Jenkinsfile-template-with-codeql-cli-bundle

/* 
    This sample Jenkinsfile shows how to configure a Jenkins pipeline to analyze a repository using the CodeQL CLI bundle
*/

pipeline {

    agent { label 'run-codeql-analysis' }

    environment {
        ...
    }

    options {
        ...
    }

    stages {
        // Clone repository
        stage('Clone Repository') {
            git url: 'https://github.com/octo-org/example-repo-2.git'
        }    

        // OPTIONAL: Download CodeQL CLI Bundle
        // The CodeQL bundle (containing the CodeQL CLI as well as the pre-compiled CodeQL Query Suites, which is recommended for CI/CD integration) can either be download as par of the pipeline,
        // or pre-downloaded and placed on the CI/CD build machine(s). If pre-downloading, replace /path/to/cli in subsequent stages with the absolute path to the download location.
        // In this example, we download the latest CLI bundle (at time of writing) as part of the pipeline from https://github.com/github/codeql-action/releases.
        stage('Download CodeQL CLI Bundle') {
            steps {
                sh 'mkdir codeql'
                sh 'cd codeql && wget https://github.com/github/codeql-action/releases/download/codeql-bundle-20210430/codeql-bundle-linux64.tar.gz'
                sh 'tar xvzf codeql-bundle-linux64.tar.gz codeql'
                sh 'cd codeql && chmod +x codeql'
                // Make a note of the current directory here and use that for /path/to/cli in subsequent stages
                // You can add the extracted codeql bundle to your PATH. Ex: PATH=/path/to/cli:$PATH
            }
        }

        // Create CodeQL Database
        // Create a CodeQL database for a source tree that can be analyzed using one of the CodeQL products.
        // Note that if the --command flag is omitted for compiled languages, the AutoBuilder will be used.
        // Full documentation for database create step: https://codeql.github.com/docs/codeql-cli/manual/database-create/
        stage('Create CodeQL Database') {
            steps {
                sh '/path/to/cli/codeql database create --language=<lang> [--source-root=<dir>] [--threads=<num>] [--command=<command>] [--mode=<mode>] <options>... [--] <database>'
                // example: sh 'codeql database create /codeql-dbs/repo-db --language=javascript --source-root /checkouts/my-repo'             
            }
        }

        // Analyze CodeQL Database
        // Analyze a CodeQL database, producing meaningful results in the context of the source code.
        // Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format.
        // Note that the suite argument can accept one of the pre-compiled, out-of-the-box query suites: code-scanning, security-extended, or security-and-quality
        // Full documentation for database analyze step: https://codeql.github.com/docs/codeql-cli/manual/database-analyze/
        stage('Analyze CodeQL Database') {
            steps {
                sh '/path/to/cli/codeql database analyze --format=<format> --output=<output> [--threads=<num>] [--ram=<MB>] <options>... [--] <database> <query|dir|suite>...'
                // example: sh 'codeql database analyze /codeql-dbs/repo-db javascript-security-and-quality.qls --format=sarif-latest --output=./temp/results-js.sarif                 
            }
        }

        // Upload results to GitHub
        // Uploads a SARIF file to GitHub code scanning.
        // For context, please see https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data
        // A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB\_TOKEN environment variable can be set.
        // This token must have the security\_events scope.
        // Documentation for creating GitHub Apps or Personal Access Tokens are available here: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token
        // Full documentation for github upload-results step: https://codeql.github.com/docs/codeql-cli/manual/github-upload-results/
        stage('Upload results to GitHub') {
            steps {
                sh '/path/to/cli/codeql github upload-results --repository=<repository-name> --ref=<ref> --commit=<commit> --sarif=<file> [--github-auth-stdin] [--checkout-path=<path>] [--github-url=<url>] <options>...'
                // example: sh 'codeql  github upload --repository=my-org/my-repo --ref=refs/heads/main --commit=deb275d2d5fe9a522a0b7bd8b6b6a1c939552718 --sarif=./temp/results-js.sarif --github-url=https://octodemo-enterprise.com/ --github-auth-stdin'
            }
        }

        // Other stages go here

    }

}