This guide will provide a quick and easy guide to integrate Mobb with your GitHub Advanced Security (GHAS) CodeQL environment. The GitHub Action referenced in this integration can be found on GitHub Marketplace, under codeql-mobb-fixer-action.
Prerequisites
Before starting this integration, you will need to have the following components:
GitHub Advanced Security (GHAS) enabled for your repository
A GitHub repository which will be monitored by CodeQL
Step 1 - Set Up CodeQL monitoring for your GitHub repository
If you have already configured CodeQL Code Scanning to monitor your GitHub repository, skip to Step 2 below.
Follow the GitHub Code Scanning guide on setting up monitoring for your GitHub repository for Pull Request events.
By the end of this step, CodeQL should be fully configured to run on every Pull Request.
Step 2 - Set Up Mobb GitHub Fixer to monitor for CodeQL results
You will need to generate a token and store it in your GitHub Action's secrets and variables:
MOBB_API_TOKEN - This is the Mobb API Token. You can generate this token by following the guide here.
Once you have the token generated, simply store it in your GitHub repository under the "Settings" tab -> Secrets and variables -> Actions -> New repository secret.
Step 3 - Create the workflow yaml in your GitHub Repository
The next step involves creating the workflow file in your GitHub repository. To do so, click on Actions -> New workflow.
Select "set up a workflow yourself".
In the code editor page, simply copy and paste the following workflow.
Then click on "Commit Changes". Note that this workflow file must be stored under the default branch for this integration to work.
The integration is now complete. On every PR, CodeQL will be triggered to run a Code Scanning job. Afterward, the Mobb autofixer will run to consume the report from CodeQL to product fix results directly in your Pull Request.
Results
The fixes are presented in 2 formats:
Selected fixes in the pull request comments - The fixes presented here only contain a subset of all available fixes that are only relevant to the context of the current pull request based on what has been changed in the diff.
Full fix report - A full fix analysis report is available via the "Mobb Fix Report Link" in the status section. The fix report here contains all fixes relevant to the entire repository.
name: Mobb fix from CodeQL reports
on:
workflow_run:
workflows: ["CodeQL"] # This workflow is triggered when the name specified here is triggered. In CodeQL Default Code Scanning Setup, this name is "CodeQL", if you are using CodeQL Advanced Setup, you may need to change this if you have a different workflow name.
types:
- completed
jobs:
handle_codeql_scan:
runs-on: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'success' && (contains(github.event.workflow_run.head_branch, 'refs/pull') || github.event.workflow_run.event == 'pull_request') }}
permissions:
pull-requests: write
security-events: write
statuses: write
contents: write
issues: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Dump github.event
run: cat $GITHUB_EVENT_PATH
- uses: mobb-dev/[email protected] with:
mobb-api-token: ${{ secrets.MOBB_API_TOKEN }}
github-token: ${{ secrets.GITHUB_TOKEN }}
