I'm using Github Advanced Security in Azure devops in a monorepo. With the given folder structure:
.
└── apps/
├── frontend/
│ ├── green-app
│ └── red-app
└── backend/
├── green-app
└── red-app
By default the codeql task will scan the ENTIRE code base. Which is not what I want.
How can I configure Github advanced security to only scan one project?For example the front-end and backend folder for the green-app.
I tried setting the sources folder to the back-end folder. But then I'm not able to "reach" the front-end folder in the codeqlpathstoinclude parameter.
When I try this:
- task: AdvancedSecurity-Codeql-Init@1
condition: and(succeededOrFailed(), ${{parameters.runGithubAdvancedSecurity}})
displayName: 'Github Advanced Security: Initialize 🛡'
inputs:
languages: 'csharp,javascript'
sourcesfolder: '$(System.DefaultWorkingDirectory)/apps/backend/green-app'
codeqlpathstoinclude: '../frontend/green-app'
(Following the docs: "The paths must be relative to the sourcesfolder where CodeQL is running, which defaults to the Build.SourcesDirectory pipeline environment variable. For example, to include the $(Build.SourcesDirectory)/app directory, set codeqlpathstoinclude: app rather than codeqlpathstoinclude: $(Build.SourcesDirectory)/app.")
I get:
Only found JavaScript or TypeScript files that were empty or contained syntax errors
What am I doing wrong here?
Edit: I tried wildcards as well, but it gave me the same 'no sources found' error:
apps/*/green-app/**/*
Asked the question in the Github Repository and got the following answer.
apps/**/green-app/**none for buildtype