
feat(codeql): add CodeQL enablement check as a dedicated extension #876

Draft
akiioto wants to merge 8 commits into open-component-model:master from akiioto:feat/sast-codeql-check

Conversation


@akiioto akiioto commented Jun 30, 2026


Summary

  • Adds a new codeql extension that checks whether GitHub Advanced Security CodeQL is enabled for each source artefact referenced by an OCM component
  • Implements use case 1 from the CodeQL extension design (enabled/disabled check only — findings processing is out of scope)
  • Follows the same pattern as the existing sast extension

Changes

  • src/codeql.py: New extension — queries GitHub code-scanning analyses API (tool_name=CodeQL), emits CodeqlFinding(NOT_ENABLED) when CodeQL is absent
  • src/odg/model.py: Add Datatype.CODEQL_FINDING, Datasource.CODEQL, CodeqlStatus, CodeqlFinding, RescoreCodeqlFinding
  • src/odg/extensions_cfg.py: Add Services.CODEQL and CodeqlConfig (BacklogItemMixins, same as SASTConfig)
  • src/odg/extensions_cfg.yaml: Add codeql: enabled: False default
  • src/odg/findings_cfg.yaml: Add finding/codeql block with BLOCKER categorisation; external (github.com) components auto-rescored to NONE
  • src/odg/findings.py: Add CodeqlFindingSelector for categorise_finding() matching on codeql_status
  • src/artefact_enumerator.py: Register CODEQL service so backlog items are created for source artefacts

Design decisions

  • Separate extension, not a SAST sub-type — CodeQL is a distinct scanner (GitHub Advanced Security feature), not a missing-linter variant
  • Reuses ghas.github_api_request() — same GitHub API authentication mechanism as the existing GHAS extension
  • repo_url stored in finding — allows direct navigation to the repository from the dashboard/issue view
  • github.com components exempt — external open-source components are not subject to SAP product standards

Prerequisites for full E2E test

  • GitHub App (app_id: 2019 on github.tools.sap) needs security_events: read permission added
  • Deploy to Dev landscape (delivery-service image must include this branch)

Test plan

  • Verify codeql.py loads and starts polling backlog items
  • Verify artefact-enumerator creates codeql backlog items for source artefacts
  • Verify GitHub API call succeeds once security_events: read permission is granted to GitHub App
  • Verify CodeqlFinding(NOT_ENABLED) is stored in DB for repos without CodeQL
  • Verify no finding is stored for repos with CodeQL enabled
  • Verify github.com components are auto-rescored to NONE

akiioto added 4 commits June 30, 2026 18:48

Introduces a new CodeQL extension that checks whether GitHub Advanced Security
CodeQL is enabled for each source artefact referenced by an OCM component.

Changes:
- odg/model.py: add Datatype.CODEQL_FINDING, Datasource.CODEQL, CodeqlStatus,
  CodeqlFinding, RescoreCodeqlFinding
- odg/extensions_cfg.py: add Services.CODEQL and CodeqlConfig (BacklogItemMixins)
- odg/extensions_cfg.yaml: add codeql default (enabled: False)
- odg/findings_cfg.yaml: add finding/codeql block with BLOCKER categorisation;
  external (github.com) components are auto-rescored to NONE
- codeql.py: new extension — queries GitHub code-scanning analyses API
  (tool_name=CodeQL), emits CodeqlFinding(NOT_ENABLED) when CodeQL is absent

Per discussion with Philipp Heil: findings should contain enough information
to be meaningful in the dashboard and issue view. repo_url points directly
to the GitHub repository where CodeQL needs to be enabled.

Required for categorise_finding() to match on codeql_status values
in the findings_cfg.yaml selector configuration.

Adds the codeql backlog item creation block analogous to sast, so the
artefact-enumerator creates codeql backlog items for source artefacts
when the codeql extension is enabled.

coderabbitai Bot commented Jun 30, 2026

Contributor

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


akiioto added 3 commits June 30, 2026 19:09

- settings_url: direct link to repo/settings/security_analysis so
  engineers can enable CodeQL in one click from the dashboard/issue
- language: primary repo language from GitHub API; enables auto-rescoring
  for repos in languages CodeQL does not support
- fix: key now includes repo_url to avoid collisions across artefacts
- refactor: fetch_repo_info() combines /repos and /code-scanning/analyses
  into one function so both calls share the same auth token lookup

languages: [Go, Python, Java] in extensions_cfg limits CodeQL checks
to repos whose primary language matches. Empty list (default) checks all.

Instead of a single enabled/disabled check per repo, the extension now:
- fetches active CodeQL languages from code-scanning/analyses (environment.language)
- emits a separate CodeqlFinding per language configured in codeql_config.languages
  that is NOT actively scanned
- key includes language: not-enabled|{repo_url}|{language}

When languages is empty (default), falls back to single finding if CodeQL
is not enabled at all for the repo.

@8R0WNI3 8R0WNI3 left a comment

Member


This already looks very promising, thank you for your contribution! :-)

Comment thread src/odg/extensions_cfg.py Outdated
Comment thread src/odg/findings.py
            case odg.model.Datatype.OSID_FINDING:
                self._validate_osid()
            case odg.model.Datatype.CRYPTO_FINDING:
                self._validate_crypto()

Member


Please also add a validation function for the new finding type.

Comment thread src/odg/findings_cfg.yaml
    artefact_kind: source
    issues:
      enable_issues: False
    rescoring_ruleset:

Member


I think this ruleset is not used anywhere 🤔

Comment thread src/codeql.py
import ocm.iter

import ctx_util
import ghas

Member


Conceptionally, an extension should not have a dependency on another extension. Please consider moving the necessary functions to the already existing github_util module instead.

Comment thread src/codeql.py
    scan_callback = functools.partial(
        scan,
        codeql_finding_config=codeql_finding_config,
        secret_factory=secret_factory,

Member


The secret_factory will be already provided by the process_backlog_items wrapper, so there should be no need to explicitly add it here.

Comment thread src/codeql.py
    if len(path_parts) < 2:
        return None
    org, repo = path_parts[0], path_parts[1]
    hostname = parsed.hostname or 'github.com'

Member


Why would it be necessary to fallback to github.com here?

Comment thread src/odg/model.py
    codeql_status: CodeqlStatus
    repo_url: str | None = None
    settings_url: str | None = None
    language: str | None = None

Member


I think according to the codeql module, repo_url and language would never be None. Why did you decide to make them optional here?

Addresses review comment: Services, Datatype, Datasource.datasource(),
and ExtensionsConfiguration fields are now in alphabetical order.