not found

and they are verifying the vulns count...

can anyone suggest solution for the same or if possible anyone tried to do the same(kindly provide the .yml file which can perform above action)

[aeisenberg]

The codeql is not on the $PATH by default. You can grab the codeql-path output of the init step and add that value to the GITHUB_PATH. It would look something like this:

First, add an id property to the init step id: init. This is used in the new step below, which needs to go after the init step and before you explicitly run any codeql commands.

- name: Put CodeQL on the path
  env:
    CODEQL_PATH: '${{ steps.init.codeql-path }}'
  run: |
    echo "$CODEQL_PATH" >> $GITHUB_PATH

[karthikboncheruuvu]

HI @aeisenberg ,
Thanks for reply..

i tried the below..

Initializes the CodeQL tools for scanning.

- name: Initialize CodeQL
  id: init
  uses: github/codeql-action/init@v2
  with:
    languages: ${{ matrix.language }}
    # If you wish to specify custom queries, you can do so here or in a config file.
    # By default, queries listed here will override any specified in a config file.
    # Prefix the list here with "+" to use these queries and those in the config file.

    # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
    queries: security-extended,security-and-quality
    
- name: Put CodeQL on the path
  env:
   CODEQL_PATH: '${{ steps.init.codeql-path }}'
  run: |
   echo "$CODEQL_PATH" >> $GITHUB_PATH
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
  uses: github/codeql-action/autobuild@v2

# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

#   If the Autobuild fails above, remove it and uncomment the following three lines.
#   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.

# - run: |
#     echo "Run, Build Application using script"
#     ./location_of_script_within_repo/buildscript.sh

- name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@v2
  with:
    category: "/language:${{matrix.language}}"
    
    
- name: Check Vulnerabilities
  id: vulnerabilities
  run: |
    echo "check 1"
    results=$(CODEQL_PATH bqrs decode --format=csv javascript.sarif | awk -F',' '{if($3 == "High" || $3 == "Critical") print}')
    echo "check 2"
    if [ -n "$results" ]; then
      echo "name=has_vulnerabilities::true" >> $GITHUB_STATE
      echo "$results"
    else
      echo "name=has_vulnerabilities::false" >> $GITHUB_STATE
    fi

even now its the same error..let me know if i missed anything..
/home/runner/work/_temp/a80d46f1-2b3e-4f3c-9940-058ebff4d0d0.sh: line 1: CODEQL_PATH: command not found

[aeisenberg]

Can you add a line Put CodeQL on the path step:

echo $CODEQL_PATH

I may have given you incomplete information. It might be that codeql-path is the full path to the executable, but $GITHUB_PATH expects a directory. Please verify, but you may need to change echo "$CODEQL_PATH" >> $GITHUB_PATH to echo "$CODEQL_PATH" >> $GITHUB_PATH to dirname "$CODEQL_PATH" >> $GITHUB_PATH.

[karthikboncheruuvu]

was the below expected...sorry i am bad at codeql coding..

• name: Put CodeQL on the path
  echo $CODEQL_PATH
  env:
  CODEQL_PATH: '${{ steps.init.codeql-path }}'

  run: |
  echo dirname "$CODEQL_PATH" >> $GITHUB_PATH

  it didnot give output
  

[aeisenberg]

It's hard to tell what you actually wrote since whitespace and formatting are important here. In the future, please use three backticks to delineate fenced code blocks.

This is what I was suggesting:

- name: Put CodeQL on the path
  env:
   CODEQL_PATH: '${{ steps.init.codeql-path }}'
  run: |
   echo "Path to executable: $CODEQL_PATH"
   dirname "$CODEQL_PATH" >> $GITHUB_PATH

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬