# GitHub Fixer for GitHub Advanced Security

## Introduction

This guide walks through integrating Mobb with your GitHub Advanced Security (GHAS) CodeQL environment. The GitHub Action referenced in this integration can be found on GitHub Marketplace, under [codeql-mobb-fixer-action](https://github.com/marketplace/actions/codeql-mobb-fixer-action).

{% embed url="https://youtu.be/zFymhmLquFo" %}

## Prerequisites

Before starting this integration, you will need to have the following components:

1. GitHub Advanced Security (GHAS) enabled for your repository
2. A GitHub repository which will be monitored by CodeQL

## Step 1 - Set Up CodeQL monitoring for your GitHub repository

If you have already configured CodeQL Code Scanning to monitor your GitHub repository, skip to [Step 2](#step-2-set-up-mobb-github-fixer-to-monitor-for-codeql-results) below.

Follow the [GitHub Code Scanning guide](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository) on setting up monitoring for your GitHub repository for Pull Request events.

By the end of this step, CodeQL should be fully configured to run on every Pull Request.

## Step 2 - Set Up Mobb GitHub Fixer to monitor for CodeQL results

You will need to generate a token and store it in your GitHub Action's secrets and variables:

1. `MOBB_API_TOKEN` - This is the Mobb API Token. You can generate this token by [following the guide here](https://docs.mobb.ai/mobb-user-docs/administration/access-tokens).

Once you have the token generated, simply store it in your GitHub repository under the "Settings" tab -> Secrets and variables -> Actions -> New repository secret.

<figure><img src="https://2539741639-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8WF4UBNkXMHG7Dz0RXI7%2Fuploads%2Fgit-blob-b110e1b0313f8f08bfc0cd0c17c7108e83b70ca4%2Fghas-mobb-api-token.png?alt=media" alt=""><figcaption></figcaption></figure>

## Step 3 - Create the workflow `yaml` in your GitHub Repository

The next step involves creating the workflow file in your GitHub repository. To do so, click on Actions -> New workflow.

<figure><img src="https://2539741639-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8WF4UBNkXMHG7Dz0RXI7%2Fuploads%2Fgit-blob-8712ea0356e591b42091ab7c63206dcd56ab6ed3%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Select "set up a workflow yourself".

<figure><img src="https://2539741639-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8WF4UBNkXMHG7Dz0RXI7%2Fuploads%2Fgit-blob-ead68e9ea53eb43f853627bf968b0d5642d1c6dd%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

In the code editor page, simply copy and paste the following workflow.

```yaml
name: Mobb fix from CodeQL reports
on:
  workflow_run:
    # This workflow runs after the workflow named here completes. In the CodeQL
    # Default Code Scanning Setup that name is "CodeQL"; if you use CodeQL
    # Advanced Setup with a different workflow name, change this value to match.
    workflows: ["CodeQL"]
    types:
      - completed
jobs:
  handle_codeql_scan:
    runs-on: ubuntu-latest
    # Only run when CodeQL finished successfully and the run belongs to a pull request.
    if: ${{ github.event.workflow_run.conclusion == 'success' && (contains(github.event.workflow_run.head_branch, 'refs/pull') || github.event.workflow_run.event == 'pull_request') }}
    permissions:
      pull-requests: write
      security-events: write
      statuses: write
      contents: write
      issues: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      # Debug step: prints the triggering event payload to the job log.
      - name: Dump github.event
        run: cat $GITHUB_EVENT_PATH

      - uses: mobb-dev/codeql-mobb-fixer-action@v1.1
        with:
          mobb-api-token: ${{ secrets.MOBB_API_TOKEN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

Then click on "Commit Changes". Note that this workflow file must be stored under the default branch for this integration to work.

The integration is now complete. On every PR, CodeQL will be triggered to run a Code Scanning job. Afterward, the Mobb autofixer will run, consume the CodeQL report, and produce fix results directly in your Pull Request.
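The most common way this wiring breaks is a mismatch between the CodeQL workflow's `name:` and the `workflow_run.workflows` entry in the fixer workflow. The following script is an added example (not part of the Mobb docs or the action) that reads both workflow files with a small standard-library-only reader and reports that mismatch, as well as a missing `conclusion == 'success'` gate; the two workflow texts are constructed samples.

```python
import re

# Constructed sample: a CodeQL Advanced Setup workflow whose name a team changed.
CODEQL_WORKFLOW = """\
name: "CodeQL Advanced"
on:
  pull_request:
    branches: [main]
"""

# Constructed sample: the fixer workflow from this page, still listening for "CodeQL".
FIXER_WORKFLOW = """\
name: Mobb fix from CodeQL reports
on:
  workflow_run:
    workflows: ["CodeQL"]
    types: [completed]
jobs:
  handle_codeql_scan:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
"""


def workflow_name(text: str) -> str:
    """Top-level `name:` of a workflow, quotes stripped (the value workflow_run matches on)."""
    m = re.search(r"^name:\s*(.+?)\s*$", text, re.M)
    if not m:
        raise ValueError("workflow has no top-level name")
    return m.group(1).strip("\"'")


def triggering_workflows(text: str) -> list[str]:
    """Names listed in a flow-style `workflows: [...]` entry under workflow_run."""
    m = re.search(r"^\s+workflows:\s*\[(.*)\]\s*$", text, re.M)
    if not m:
        raise ValueError("no workflow_run.workflows list found")
    return [s.strip().strip("\"'") for s in m.group(1).split(",") if s.strip()]


def check_wiring(codeql_text: str, fixer_text: str) -> list[str]:
    """Return problems found; an empty list means the fixer will fire after CodeQL."""
    problems = []
    name, triggers = workflow_name(codeql_text), triggering_workflows(fixer_text)
    if name not in triggers:
        problems.append(f"fixer listens for {triggers} but the CodeQL workflow is named {name!r}")
    if "workflow_run.conclusion == 'success'" not in fixer_text:
        problems.append("fixer job does not gate on a successful CodeQL run")
    return problems
```

Run `check_wiring` on the contents of the two files under `.github/workflows/`; the sample above reports the name mismatch, and renaming the CodeQL workflow back to `CodeQL` (or updating the `workflows:` list) clears it.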

## Results

The fixes are presented in 2 formats:

1. **Selected fixes in the pull request comments** - The fixes presented here are a subset of all available fixes: only those relevant to the current pull request, based on what has changed in the diff.
2. **Full fix report** - A full fix analysis report is available via the "Mobb Fix Report Link" in the status section. The fix report here contains all fixes relevant to the entire repository.

### Fixes shown in the PR comments

![image](https://github.com/mobb-dev/codeql-mobb-fixer-action/assets/5158535/46161a99-4010-4ef1-90be-a06860f755a9)

### Full fix report in Mobb UI

![image](https://github.com/mobb-dev/codeql-mobb-fixer-action/assets/5158535/7955c545-e30a-4b61-975c-0b1f1f2e18d8)
