Integrating CodeScan with GitHub Actions

Creating a project in CodeScan creates a webhook in your GitHub repository. This webhook triggers on pushes to your tracked branch and on certain pull request actions: pull request opened, reopened, and synchronized.

The pull request triggers keep your comparisons in CodeScan up to date as the pull request is updated.

Running CodeScan SCA jobs from GitHub Workflow

You can now run CodeScan static code analysis (SCA) jobs from a GitHub workflow. The CodeScan action produces a SARIF report file containing the analysis result.

Only a few lines need to be added to your workflow .yml file for CodeScan to be triggered.

First, you'll need to add your CodeScan token as a secret that your .yml file can reference.

  • Open your project and navigate to Repository Settings > Secrets > Add new secret.

  • Add your token with the name codescan_token and check the Secured box. To learn how to generate a token, refer to the token generation guide.

Now you'll be able to reference this secret in your .yml file as ${{ secrets.codescan_token }}, as in the workflow below.

If you do not have a workflow set up on your GitHub repository, go to Actions > New workflow to create a .yml workflow.

Add the following to the .yml file in your workflow:

name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
# Least-privilege token: checkout only needs to read, and the
# upload-sarif step needs security-events: write to publish alerts.
permissions:
  contents: read
  security-events: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Cache files
        uses: actions/cache@v2
        with:
          path: |
            ~/.sonar
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      # Full scan of the tracked branch on every push.
      - name: Run Codescan On Push
        if: github.event_name == 'push'
        uses: codescan-io/codescan-scanner-action@1.5
        with:
          organization: 'Enter organization key here'
          projectKey: 'Enter project key here'
          login: ${{ secrets.codescan_token }}
          generateSarifFile: true
          failOnRedQualityGate: true
      # Pull request scan: only changed files, with the PR branch,
      # base branch and PR number passed through to CodeScan.
      - name: Run Codescan On PR
        if: github.event_name == 'pull_request'
        uses: codescan-io/codescan-scanner-action@1.5
        with:
          organization: 'Enter organization key here'
          projectKey: 'Enter project key here'
          login: ${{ secrets.codescan_token }}
          scanChangedFilesOnly: true
          generateSarifFile: true
          failOnRedQualityGate: true
          args: |
            sonar.pullrequest.branch=${{github.head_ref}}
            sonar.pullrequest.base=${{github.base_ref}}
            sonar.pullrequest.key=${{github.event.number}}
      # Publish the SARIF report so findings appear under the Security tab
      # and as checks on pull requests.
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: codescan.sarif

You will need to replace the placeholder values (in single quotes) in the with: section of each scan step with your Project Key and Organization Key.

The failOnRedQualityGate parameter defaults to false. When set to true, the GitHub Actions pipeline fails if the Quality Gate state changes to red (fails).

The failOnRedQualityGate parameter is available on CodeScan scanner action version 1.4 and later.

The scanChangedFilesOnly parameter defaults to false. When set to true, the scan only takes changed files into account.

The scanChangedFilesOnly parameter only works on a pull request trigger. It is available on CodeScan scanner action version 1.5 and later.

Now you will be able to view the .yml workflow in your repository.

Also check the name of the master branch on both the CodeScan platform and the Git repository, as the new Git update renames the master branch to main.

If the name on the CodeScan platform does not match the Git repository, go to your CodeScan project and navigate to Dashboard > Administration > Branches & Pull Requests > Actions, then change the branch name.

The branch names and comparisons are set by the following parameters:

  • sonar.pullrequest.key: The pull request number

  • sonar.pullrequest.base: The comparison branch for pull request type branches

  • sonar.pullrequest.branch: The name of the branch

The SARIF file uploaded by the .yml workflow lets you get the code analysis reports in two ways:

  1. For files already existing in the repository, results can be found under Code scanning alerts on the Security tab of the GitHub repository.

  2. For new files being uploaded to the repository, you can view the analysis during the pull request on GitHub by clicking on the details:

    • Select the relevant pull request and then click on Details.

    • Once you click on Details, go to Code scanning results > CodeScan.

    • Results are categorized as follows:

      1. Bugs and vulnerabilities are marked as ERRORS.

      2. Major and minor code smells are marked as WARNINGS.

The .yml file lets you run an analysis on the project while linking it to CodeScan.

You can go to the CI workflow under GitHub Actions to view the analysis.
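The mapping above (bugs and vulnerabilities as ERRORS, code smells as WARNINGS) can also be checked locally before the SARIF file reaches GitHub. The script below is an added example, not part of the CodeScan action or its documentation; it assumes codescan.sarif follows the standard SARIF 2.1.0 layout (runs[].results[] with a level of error/warning) and uses a constructed sample report with made-up rule ids and file names.

```python
import json
from collections import Counter

# Constructed sample in the shape of codescan.sarif (not a real CodeScan export).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeScan"}},
        "results": [
            {"ruleId": "sf:SQLInjection", "level": "error",
             "message": {"text": "Unsanitized input reaches a SOQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "classes/AccountCtl.cls"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "sf:UnusedLocalVariable", "level": "warning",
             "message": {"text": "Unused local variable"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "classes/AccountCtl.cls"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def summarize_sarif(sarif_text):
    """Return (counts_by_level, findings) across every run in the report."""
    doc = json.loads(sarif_text)
    counts = Counter()
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF 2.1.0 default when absent
            counts[level] += 1
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append((level, res.get("ruleId", "?"),
                             loc.get("artifactLocation", {}).get("uri", "?"),
                             loc.get("region", {}).get("startLine", 0),
                             res.get("message", {}).get("text", "")))
    return counts, findings


def should_block_merge(counts):
    """Local gate mirroring the page's mapping: any ERROR (bug/vulnerability) blocks."""
    return counts.get("error", 0) > 0


if __name__ == "__main__":
    counts, findings = summarize_sarif(SAMPLE_SARIF)
    print(dict(counts), "block merge:", should_block_merge(counts))
```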
