Code Scanning python setup (#15972)

* document new behavior for Python analysis * add versioning * update the second article * add link to Cnfiguring article * add word * polishing * Apply suggestions from code review Co-authored-by: Felicity Chapman <felicitymay@github.com> * address review comments * add comments in yaml snippet * remove contraction * Update content/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning.md Co-authored-by: Felicity Chapman <felicitymay@github.com> * commit changes * false, not true * write comments over 2 lines * again * remove white spaces Co-authored-by: Felicity Chapman <felicitymay@github.com>
github · Oct 13, 2020 · fd130da · fd130da
1 parent 1162df0
commit fd130da
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 0 deletions.
diff --git a/...g-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning.md b/...g-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning.md
@@ -130,6 +130,52 @@ If your workflow does not contain a matrix called `language`, then {% data varia
   with:
     languages: cpp, csharp, python
 ```  
+{% if currentVersion == "free-pro-team@latest" %}
+### Analyzing Python dependencies
+
+For GitHub-hosted runners that use Linux only, the {% data variables.product.prodname_codeql_workflow %} will try to auto-install Python dependencies to give more results for the CodeQL analysis. You can control this behavior by specifying the `setup-python-dependencies` parameter for the action called by the "Initialize CodeQL" step. By default, this parameter is set to `true`:
+
+-  If the repository contains code written in Python, the "Initialize CodeQL" step installs the necessary dependencies on the GitHub-hosted runner. If the auto-install succeeds, the action also sets the environment variable `CODEQL_PYTHON` to the Python executable file that includes the dependencies.
+
+- If the repository doesn't have any Python dependencies, or the dependencies are specified in an unexpected way, you'll get a warning and the action will continue with the remaining jobs. The action can run successfully even when there are problems interpreting dependencies, but the results may be incomplete.
+
+Alternatively, you can install Python dependencies manually on any operating system. You will need to add `setup-python-dependencies` and set it to `false`, as well as set `CODEQL_PYTHON` to the Python executable that includes the dependencies, as shown in this workflow extract:
+
+```yaml
+jobs:
+  CodeQL-Build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        fetch-depth: 2
+    - name: Set up Python
+      uses: actions/setup-python@v2
+      with:
+        python-version: '3.x'
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        if [ -f requirements.txt ]; 
+        then pip install -r requirements.txt;
+        fi
+        # Set the `CODEQL-PYTHON` environment variable to the Python executable
+        # that includes the dependencies
+        echo "::set-env name=CODEQL_PYTHON::$(which python)"
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: python
+        # Override the default behavior so that the action doesn't attempt 
+        # to auto-install Python dependencies
+        setup-python-dependencies: false
+```  
+{% endif %}
 
 ### Running additional queries
 

diff --git a/...-vulnerabilities-and-errors-in-your-code/troubleshooting-the-codeql-workflow.md b/...-vulnerabilities-and-errors-in-your-code/troubleshooting-the-codeql-workflow.md
@@ -114,3 +114,12 @@ If you split your analysis into multiple workflows as described above, we still
 #### Run only during a `schedule` event
 
 If your analysis is still too slow to be run during `push` or `pull_request` events, then you may want to only trigger analysis on the `schedule` event. For more information, see "[Events](/actions/learn-github-actions/introduction-to-github-actions#events)."
+
+{% if currentVersion == "free-pro-team@latest" %}
+### Results differ between analysis platforms
+
+If you are analyzing code written in Python, you may see different results depending on whether you run the {% data variables.product.prodname_codeql_workflow %} on Linux, macOS, or Windows.
+
+On GitHub-hosted runners that use Linux, the {% data variables.product.prodname_codeql_workflow %} tries to install and analyze Python dependencies, which could lead to more results. To disable the auto-install, add `setup-python-dependencies: false` to the "Initialize CodeQL" step of the workflow. For more information about configuring the analysis of Python dependencies, see "[Analyzing Python dependencies](/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#analyzing-python-dependencies)."
+
+{% endif %}