Note: Code scanning is currently in beta and subject to change. If your organization has an Advanced Security license, you can join the beta program.
Note: Your site administrator must enable code scanning for your GitHub Enterprise Server instance before you can use this feature. If you want to use GitHub Actions to scan your code, the site administrator must also enable GitHub Actions and set up the infrastructure required. For more information, see "Configuring code scanning for your appliance."
If an automatic build of code for a compiled language within your project fails, try the following troubleshooting steps.
autobuildstep from your code scanning workflow and add specific build steps. For information about editing the workflow, see "Configuring code scanning." For more information about replacing the
autobuildstep, see "Configuring the CodeQL workflow for compiled languages."
If your workflow doesn't explicitly specify the languages to analyze, CodeQL implicitly detects the supported languages in your code base. In this configuration, out of the compiled languages C/C++, C#, and Java, CodeQL only analyzes the language with the most source files. Edit the workflow and add a build matrix specifying the languages you want to analyze. The default CodeQL analysis workflow uses such a matrix.
The following extracts from a workflow show how you can use a matrix within the job strategy to specify languages, and then reference each language within the "Initialize CodeQL" step:
For more information about editing the workflow, see "Configuring code scanning."
If your workflow fails with an error
No source code was seen during the build or
The process '/opt/hostedtoolcache/CodeQL/0.0.0-20200630/x64/codeql/codeql' failed with exit code 32, this indicates that CodeQL was unable to monitor your code. Several reasons can explain such a failure:
Automatic language detection identified a supported language, but there is no analyzable code of that language in the repository. A typical example is when our language detection service finds a file associated with a particular programming language like a
.gypfile, but no corresponding executable code is present in the repository. To solve the problem, you can manually define the languages you want to analyze by updating the list of languages in the
For more information, see the workflow extract in "Automatic build for a compiled language fails" above.
Your code scanning workflow is analyzing a compiled language (C, C++, C#, or Java), but the code was not compiled. By default, the CodeQL analysis workflow contains an
autobuildstep, however, this step represents a best effort process, and may not succeed in building your code, depending on your specific build environment. Compilation may also fail if you have removed the
autobuildstep and did not include build steps manually. For more information about specifying build steps, see "Configuring the CodeQL workflow for compiled languages."
Your workflow is analyzing a compiled language (C, C++, C#, or Java), but portions of your build are cached to improve performance (most likely to occur with build systems like Gradle or Bazel). Since CodeQL observes the activity of the compiler to understand the data flows in a repository, CodeQL requires a complete build to take place in order to perform analysis.
Your workflow is analyzing a compiled language (C, C++, C#, or Java), but compilation does not occur between the
analyzesteps in the workflow. CodeQL requires that your build happens in between these two steps in order to observe the activity of the compiler and perform analysis.
Your compiled code (in C, C++, C#, or Java) was compiled successfully, but CodeQL was unable to detect the compiler invocations. The most common causes are certain configuration options like running your build process in a container, if you're building using a distributed build system external to GitHub Actions using a daemon process, or if CodeQL isn't aware of the specific compiler you are using.
For C# projects using either
msbuildwhich target .NET Core 2, you should specify
/p:UseSharedCompilation=falsein your workflow's
runstep, when you build your code. The
UseSharedCompilationflag isn't necessary for .NET Core 3.0 and later.
For example, the following configuration for C# will pass the flag during the first build step.
- run: | dotnet build /p:UseSharedCompilation=false
If you encounter another problem with your specific compiler or configuration, contact your GitHub Enterprise site administrator.
For more information about specifying build steps, see "Configuring the CodeQL workflow for compiled languages."
autobuild feature uses heuristics to build the code in a repository, however, sometimes this approach results in incomplete analysis of a repository. For example, when multiple
build.sh commands exist in a single repository, the analysis may not complete since the
autobuild step will only execute one of the commands. The solution is to replace the
autobuild step with build steps which build all of the source code which you wish to analyze. For more information, see "Configuring the CodeQL workflow for compiled languages."
If the run of a workflow for code scanning fails due to a server error, try running the workflow again. If the problem persists, contact your GitHub Enterprise site administrator.
On very large projects, CodeQL may run out of disk or memory on the runner. If you encounter this issue, try increasing the memory on the runner.
If your build with CodeQL analysis takes too long to run, there are several approaches you can try to reduce the build time.
If you use self-hosted runners to run CodeQL analysis, you can increase the memory or the number of cores on those runners.
The default CodeQL analysis workflow uses a build matrix of languages, which causes the analysis of each language to run in parallel. If you have specified the languages you want to analyze directly in the "Initialize CodeQL" step, analysis of each language will happen sequentially. To speed up analysis of multiple languages, modify your workflow to use a matrix. For more information, see the workflow extract in "Automatic build for a compiled language fails" above.
Analysis time is typically proportional to the amount of code being analyzed. You can reduce the analysis time by reducing the amount of code being analyzed at once, for example, by excluding test code, or breaking analysis into multiple workflows that analyze only a subset of your code at a time.
For compiled languages like Java, C, C++, and C#, CodeQL analyzes all of the code which was built during the workflow run. To limit the amount of code being analyzed, build only the code which you wish to analyze by specifying your own build steps in a
run block. You can combine specifying your own build steps with using the
paths-ignore filters on the
push events to ensure that your workflow only runs when specific code is changed. For more information, see "Workflow syntax for GitHub Actions."
If you split your analysis into multiple workflows as described above, we still recommend that you have at least one workflow which runs on a
schedule which analyzes all of the code in your repository. Because CodeQL analyzes data flows between components, some complex security behaviors may only be detected on a complete build.
If your analysis is still too slow to be run during
pull_request events, then you may want to only trigger analysis on the
schedule event. For more information, see "Events."