Skip to main content
我们经常发布文档更新,此页面的翻译可能仍在进行中。有关最新信息,请访问英文文档。如果此页面上的翻译有问题,请告诉我们

此版本的 GitHub Enterprise 已停止服务 2022-06-03. 即使针对重大安全问题,也不会发布补丁。 要获得更好的性能、改进的安全性和新功能,请升级到 GitHub Enterprise 的最新版本。 如需升级方面的帮助,请联系 GitHub Enterprise 支持

Configuring the CodeQL workflow for compiled languages

You can configure how GitHub uses the CodeQL 分析工作流程 to scan code written in compiled languages for vulnerabilities and errors.

If you have write permissions to a repository, you can configure 代� �扫描 for that repository.

代� �扫描 适用于启用了 GitHub Advanced Security 的组织拥有的仓库。 更多信息请参阅“关于 GitHub Advanced Security”。

Note: Your site administrator must enable 代� �扫描 for 您的 GitHub Enterprise Server 实例 before you can use this feature. If you want to use GitHub Actions to scan your code, the site administrator must also enable GitHub Actions and set up the infrastructure required. For more information, see "Configuring 代� �扫描 for your appliance."

About the CodeQL 分析工作流程 and compiled languages

You set up GitHub to run 代� �扫描 for your repository by adding a GitHub Actions workflow to the repository. For CodeQL 代� �扫描, you add the CodeQL 分析工作流程. For more information, see "Setting up 代� �扫描 for a repository."

一般情况下� 需编辑 代� �扫描 的默认工作流程。 但是,如果需要,您可以编辑工作流程以自定义某些设置。 例如,您可以编辑 GitHub 的 CodeQL 分析工作流程 来指定扫描频率、要扫描的语言或目录,以及 CodeQL 代� �扫描 在代� �中的查找内容。 如果您使用一组特定的命令来编译代� �,您可能还需要编辑 CodeQL 分析工作流程。 For general information about configuring 代� �扫描 and editing workflow files, see "Configuring 代� �扫描" and "Learn GitHub Actions."

About autobuild for CodeQL

Code scanning works by running queries against one or more databases. Each database contains a representation of all of the code in a single language in your repository. For the compiled languages C/C++, C#, and Java, the process of populating this database involves building the code and extracting data. CodeQL 也运行 Go 项目的构建来设置项目。 但是,与其他编译语言相比,仓库中的所有 Go 文件都是提取的,而不仅仅是构建的文件。 您可以使用自定义构建命令跳过提取未受构建影响的 Go 文件。

对于受支持的编译语言,您可以使用 CodeQL 分析工作流程 中的 autobuild 操作来构建代� �。 这� �您� 需为 C/C++、C# 和 Java 指定显式构建命令。

If your workflow uses a language matrix, autobuild attempts to build each of the compiled languages listed in the matrix. Without a matrix autobuild attempts to build the supported compiled language that has the most source files in the repository. With the exception of Go, analysis of other compiled languages in your repository will fail unless you supply explicit build commands.

Note: If you use self-hosted runners for GitHub Actions, you may need to install additional software to use the autobuild process. Additionally, if your repository requires a specific version of a build tool, you may need to install it manually. For more information, see "Specifications for GitHub-hosted runners".

C/C++

Supported system typeSystem name
Operating systemWindows, macOS, and Linux
Build systemWindows: MSbuild and build scripts
Linux and macOS: Autoconf, Make, CMake, qmake, Meson, Waf, SCons, Linux Kbuild, and build scripts

The behavior of the autobuild step varies according to the operating system that the extraction runs on. On Windows, the autobuild step attempts to autodetect a suitable build method for C/C++ using the following approach:

  1. Invoke MSBuild.exe on the solution (.sln) or project (.vcxproj) file closest to the root. If autobuild detects multiple solution or project files at the same (shortest) depth from the top level directory, it will attempt to build all of them.
  2. Invoke a script that looks like a build script—build.bat, build.cmd, and build.exe (in that order).

On Linux and macOS, the autobuild step reviews the files present in the repository to determine the build system used:

  1. Look for a build system in the root directory.
  2. If none are found, search subdirectories for a unique directory with a build system for C/C++.
  3. Run an appropriate command to configure the system.

C#

Supported system typeSystem name
Operating systemWindows and Linux
Build system.NET and MSbuild, as well as build scripts

The autobuild process attempts to autodetect a suitable build method for C# using the following approach:

  1. Invoke dotnet build on the solution (.sln) or project (.csproj) file closest to the root.
  2. Invoke MSbuild (Linux) or MSBuild.exe (Windows) on the solution or project file closest to the root. If autobuild detects multiple solution or project files at the same (shortest) depth from the top level directory, it will attempt to build all of them.
  3. Invoke a script that looks like a build script—build and build.sh (in that order, for Linux) or build.bat, build.cmd, and build.exe (in that order, for Windows).

Java

Supported system typeSystem name
Operating systemWindows, macOS, and Linux (no restriction)
Build systemGradle, Maven and Ant

The autobuild process tries to determine the build system for Java codebases by applying this strategy:

  1. Search for a build file in the root directory. Check for Gradle then Maven then Ant build files.
  2. Run the first build file found. If both Gradle and Maven files are present, the Gradle file is used.
  3. Otherwise, search for build files in direct subdirectories of the root directory. If only one subdirectory contains build files, run the first file identified in that subdirectory (using the same preference as for 1). If more than one subdirectory contains build files, report an error.

Adding build steps for a compiled language

如果仓库中的 C/C++、C# 或 Java 代� �含有非� �准的构建过程,autobuild 可能会失败。 您需要从工作流程中� 除 autobuild 步骤,然后手动添� 构建步骤。 如果您要指定仓库中的哪个 Go 文件要提取,则需要添� 生成步骤。 For information on how to edit the workflow file, see "Configuring 代� �扫描."

After removing the autobuild step, uncomment the run step and add build commands that are suitable for your repository. The workflow run step runs command-line programs using the operating system's shell. You can modify these commands and add more commands to customize the build process.

- run: |
  make bootstrap
  make release

For more information about the run keyword, see "Workflow syntax for GitHub Actions."

If your repository contains multiple compiled languages, you can specify language-specific build commands. For example, if your repository contains C/C++, C# and Java, and autobuild correctly builds C/C++ and C# but fails to build Java, you could use the following configuration in your workflow, after the init step. This specifies build steps for Java while still using autobuild for C/C++ and C#:

- if: matrix.language == 'cpp' || matrix.language == 'csharp' 
  name: Autobuild
  uses: github/codeql-action/autobuild@v1

- if: matrix.language == 'java' 
  name: Build Java
  run: |
    make bootstrap
    make release

For more information about the if conditional, see "Workflow syntax for GitHub Actions."

For more tips and tricks about why autobuild won't build your code, see "Troubleshooting the CodeQL workflow."

If you added manual build steps for compiled languages and 代� �扫描 is still not working on your repository, contact 您的网站管理员.