Skip to main content

Results are different than expected

If your code scanning results are different than you expected, you can check which configurations are active.

If your code scanning results are different than you expected, you may have both default and advanced setup configured for your repository. When you enable default setup, this disables the existing CodeQL workflow file and blocks any CodeQL API analysis from uploading results.

To check if default setup is enabled, navigate to the main page of the repository, then click Settings. In the "Security" section of the sidebar, click Code security and analysis. In the "Code scanning" section of the page, next to "CodeQL analysis", click . If there is a Switch to advanced option, you are currently using default setup.

If you want to return to using advanced setup and get code scanning results from your custom workflow file, click Disable CodeQL to disable default setup. Then you should re-enable your pre-existing workflows to start triggering and uploading results from advanced setup. For more information, see "Disabling and enabling a workflow" and "Configuring advanced setup for code scanning."

In some cases, your repository may use multiple code scanning configurations. These configurations can generate duplicate alerts. Additionally, stale configurations that no longer run will display outdated alert statuses, and the stale alerts will stay open indefinitely. To avoid outdated alerts, you should remove stale code scanning configurations from a branch. For more information on multiple configurations and deleting stale configurations, see "About code scanning alerts" and "Managing code scanning alerts for your repository."