AdvancedSecurity-Codeql-Init@1 - Advanced Security Initialize CodeQL v1 task

Initializes the CodeQL database in preparation for building.

You must have GitHub Advanced Security for Azure DevOps enabled for the repository being scanned.

Syntax

# Advanced Security Initialize CodeQL v1
# Initializes the CodeQL database in preparation for building.
- task: AdvancedSecurity-Codeql-Init@1
  inputs:
    #enableAutomaticCodeQLInstall: false # boolean. Enable automatic CodeQL detection and installation. Default: false.
    #languages: # 'csharp' | 'cpp' | 'go' | 'java' | 'javascript' | 'python' | 'ruby' | 'swift'. Languages to analyze. 
    #querysuite: 'Select a query suite...' # 'Select a query suite...' | 'code-scanning' | 'security-extended' | 'security-experimental' | 'security-and-quality'. CodeQL Query Suite to use for analysis. Default: Select a query suite....
    #buildtype: 'Manual' # 'Manual' | 'None'. Select build mode (manual vs none). Default: Manual.
  # Advanced
    #ram: # string. Options to control RAM usage in MB. 
    #threads: # string. Use this many threads to evaluate queries. 
    #codeqlpathstoignore: # string. Set a list of paths to exclude in the CodeQL analysis. 
    #codeqlpathstoinclude: # string. Set a list of additional paths to include in the CodeQL analysis. 
    #sourcesfolder: # string. Sets the folder that contains the sources to be analyzed. 
    #loglevel: '_' # '0' | '1' | '2' | '_'. Set the log level for the CodeQL analysis. Default: _.
    #configfilepath: # string. Use this to enable custom query analysis in codeql (path must be absolute). 
    #codeqltoolsdirectory: # string. Set a custom CodeQL tools directory (path must be absolute).

Inputs

enableAutomaticCodeQLInstall - Enable automatic CodeQL detection and installation
boolean. Default value: false.

Selecting this option will set the task to automatically check for CodeQL on the agent. If CodeQL is not correctly configured or at the latest version, the task will automatically install the latest version.


languages - Languages to analyze
string. Allowed values: csharp, cpp, go, java, javascript, python, ruby, swift.

The programming language to analyze. Multiple languages can be separated by a comma.

You can set the language here in the task, or you can specify the language in a pipeline variable named advancedsecurity.codeql.language. If both are set, the value specified in the task takes precedence.


querysuite - CodeQL Query Suite to use for analysis.
string. Allowed values: Select a query suite..., code-scanning, security-extended, security-experimental, security-and-quality. Default value: Select a query suite....

The query suite, i.e. ruleset, used for analysis. You can specify the value here in the task, or you can specify it in a pipeline variable named advancedsecurity.codeql.querysuite. If both are set, the value specified in the task takes precedence. The default value is Select a query suite... which indicates that the query suite must be specified in the advancedsecurity.codeql.querysuite variable.


buildtype - Select build mode (manual vs none)
string. Allowed values: Manual, None. Default value: Manual.

Specify Manual if you want to manually build the project before running the CodeQL analysis. Specify None if you want to run the CodeQL analysis without building the project.

For more information on the different build modes including a comparison on the benefits of each build mode, see CodeQL code scanning for compiled languages. To use autobuild, add the AdvancedSecurity-CodeQL-Autobuild@1 task to your pipeline. For more information, see Code scanning build mode customization.


ram - Options to control RAM usage in MB
string.

Set total amount of RAM the query evaluator should be allowed to use.

You can specify ram here in the task, or you can specify it in a pipeline variable named advancedsecurity.codeql.ram. If both are set, the value specified in the task takes precedence.


threads - Use this many threads to evaluate queries
string.

You can pass 0 to use one thread per core on the machine, or -N to leave N cores unused (except still use at least one thread).

You can specify threads here in the task, or you can specify it in a pipeline variable named advancedsecurity.codeql.threads. If both are set, the value specified in the task takes precedence.


codeqlpathstoignore - Set a list of paths to exclude in the CodeQL analysis
string.

You can provide multiple paths separated by commas. The paths must be relative to the sourcesfolder where CodeQL is running, which defaults to the Build.SourcesDirectory pipeline environment variable. For example, to ignore the $(Build.SourcesDirectory)/donotscan directory, set codeqlpathstoignore: donotscan rather than codeqlpathstoignore: $(Build.SourcesDirectory)/donotscan.

Important

The codeqlpathstoignore setting applies only when you run the CodeQL tasks on an interpreted language (Python, Ruby, and JavaScript/TypeScript).


codeqlpathstoinclude - Set a list of additional paths to include in the CodeQL analysis
string.

You can provide multiple paths separated by commas. The paths must be relative to the sourcesfolder where CodeQL is running, which defaults to the Build.SourcesDirectory pipeline environment variable. For example, to include the $(Build.SourcesDirectory)/app directory, set codeqlpathstoinclude: app rather than codeqlpathstoinclude: $(Build.SourcesDirectory)/app.

Important

The codeqlpathstoinclude setting applies only when you run the CodeQL tasks on an interpreted language (Python, Ruby, and JavaScript/TypeScript).


sourcesfolder - Sets the folder that contains the sources to be analyzed
string.

If you don't provide this value, the default sources folder for the pipeline infrastructure is used (provided by the Build.SourcesDirectory variable).


loglevel - Set the log level for the CodeQL analysis
string. Allowed values: 0 (Warning), 1 (Verbose), 2 (Debug), _ (Default (Warning)). Default value: _.

Specify the level of logging.

You can specify loglevel here in the task, or you can specify it in a pipeline variable named advancedsecurity.codeql.loglevel. If both are set, the value specified in the task takes precedence, unless the default value _ for loglevel in the task is specified. If _ is specified, the value from advancedsecurity.codeql.loglevel is used if available.


configfilepath - Use this to enable custom query analysis in codeql (path must be absolute).
string.

If path is not provided, then codeql analysis will proceed with default queries.


codeqltoolsdirectory - Set a custom CodeQL tools directory (path must be absolute)
string.

If the path is not provided, the default value of $agent_toolsdirectory will be utilized.


Task control options

All tasks have control options in addition to their task inputs. For more information, see Control options and common task properties.

Output variables

None.

Remarks

You must have GitHub Advanced Security for Azure DevOps enabled for the repository being scanned.

Important

This task is supported with Azure Repos Git repositories only.

The pipeline must call the tasks in the following order.

  1. Initialize CodeQL
  2. AutoBuild (or your custom build tasks)
  3. Perform CodeQL analysis

The AutoBuild task is optional and may be replaced with your custom build tasks. Either AutoBuild or your custom build tasks must be run for your project to be analyzed.

Requirements

Requirement Description
Pipeline types YAML, Classic build, Classic release
Runs on Agent, DeploymentGroup
Demands None
Capabilities This task does not satisfy any demands for subsequent tasks in the job.
Command restrictions Any
Settable variables Any
Agent version All supported agent versions.
Task category Build

See also