{"id":2043,"date":"2025-05-20T23:47:00","date_gmt":"2025-05-20T23:47:00","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/05\/20\/one-pipeline-to-rule-them-all-ensuring-codeql-scanning-results-and-dependency-scanning-results-go-to-the-intended-repository\/"},"modified":"2025-05-20T23:47:00","modified_gmt":"2025-05-20T23:47:00","slug":"one-pipeline-to-rule-them-all-ensuring-codeql-scanning-results-and-dependency-scanning-results-go-to-the-intended-repository","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/05\/20\/one-pipeline-to-rule-them-all-ensuring-codeql-scanning-results-and-dependency-scanning-results-go-to-the-intended-repository\/","title":{"rendered":"One Pipeline to Rule Them All: Ensuring CodeQL Scanning Results and Dependency Scanning Results Go to the Intended Repository"},"content":{"rendered":"

\u201cOne Ring to rule them all, One Ring to find them, One Ring to bring them all, and in the darkness bind them.\u201d<\/em>
\n \u2013 J.R.R. Tolkien, The Lord of the Rings<\/em><\/p>\n

In the world of code scanning and dependency scanning, your pipeline is the One Ring<\/strong>\u2014a single definition that can orchestrate scans across multiple repositories. However, much like the One Ring, if misused, it can lead to chaos: publishing results to the unintended repository.<\/p>\n

Fear not, brave developer! This guide will show you how to wield your pipeline wisely<\/strong> so that CodeQL scanning results and Dependency Scanning results are always published to the intended repository.<\/p>\n

The Problem: Results NOT Going to the Intended Repository<\/strong><\/p>\n

Imagine this: your Azure DevOps pipeline resides in one repository (let\u2019s call it the\u00a0PipelineRepo<\/strong>, where the pipeline definition lives), while the source code you want to scan lives in another repository (let\u2019s call it the\u00a0SourceRepo<\/strong>, which contains the code to analyze).<\/p>\n

Without proper configuration, your scan results might end up being published to the\u00a0PipelineRepo<\/strong>\u00a0instead of the\u00a0SourceRepo<\/strong>. This behavior occurs because the AdvancedSecurity-Dependency-Scanning, AdvancedSecurity-Codeql-Analyze, and AdvancedSecurity-Publish (collectively referred to as Advanced Security Build Tasks hereafter) publish the SARIF file with scan results to the repository that triggered the pipeline run (which can be the repository containing the pipeline definition).<\/p>\n

To ensure your results always go to the intended repository, let\u2019s dive into how to configure your pipeline properly.<\/p>\n

The Solution: Use Inferred Publishing (Preferred Method)<\/h2>\n

The recommended way to ensure that CodeQL scanning and dependency scanning results are published to the intended repository is to use\u00a0inferred publishing<\/strong>. By setting the\u00a0advancedsecurity.publish.repository.infer\u00a0pipeline variable to\u00a0true, the Advanced Security Build Tasks will automatically detect the repository based on the current working directory during the pipeline run.<\/p>\n

Example of Inferred Publishing<\/h3>\n

Here\u2019s how to configure your pipeline for inferred publishing:<\/p>\n

trigger:
\n – main<\/p>\n

resources:
\n repositories:
\n # PipelineRepo: The repository containing the pipeline definition.
\n # This is optional and only needed if you plan to reference files or scripts from this repo.
\n – repository: PipelineRepo
\n type: git
\n name: DevOpsPipelineRepo
\n ref: refs\/heads\/main
\n trigger:
\n – main
\n # SourceRepo: The repository where scanning and publishing will occur.
\n – repository: SourceRepo
\n type: git
\n name: code-to-analyze-repo
\n ref: refs\/heads\/main
\n trigger:
\n – main<\/p>\n

jobs:
\n – job: “CodeQLScan”
\n displayName: “CodeQL Scanning with Inferred Publishing”
\n variables:
\n # Enable repository inference
\n advancedsecurity.publish.repository.infer: true
\n steps:
\n # Checkout the SourceRepo
\n – checkout: SourceRepo<\/p>\n

# Initialize CodeQL
\n – task: AdvancedSecurity-Codeql-Init@1
\n displayName: “Initialize CodeQL”
\n inputs:
\n languages: “python,javascript” # Adjust based on repository languages<\/p>\n

# Perform CodeQL analysis
\n – task: AdvancedSecurity-Codeql-Analyze@1
\n displayName: “Analyze Code with CodeQL”<\/p>\n

Handling Errors with Inferred Publishing<\/h2>\n

In some cases, inferred publishing might throw an error if the pipeline cannot determine a valid Git repository in the current working directory. This typically happens in multi-repo scenarios<\/strong>, where multiple repositories are checked out.<\/p>\n

Here\u2019s how to handle it:<\/p>\n

Error Message<\/h3>\n

You might encounter an error like:<\/p>\n

\u201cNo valid Git repository found in the working directory<\/em>.\u201d<\/p>\n

This error occurs because the Advanced Security Build Tasks<\/em> cannot determine which repository to associate the results with.<\/p>\n

Solution: Use\u00a0workspaceRepo: true<\/h3>\n

By default, CodeQL uses the current working directory to determine the repository for publishing results. However, in scenarios where multiple repositories are checked out, this can lead to ambiguity. Setting\u00a0workspaceRepo: true\u00a0explicitly identifies the repository you want to analyze and publish results for.<\/p>\n

Example: Multi-Repo Checkout with workspaceRepo: true<\/h4>\n

trigger:
\n – main<\/p>\n

resources:
\n repositories:
\n # PipelineRepo: The repository containing the pipeline definition.
\n # This is optional and only needed if you plan to reference files or scripts from this repo.
\n – repository: PipelineRepo
\n type: git
\n name: DevOpsPipelineRepo
\n ref: refs\/heads\/main<\/p>\n

# SourceRepo1: The repository where scanning and publishing will occur.
\n – repository: SourceRepo1
\n type: git
\n name: code-to-analyze-repo
\n ref: refs\/heads\/master<\/p>\n

# SourceRepo2: The repository where scanning and publishing will occur.
\n – repository: SourceRepo2
\n type: git
\n name: code-to-analyze-repo
\n ref: refs\/heads\/master<\/p>\n

jobs:
\n # Job 1: CodeQL Scanning for SourceRepo1 with workspaceRepo set to true
\n – job: “CodeQLScanSourceRepo1”
\n displayName: “CodeQL Scanning for Juice Shop”
\n variables:
\n advancedsecurity.publish.repository.infer: true
\n steps:
\n – checkout: SourceRepo1
\n workspaceRepo: true
\n – task: AdvancedSecurity-Codeql-Init@1
\n inputs:
\n languages: “javascript” # Adjust based on SourceRepo1 languages
\n enableAutomaticCodeQLInstall: true
\n – task: AdvancedSecurity-Codeql-Analyze@1
\n displayName: “Analyze Code with CodeQL”<\/p>\n

# Job 2: CodeQL Scanning for SourceRepo2 with workspaceRepo set to true
\n – job: “CodeQLScanSourceRepo2”
\n displayName: “CodeQL Scanning for Benchmark (No Build Mode)”
\n variables:
\n advancedsecurity.publish.repository.infer: true
\n steps:
\n – checkout: SourceRepo2
\n workspaceRepo: true
\n – task: AdvancedSecurity-Codeql-Init@1
\n displayName: Initialize CodeQL
\n inputs:
\n languages: “java” # Adjust based on SourceRepo2 languages
\n buildtype: “none”
\n – task: AdvancedSecurity-Codeql-Analyze@1
\n displayName: Perform CodeQL Analysis<\/p>\n

This configuration ensures that the repository designated with\u00a0workspace: true\u00a0is analyzed and that results are published to the correct repository. For more details, refer to the Azure DevOps multi-repo checkout documentation<\/a> and the checkout step documentation<\/a>.<\/p>\n

This Also Applies to Pipeline Dependency Scanning<\/h2>\n

While this guide focuses on CodeQL static analysis, you can also use inferred publishing for Dependency Scanning<\/strong>, which identifies vulnerabilities in your project\u2019s dependencies.<\/p>\n

Here\u2019s how to configure your pipeline:<\/p>\n

trigger:
\n – main<\/p>\n

resources:
\n repositories:
\n # PipelineRepo: The repository containing the pipeline definition.
\n # This is optional and only needed if you plan to reference files or scripts from this repo.
\n – repository: PipelineRepo
\n type: git
\n name: DevOpsPipelineRepo
\n ref: refs\/heads\/main
\n trigger:
\n – main
\n # SourceRepo: The repository where scanning and publishing will occur.
\n – repository: SourceRepo
\n type: git
\n name: code-to-analyze-repo
\n ref: refs\/heads\/main
\n trigger:
\n – main<\/p>\n

jobs:
\n – job: “DependencyScan”
\n displayName: “Dependency Scanning with Inferred Publishing”
\n variables:
\n # Enable repository inference
\n advancedsecurity.publish.repository.infer: true
\n steps:
\n # Checkout the SourceRepo
\n – checkout: SourceRepo<\/p>\n

# Perform Dependency Scanning
\n – task: AdvancedSecurity-Dependency-Scanning@1
\n displayName: “Analyze Dependencies for Vulnerabilities”<\/p>\n

With dependency scanning, If you want to scope your scan to a specific folder, you can set a pipeline variable\u00a0DependencyScanning.SourcePath\u00a0to any directory file path in the build agent that you want to analyze.<\/p>\n

For more information, see Adjusting your scanning directory with Dependency scanning<\/a>.<\/p>\n

One Pipeline to Rule Them All<\/h2>\n

Inferred publishing is the\u00a0go-to choice<\/strong>, offering a streamlined configuration that minimizes errors and provides clear guidance when challenges arise. By adopting these best practices, you can ensure that CodeQL and Dependency Scanning results are always directed to the intended repository. The ability to seamlessly manage your code scanning workflows is now within your grasp.<\/p>\n

Additional Resources<\/h2>\n

Configure GitHub Advanced Security for Azure DevOps features \u2013 Azure Repos | Microsoft Learn<\/a>
\nAzure DevOps Multi-Repo Checkout Documentation<\/a>
\nAzure DevOps Checkout Step Documentation<\/a>
\nAzure DevOps Pipelines Documentation<\/a><\/p>\n

\u201cEven the smallest person can change the course of the future.\u201d<\/em>
\n Start small by configuring your pipeline correctly, and you\u2019ll see a big impact on your team\u2019s security workflows.<\/p>\n

To learn more about other upcoming Azure DevOps investments in security and beyond, see Azure DevOps Roadmap.<\/a><\/p>\n

The post One Pipeline to Rule Them All: Ensuring CodeQL Scanning Results and Dependency Scanning Results Go to the Intended Repository<\/a> appeared first on Azure DevOps Blog<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"

\u201cOne Ring to rule them all, One Ring to find them, One Ring to bring them all, and in the […]<\/p>\n","protected":false},"author":0,"featured_media":94,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2043","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2043","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=2043"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2043\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/94"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=2043"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=2043"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=2043"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}