mobb-dev/ghas-backlog-fixer

GitHub CodeQL to Mobb Analysis Pipeline

Automated pipeline to process GitHub repositories for CodeQL security analysis and Mobb vulnerability remediation.

Features

  • Automated CodeQL Processing: Fetches the latest CodeQL analyses from the default branch and combines them into a unified SARIF report
  • Mobb Integration: Automatically uploads SARIF files to Mobb platform for automatic security fix generation
  • Batch Processing: Processes multiple repositories from CSV
  • Multi-Domain Support: Works with both GitHub.com and GitHub Enterprise deployments with automatic API endpoint detection
  • Comprehensive Reporting: Generates detailed logs, success/failure statistics, and final reports with Mobb URLs for all processed repositories
  • Automatic Triage: Reads repository URLs from repos.csv, automatically discovers the most recent active Mobb fix report for each repo via the Mobb API, classifies irrelevant issues (false positives, vendor code, test code, etc.), and automatically dismisses the corresponding GitHub Advanced Security alerts with appropriate reasons and comments
  • Dry Run Mode: Preview triage actions without modifying any GitHub alerts

Requirements

  • Python 3.7+ with requests library
  • Node.js 20+ (required for Mobb CLI)
  • GitHub Personal Access Token with specific permissions (see setup below)
  • Mobb API Token from your Mobb account

Setup

  1. Install Python dependencies:

    pip install -r requirements.txt
  2. Verify Node.js version:

    node --version  # Should be v20.0.0 or higher
  3. Configure authentication:

    GitHub Personal Access Token Setup:

    1. Go to GitHub → Settings → Developer settings → Personal access tokens → Fine-grained tokens
    2. Click "Generate new token"
    3. Set expiration and select repositories you want to analyze
    4. Under "Repository permissions", grant:
      • Contents: Read (to access repository information)
      • Metadata: Read (to read basic repository data)
      • Security events: Read and write (to access CodeQL analysis results and update irrelevant issues)
    5. Generate token and copy it

    Mobb API Token Setup:

    Option A: Environment variables (recommended)

    export GITHUB_PAT="your_github_token"
    export Mobb_API_TOKEN="your_Mobb_token"

    Option B: Configuration file

    # Edit config.json with your actual tokens
    {
      "GITHUB_PAT": "your_github_personal_access_token_here",
      "Mobb_API_TOKEN": "your_Mobb_api_token_here"
    }
  4. Create repository list:

    # Edit repos.csv with repository URLs (one per line)
    # Supports both GitHub.com and GitHub Enterprise domains
    https://github.com/owner1/repo1
    https://github.com/owner2/repo2
    https://custom-github-enterprise.company.com/org/project
  5. Additional GitHub token permission required for triage:

    • Security events: Write (to dismiss code scanning alerts)

    The triage script uses the same repos.csv you created in step 4. No separate fix report list is needed — fix report IDs are discovered automatically via the Mobb API.

Usage

Run the pipeline:

python generate_sarif_from_github_codeql.py

The pipeline will:

  1. Validate Node.js 20+ and Mobb CLI availability
  2. Load repository list from repos.csv
  3. For each repository:
    • Identify the default branch using GitHub REST API
    • Fetch recent CodeQL analyses for the default branch
    • Select the most recent analysis set (by commit SHA)
    • Download and combine SARIF reports
    • Run Mobb analysis on the combined SARIF
  4. Generate a comprehensive processing report
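The per-repository steps above, written out as an added example (this is not the project's own script): API endpoint detection for GitHub.com versus GitHub Enterprise, grouping of analyses by commit SHA to pick the newest set, and a SARIF merge that concatenates runs. The GitHub REST endpoints used are the real code-scanning ones; the analysis records in SAMPLE_ANALYSES are constructed and trimmed to the fields the selection logic needs, and the helper names are this example's own.

```python
"""Pick the newest CodeQL analysis set for a repo's default branch and merge
its SARIF files. Added example, not the pipeline's own code. Sample data is
constructed; function names are this example's assumptions."""
from datetime import datetime
from typing import Dict, List, Tuple
from urllib.parse import urlparse


def api_base_for(repo_url: str) -> str:
    """GitHub.com serves the REST API from api.github.com; GitHub Enterprise
    Server serves the same API under https://<host>/api/v3."""
    host = urlparse(repo_url).hostname
    if host == "github.com":
        return "https://api.github.com"
    return f"https://{host}/api/v3"


def owner_repo(repo_url: str) -> Tuple[str, str]:
    """Extract owner and repository name from a repository URL."""
    parts = urlparse(repo_url).path.strip("/").split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"not a repository URL: {repo_url}")
    repo = parts[1][:-4] if parts[1].endswith(".git") else parts[1]
    return parts[0], repo


def _created(analysis: Dict) -> datetime:
    # GitHub returns ISO-8601 with a trailing Z; fromisoformat wants +00:00
    return datetime.fromisoformat(analysis["created_at"].replace("Z", "+00:00"))


def select_latest_analysis_set(analyses: List[Dict]) -> List[Dict]:
    """Group analyses by commit SHA (one analysis per CodeQL language/category)
    and return the group whose newest analysis was created most recently."""
    by_sha: Dict[str, List[Dict]] = {}
    for analysis in analyses:
        by_sha.setdefault(analysis["commit_sha"], []).append(analysis)
    if not by_sha:
        return []
    newest_sha = max(by_sha, key=lambda sha: max(_created(a) for a in by_sha[sha]))
    return by_sha[newest_sha]


def combine_sarif(docs: List[Dict]) -> Dict:
    """Merge SARIF 2.1.0 documents by concatenating their runs; each run keeps
    its own tool/driver block so rule metadata stays attached to its results."""
    combined = {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [],
    }
    for doc in docs:
        combined["runs"].extend(doc.get("runs", []))
    return combined


def fetch_and_combine(repo_url: str, token: str):
    """Live path: default branch -> analyses -> newest set -> SARIF downloads.
    Imports requests lazily so the offline helpers above run without it."""
    import requests  # listed in the project's requirements

    session = requests.Session()
    session.headers.update({"Authorization": f"Bearer {token}",
                            "Accept": "application/vnd.github+json"})
    base = api_base_for(repo_url)
    owner, repo = owner_repo(repo_url)
    branch = session.get(f"{base}/repos/{owner}/{repo}").json()["default_branch"]
    listing = session.get(
        f"{base}/repos/{owner}/{repo}/code-scanning/analyses",
        params={"ref": f"refs/heads/{branch}", "tool_name": "CodeQL", "per_page": 100},
    )
    listing.raise_for_status()
    latest = select_latest_analysis_set(listing.json())
    docs = []
    for analysis in latest:
        resp = session.get(
            f"{base}/repos/{owner}/{repo}/code-scanning/analyses/{analysis['id']}",
            headers={"Accept": "application/sarif+json"},  # returns the SARIF body
        )
        resp.raise_for_status()
        docs.append(resp.json())
    return branch, latest, combine_sarif(docs)


# Constructed sample: an older single-language commit and a newer commit
# analysed for two languages (two analyses, one set).
SAMPLE_ANALYSES = [
    {"id": 1, "commit_sha": "aaa111", "created_at": "2024-01-01T10:00:00Z",
     "category": "/language:python"},
    {"id": 2, "commit_sha": "bbb222", "created_at": "2024-01-02T10:00:00Z",
     "category": "/language:python"},
    {"id": 3, "commit_sha": "bbb222", "created_at": "2024-01-02T10:05:00Z",
     "category": "/language:javascript"},
]
```

Selecting by commit SHA rather than by individual analysis timestamp matters because a multi-language repository produces one analysis per language for the same commit; taking only the single newest analysis would silently drop the other languages' findings from the combined SARIF.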

Automatic Triage

Dismiss irrelevant GitHub Advanced Security alerts using Mobb fix report data:

python automatic-triage.py

Preview what would be dismissed without making any changes:

python automatic-triage.py --dry-run

The triage pipeline will:

  1. Load repository URLs from repos.csv (same file used by the CodeQL pipeline)
  2. For each repository URL:
    • Query the Mobb API for all active fix reports (GET /api/rest/active-reports), sorted latest-first
    • Check each report in order (GET /api/rest/fix-reports/{id}) until one whose originalUrl matches the repo URL is found
    • If no active fix report is found for a repo, a warning is logged and that repo is skipped
    • Fetch all irrelevant issues (false positives, vendor/test/auxiliary/autogenerated/suppressed code) using paginated Mobb API calls
    • Determine the highest-priority tag when multiple tags are present (FALSE_POSITIVE > SUPPRESSED > TEST_CODE > VENDOR_CODE > AUXILIARY_CODE > AUTOGENERATED_CODE)
    • For false positives, fetch a short AI-generated description from Mobb to use as the dismiss comment
    • Dismiss each corresponding GHAS code scanning alert with the appropriate reason and comment
  3. Generate a triage report

Mobb tag → GitHub dismissed reason mapping:

Mobb Tag             GitHub Reason
-------------------  --------------
FALSE_POSITIVE       false positive
TEST_CODE            used in tests
VENDOR_CODE          won't fix
AUXILIARY_CODE       won't fix
AUTOGENERATED_CODE   won't fix
SUPPRESSED           won't fix
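The triage decision logic and the dismissal call, as an added example that is not the triage script itself: tag precedence as listed above, the tag-to-reason table, the skip cases named in Troubleshooting (null vendorInstanceId, unavailable false-positive summary, already-dismissed alert) and a dry-run switch that stops before any write. The GitHub call is the real PATCH /repos/{owner}/{repo}/code-scanning/alerts/{alert_number}; the Mobb issue shape (only vendorInstanceId and tags are read) and FakeSession are constructed for this example.

```python
"""Plan and apply GHAS alert dismissals from Mobb irrelevance tags.
Added example, not the project's triage script. Issue shape and the
FakeSession stand-in are constructed for offline use."""
from typing import Dict, List, Optional

# Tag precedence when one Mobb issue carries several tags, highest first
TAG_PRIORITY: List[str] = [
    "FALSE_POSITIVE", "SUPPRESSED", "TEST_CODE",
    "VENDOR_CODE", "AUXILIARY_CODE", "AUTOGENERATED_CODE",
]

# Mobb tag -> GitHub dismissed_reason (the three values the code-scanning API accepts)
TAG_TO_REASON: Dict[str, str] = {
    "FALSE_POSITIVE": "false positive",
    "TEST_CODE": "used in tests",
    "VENDOR_CODE": "won't fix",
    "AUXILIARY_CODE": "won't fix",
    "AUTOGENERATED_CODE": "won't fix",
    "SUPPRESSED": "won't fix",
}


def highest_priority_tag(tags: List[str]) -> Optional[str]:
    """Return the most significant irrelevance tag, or None if none apply."""
    for tag in TAG_PRIORITY:
        if tag in tags:
            return tag
    return None


def plan_dismissal(issue: Dict, fp_summary: Optional[str] = None) -> Dict:
    """Decide what to do with one Mobb issue (constructed shape: only
    'vendorInstanceId' and 'tags' are read). Returns an action dict."""
    alert_number = issue.get("vendorInstanceId")
    if alert_number is None:
        # e.g. issues already in a Fixed state have no GHAS alert to dismiss
        return {"action": "skip", "why": "vendorInstanceId is null"}
    tag = highest_priority_tag(issue.get("tags", []))
    if tag is None:
        return {"action": "skip", "why": "no irrelevance tag"}
    if tag == "FALSE_POSITIVE":
        if not fp_summary:
            # Summary call failed: skip rather than dismiss without a justification
            return {"action": "skip", "why": "false positive summary unavailable"}
        comment = fp_summary
    else:
        comment = f"Dismissed by automatic triage: Mobb classified this as {tag}"
    return {
        "action": "dismiss",
        "alert_number": int(alert_number),
        "reason": TAG_TO_REASON[tag],
        "comment": comment[:280],  # GitHub caps dismissed_comment at 280 characters
    }


def dismiss_alert(session, api_base: str, owner: str, repo: str,
                  plan: Dict, dry_run: bool = True) -> str:
    """Apply a 'dismiss' plan against the GitHub code-scanning alerts API.
    Returns 'dry-run', 'already-dismissed' or 'dismissed'."""
    url = f"{api_base}/repos/{owner}/{repo}/code-scanning/alerts/{plan['alert_number']}"
    if dry_run:
        return "dry-run"  # nothing is written in dry-run mode
    current = session.get(url)
    current.raise_for_status()
    if current.json().get("state") == "dismissed":
        return "already-dismissed"  # logged as skipped, processing continues
    resp = session.patch(url, json={
        "state": "dismissed",
        "dismissed_reason": plan["reason"],
        "dismissed_comment": plan["comment"],
    })
    resp.raise_for_status()
    return "dismissed"


class _FakeResponse:
    """Minimal response object for the constructed FakeSession."""
    def __init__(self, body: Dict):
        self._body = body

    def raise_for_status(self) -> None:
        return None

    def json(self) -> Dict:
        return self._body


class FakeSession:
    """Constructed stand-in for requests.Session so the flow runs offline;
    tracks alert state and records every PATCH body it receives."""
    def __init__(self, state: str = "open"):
        self.state = state
        self.patches: List[Dict] = []

    def get(self, url: str) -> _FakeResponse:
        return _FakeResponse({"state": self.state})

    def patch(self, url: str, json: Optional[Dict] = None) -> _FakeResponse:
        self.patches.append(json)
        self.state = "dismissed"
        return _FakeResponse({"state": self.state})
```

Reading the alert before patching is what makes re-runs idempotent: an alert someone dismissed by hand, or one the previous run already handled, is skipped instead of having its reason and comment overwritten. With a real requests.Session in place of FakeSession, the session needs the Security events: Write permission listed in step 5 of Setup.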

Output Structure

batch_output/
├── batch_processing.log                       # CodeQL pipeline logs
├── automatic_triage.log                       # Automatic triage logs
├── processing_report_YYYYMMDD_HHMMSS.json     # CodeQL pipeline results report
├── triage_report_YYYYMMDD_HHMMSS.json         # Automatic triage results report
├── sarif_files/                               # Combined SARIF files
│   └── codeql_{repo}_{branch}_{commit}_{timestamp}.sarif
└── temp/                                      # Individual analysis files
    └── sarif_{analysis_id}.json

Error Handling

  • Continue on failure: If one repository fails, processing continues with remaining repositories
  • Comprehensive logging: All errors and warnings are logged with timestamps
  • Final report: Includes success/failure statistics and Mobb URLs for successful analyses

Report Format

The final processing report includes:

  • Summary statistics (total, successful, failed repositories)
  • Mobb analysis URLs for successful runs
  • Detailed results per repository with status and file paths
  • Error details for failed operations

Troubleshooting

Node.js version errors:

  • Ensure Node.js 20+ is installed
  • Check PATH environment variable includes Node.js

Mobb CLI errors:

  • Verify internet connection for npx Mobbdev@latest
  • Check Mobb API token validity

GitHub API errors:

  • Verify GitHub PAT has the required permissions:
    • Contents: Read
    • Metadata: Read
    • Security events: Read
  • Check repository access permissions
  • Ensure CodeQL analyses exist on the default branch

Triage — alert already dismissed:

  • This is handled automatically; the alert is logged as skipped and processing continues

Triage — false positive summary unavailable:

  • If the Mobb FP summary API call fails for a FALSE_POSITIVE issue, the issue is skipped (not dismissed) and an error is logged
  • Check that the MOBB_API_TOKEN is valid and the fpId is correct

Triage — vendorInstanceId is null:

  • Some issues (e.g. issues in a Fixed state) may not have a corresponding GitHub alert ID; these are logged as skipped automatically
