From d6145e0e965c290cda172740400941437b05bd05 Mon Sep 17 00:00:00 2001
From: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
Date: Tue, 12 Dec 2023 17:52:27 +0000
Subject: [PATCH] Adds "Evaluate code scanning" article (#46478)

Co-authored-by: Felicity Chapman
---
 ...efault-setup-for-code-scanning-at-scale.md | 4 +--
 ...iguring-default-setup-for-code-scanning.md | 14 ++++----
 ...luating-default-setup-for-code-scanning.md | 36 +++++++++++++++++++
 .../enabling-code-scanning/index.md | 1 +
 .../about-code-scanning.md | 1 +
 ...query-suites.md => codeql-query-suites.md} | 5 +--
 ...ing-your-configuration-of-default-setup.md | 2 +-
 .../index.md | 2 +-
 8 files changed, 53 insertions(+), 12 deletions(-)
 create mode 100644 content/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning.md
 rename content/code-security/code-scanning/managing-your-code-scanning-configuration/{built-in-codeql-query-suites.md => codeql-query-suites.md} (97%)

diff --git a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md
index e06c000da609..045e343def20 100644
--- a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md
+++ b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md
@@ -66,7 +66,7 @@ Through the "Code security and analysis" page of your organization's settings, y
 1. Click **Settings** next to your organization.
 1. Click **Code security & analysis**.
 1. Click **Enable all** next to "{% data variables.product.prodname_code_scanning_caps %}".{% ifversion bulk-code-scanning-query-suite%}
-1. In the "Query suites" section of the "Enable {% data variables.product.prodname_code_scanning %} default setup" dialog box displayed, select the query suite your configuration of default setup will run. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites)."
+1. In the "Query suites" section of the "Enable {% data variables.product.prodname_code_scanning %} default setup" dialog box displayed, select the query suite your configuration of default setup will run. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)."
 1. To enable your configuration of default setup, click **Enable for eligible repositories**.
 1. Optionally, to recommend the "Extended" query suite throughout your organization when enabling default setup, select "Recommend the extended query suite for repositories enabling default setup."{% else %}
 1. In the "Enable {% data variables.product.prodname_code_scanning %} for eligible repositories" dialog box displayed, click **Enable for eligible repositories** to enable your configuration of default setup.{% endif %}
@@ -119,7 +119,7 @@ You can select all of the displayed repositories, or a subset of them, and enabl
 1. In the list of repositories, select each repository you want to enable {% data variables.product.prodname_code_scanning %} for. To select all repositories on the page, click the checkbox next to **NUMBER Active**. To select all repositories that match the current search, click the checkbox next to **NUMBER Active** and then click **Select all NUMBER repos**.
 1. Click **Security settings** next to **NUMBER selected**.
 1. In the side panel, in the "{% data variables.product.prodname_codeql %} Default Setup" section, select **No change**, then click **Enable**.{% ifversion bulk-code-scanning-query-suite %}
-1. Optionally, to choose a different query suite than your organization's default query suite, select **Query suite: SUITE NAME**, then click the query suite your configuration of default setup should use. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites)."{% endif %}
+1. Optionally, to choose a different query suite than your organization's default query suite, select **Query suite: SUITE NAME**, then click the query suite your configuration of default setup should use. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)."{% endif %}
 1. To confirm the enablement of {% data variables.product.prodname_code_scanning %} for the selected repositories, click **Apply changes NUMBER**. Alternatively, to select or deselect more repositories for {% data variables.product.prodname_code_scanning %} enablement, click {% octicon "x" aria-label="Close" %} to close the panel without applying your changes.
 
 {% note %}
diff --git a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md
index 83fdcd6357bf..d85931648a9f 100644
--- a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md
+++ b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md
@@ -38,10 +38,6 @@ Default setup for {% data variables.product.prodname_code_scanning %} is the qui
 {% endnote %}
 {% endif %}
 
-You can enable the automatically selected configuration of default setup to start scanning your code as soon as possible, or you can customize aspects of the configuration to better meet your {% data variables.product.prodname_code_scanning %} needs. If you choose to customize the configuration yourself, you can select:{% ifversion code-scanning-without-workflow-310 %}
-- the languages default setup will analyze.{% endif %}
-- the query suite default setup will run. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites)."
-
 {% ifversion org-enable-code-scanning %}You can also enable default setup for multiple or all repositories in an organization at the same time. For information on bulk enablement, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale)."{% endif %}
 
 If you need more granular control over your {% data variables.product.prodname_code_scanning %} configuration, you should instead configure advanced setup. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)."
@@ -64,6 +60,10 @@ Enterprise owners, organization and repository administrators can add self-hoste
 
 You can use default setup if your repository includes languages that aren't supported by {% data variables.product.prodname_codeql %}, such as R. For more information on {% data variables.product.prodname_codeql %}-supported languages, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql)."
 
+### Customizing default setup
+
+We recommend that you start using {% data variables.product.prodname_code_scanning %} with default setup. After you've initially configured default setup, you can evaluate {% data variables.product.prodname_code_scanning %} to see how it's working for you. If you find that something isn't working as you expect, you can customize default setup to better meet your code security needs. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning)."
+
 {% ifversion code-scanning-default-setup-recommended-languages and code-scanning-without-workflow-310 %}
 ### About adding {% ifversion code-scanning-default-setup-automatic-311 %}non-compiled and {% endif %}compiled languages to your default setup
 
@@ -122,7 +122,7 @@ When you initially configure default setup for {% data variables.product.prodnam
 
 ![Screenshot of the modal for default setup. A button labeled "Default", with an arrow indicating a dropdown menu, is outlined in dark orange.](/assets/images/help/security/default-setup-query-suite-dropdown.png)
 
- If you choose the **Extended** query suite, your {% data variables.product.prodname_code_scanning %} configuration will run lower severity and precision queries in addition to the queries included in the **Default** query suite. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites)."
+ If you choose the **Extended** query suite, your {% data variables.product.prodname_code_scanning %} configuration will run lower severity and precision queries in addition to the queries included in the **Default** query suite. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)."
 
 {% note %}
 
@@ -143,7 +143,9 @@ When you initially configure default setup for {% data variables.product.prodnam
 
 ## Next steps
 
-After you configure default setup for {% data variables.product.prodname_code_scanning %}, and your configuration runs successfully at least once, you can start examining and resolving {% data variables.product.prodname_code_scanning %} alerts. For more information on {% data variables.product.prodname_code_scanning %} alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)" and "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository)."
+After your configuration runs successfully at least once, you can start examining and resolving {% data variables.product.prodname_code_scanning %} alerts. For more information on {% data variables.product.prodname_code_scanning %} alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)" and "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository)."
+
+After you've configured default setup for {% data variables.product.prodname_code_scanning %}, you can read about evaluating how it's working for you and the next steps you can take to customize it. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning)."
 
 You can find detailed information about your {% data variables.product.prodname_code_scanning %} configuration, including timestamps for each scan and the percentage of files scanned, on the tool status page. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page)."
 
diff --git a/content/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning.md b/content/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning.md
new file mode 100644
index 000000000000..e1dd83834965
--- /dev/null
+++ b/content/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning.md
@@ -0,0 +1,36 @@
+---
+title: Evaluating default setup for code scanning
+shortTitle: Evaluate code scanning
+intro: 'Learn how to assess how code scanning is working for you, and how you can customize your setup to best meet your code security needs.'
+product: '{% data reusables.gated-features.code-scanning %}'
+type: how_to
+topics:
+ - Advanced Security
+ - Code scanning
+versions:
+ feature: code-scanning-without-workflow
+---
+
+## About evaluating a new {% data variables.product.prodname_code_scanning %} configuration
+
+When you first start using {% data variables.product.prodname_code_scanning %}, you'll likely use default setup. This guide describes how to evaluate how default setup for {% data variables.product.prodname_code_scanning %} is working for you, and what steps to take if something isn't working as you expect. This guide also describes how you can customize {% data variables.product.prodname_code_scanning %} if you find that you have a specific use case that your new configuration doesn't fit.
+
+## Customizing {% data variables.product.prodname_code_scanning %}
+
+When you first configure default setup, or after an initial analysis of your code, you can edit{% ifversion code-scanning-without-workflow-310 %} which languages default setup will analyze and{% endif %} the query suite run during analysis. The `default` query suite contains a set of queries that are carefully designed to look for the most relevant security issues, while minimizing false positive results. However, you can use the `security-extended` suite to run additional queries, which have slightly lower precision. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)."
+
+For more information about customizing default setup, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup)."
+
+### Using advanced setup
+
+If you've found that you still need more granular control over {% data variables.product.prodname_code_scanning %}, you can use advanced setup. Advanced setup requires significantly more effort to configure, customize, and maintain, so we recommend enabling default setup first. For more information about advanced setup, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)."
+
+## Evaluating {% data variables.product.prodname_code_scanning %} with the {% data variables.code-scanning.tool_status_page %}
+
+The {% data variables.code-scanning.tool_status_page %} shows useful information about all of your {% data variables.product.prodname_code_scanning %} tools. You can use it to investigate whether individual tools are working for a repository, when files in the repository were first scanned and most recently scanned, and when upcoming scans are scheduled. It's also a useful starting point for debugging issues.
+
+Using the {% data variables.code-scanning.tool_status_page %}, you can download the list of rules that {% data variables.product.prodname_code_scanning %} is checking against, in CSV format. For integrated tools like {% data variables.product.prodname_codeql %}, you can also see more detailed information, including a percentage of files scanned and specific error messages.
+
+If you find that default setup doesn't scan all your files, you may need to customize {% data variables.product.prodname_code_scanning %}. For more information, see "[Customizing code scanning](#customizing-code-scanning)" in this article. Alternatively, or if something else isn't working as you expect, you may find our dedicated troubleshooting documentation useful. For more information, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning)".
+
+For more detailed information about the {% data variables.code-scanning.tool_status_page %}, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#viewing-the-tool-status-page-for-a-repository)."
diff --git a/content/code-security/code-scanning/enabling-code-scanning/index.md b/content/code-security/code-scanning/enabling-code-scanning/index.md
index 0b83ec0fcb5d..658f13149f58 100644
--- a/content/code-security/code-scanning/enabling-code-scanning/index.md
+++ b/content/code-security/code-scanning/enabling-code-scanning/index.md
@@ -11,5 +11,6 @@ topics:
 - CodeQL
 children:
 - /configuring-default-setup-for-code-scanning
+ - /evaluating-default-setup-for-code-scanning
 - /configuring-default-setup-for-code-scanning-at-scale
 ---
diff --git a/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning.md b/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning.md
index b1efb6726ef4..635ccddfa4e2 100644
--- a/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning.md
+++ b/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning.md
@@ -36,6 +36,7 @@ To monitor results from {% data variables.product.prodname_code_scanning %} acro
 
 {% ifversion code-scanning-without-workflow %}
 To get started with {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)."
+
 {% else %}
 To get started with {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)."
 {% endif %}
diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites.md
similarity index 97%
rename from content/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites.md
rename to content/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites.md
index 69be243fd05f..3de988230dff 100644
--- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites.md
+++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites.md
@@ -1,12 +1,13 @@
 ---
-title: Built-in CodeQL query suites
-shortTitle: Built-in CodeQL query suites
+title: CodeQL query suites
+shortTitle: CodeQL query suites
 intro: 'You can choose from different built-in {% data variables.product.prodname_codeql %} query suites to use in your {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} setup.'
 product: '{% data reusables.gated-features.code-scanning %}'
 versions:
 feature: code-scanning-without-workflow
 redirect_from:
 - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/built-in-codeql-query-suites
+ - /code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites
 type: reference
 topics:
 - Code scanning
diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md
index 0ede64957f47..ce280f81b1b4 100644
--- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md
+++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md
@@ -15,7 +15,7 @@ topics:
 
 After running an initial analysis of your code with default setup, you may need to make changes to your configuration to better meet your code security needs. For existing configurations of default setup, you can edit{% ifversion code-scanning-without-workflow-310 %}:
 - Which languages default setup will analyze.
-- {% endif %} The query suite run during analysis. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites)."
+- {% endif %} The query suite run during analysis. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)."
 
 {% ifversion codeql-model-packs-java %}
 
diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/index.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/index.md
index 929248f29f61..370a7ff9a407 100644
--- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/index.md
+++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/index.md
@@ -15,7 +15,7 @@ topics:
 children:
 - /about-the-tool-status-page
 - /editing-your-configuration-of-default-setup
-- /built-in-codeql-query-suites
+- /codeql-query-suites
 - /viewing-code-scanning-logs
 - /c-cpp-built-in-queries
 - /csharp-built-in-queries