Skip to main content
Frecuentemente publicamos actualizaciones de nuestra documentación. Es posible que la traducción de esta página esté en curso. Para conocer la información más actual, visita la documentación en inglés. Si existe un problema con las traducciones en esta página, por favor infórmanos.

Esta versión de GitHub Enterprise se discontinuó el 2022-06-03. No se realizarán lanzamientos de patch, ni siquiera para problemas de seguridad críticos. Para obtener un mejor desempeño, más seguridad y nuevas características, actualiza a la última versión de GitHub Enterprise. Para obtener ayuda con la actualización, contacta al soporte de GitHub Enterprise.

Configuring the CodeQL workflow for compiled languages

You can configure how GitHub uses the Flujo de trabajo de análisis de CodeQL to scan code written in compiled languages for vulnerabilities and errors.

If you have write permissions to a repository, you can configure escaneo de código for that repository.

El Escaneo de código se encuentra disponible para los repositorios que pertenecen a organizaciones donde se habilitó el GitHub Advanced Security. Para obtener más información, consulta la sección "Acerca de GitHub Advanced Security".

Nota: Tu administrador de sitio debe habilitar el escaneo de código para tu instancia de GitHub Enterprise Server antes de que puedas utilizar esta característica. Si quieres utilizar GitHub Actions para escanear tu código, el administrador de sitio también puede habilitar las GitHub Actions y configurar la infraestructura que se requiera. Para obtener más información, consulta "Configurar el escaneo de código en tu aplicativo."

About the Flujo de trabajo de análisis de CodeQL and compiled languages

You set up GitHub to run escaneo de código for your repository by adding a GitHub Actions workflow to the repository. For CodeQL escaneo de código, you add the Flujo de trabajo de análisis de CodeQL. For more information, see "Setting up escaneo de código for a repository."

Typically, you don't need to edit the default workflow for escaneo de código. However, if required, you can edit the workflow to customize some of the settings. For example, you can edit GitHub's Flujo de trabajo de análisis de CodeQL to specify the frequency of scans, the languages or directories to scan, and what CodeQL escaneo de código looks for in your code. You might also need to edit the Flujo de trabajo de análisis de CodeQL if you use a specific set of commands to compile your code. For general information about configuring escaneo de código and editing workflow files, see "Configuring escaneo de código" and "Learn GitHub Actions."

About autobuild for CodeQL

Code scanning works by running queries against one or more databases. Each database contains a representation of all of the code in a single language in your repository. For the compiled languages C/C++, C#, and Java, the process of populating this database involves building the code and extracting data. CodeQL también ejecuta una compilación para que los proyectos de Go configuren el proyecto. Sin embargo, en contraste con el resto de los lenguajes compilados, todos los archivos de Go en el repositorio se extraen, y no únicamente aquellos que se compilaron. Puedes utilizar comandos personalizados de compilación para saltarte la extracción de archivos de Go que no haya tocado la compilación.

Para los lenguajes compilados compatibles, puedes utilizar la acción de autobuild en el Flujo de trabajo de análisis de CodeQL para compilar tu código. Esto te evita tener que especificar los comandos de compilación explícitos paraC/C++, C#, y Java.

If your workflow uses a language matrix, autobuild attempts to build each of the compiled languages listed in the matrix. Without a matrix autobuild attempts to build the supported compiled language that has the most source files in the repository. With the exception of Go, analysis of other compiled languages in your repository will fail unless you supply explicit build commands.

Note: If you use self-hosted runners for GitHub Actions, you may need to install additional software to use the autobuild process. Additionally, if your repository requires a specific version of a build tool, you may need to install it manually. For more information, see "Specifications for GitHub-hosted runners".

C/C++

Supported system typeSystem name
Operating systemWindows, macOS, and Linux
Build systemWindows: MSbuild and build scripts
Linux and macOS: Autoconf, Make, CMake, qmake, Meson, Waf, SCons, Linux Kbuild, and build scripts

The behavior of the autobuild step varies according to the operating system that the extraction runs on. On Windows, the autobuild step attempts to autodetect a suitable build method for C/C++ using the following approach:

  1. Invoke MSBuild.exe on the solution (.sln) or project (.vcxproj) file closest to the root. If autobuild detects multiple solution or project files at the same (shortest) depth from the top level directory, it will attempt to build all of them.
  2. Invoke a script that looks like a build script—build.bat, build.cmd, and build.exe (in that order).

On Linux and macOS, the autobuild step reviews the files present in the repository to determine the build system used:

  1. Look for a build system in the root directory.
  2. If none are found, search subdirectories for a unique directory with a build system for C/C++.
  3. Run an appropriate command to configure the system.

C#

Supported system typeSystem name
Operating systemWindows and Linux
Build system.NET and MSbuild, as well as build scripts

The autobuild process attempts to autodetect a suitable build method for C# using the following approach:

  1. Invoke dotnet build on the solution (.sln) or project (.csproj) file closest to the root.
  2. Invoke MSbuild (Linux) or MSBuild.exe (Windows) on the solution or project file closest to the root. If autobuild detects multiple solution or project files at the same (shortest) depth from the top level directory, it will attempt to build all of them.
  3. Invoke a script that looks like a build script—build and build.sh (in that order, for Linux) or build.bat, build.cmd, and build.exe (in that order, for Windows).

Java

Supported system typeSystem name
Operating systemWindows, macOS, and Linux (no restriction)
Build systemGradle, Maven and Ant

The autobuild process tries to determine the build system for Java codebases by applying this strategy:

  1. Search for a build file in the root directory. Check for Gradle then Maven then Ant build files.
  2. Run the first build file found. If both Gradle and Maven files are present, the Gradle file is used.
  3. Otherwise, search for build files in direct subdirectories of the root directory. If only one subdirectory contains build files, run the first file identified in that subdirectory (using the same preference as for 1). If more than one subdirectory contains build files, report an error.

Adding build steps for a compiled language

Si el código de C/C++, C# o de Java en tu repositorio tiene un proceso de compilación diferente al estándar, el autobuild podría fallar. Necesitarás eliminar el paso de autobuild del flujo de trabajo y agregar los pasos de compilación manualmente. Si quieres especificar qué archivos de Go se deben extraer de tu repositorio, necesitarás agregar pasos de compilación. For information on how to edit the workflow file, see "Configuring escaneo de código."

After removing the autobuild step, uncomment the run step and add build commands that are suitable for your repository. The workflow run step runs command-line programs using the operating system's shell. You can modify these commands and add more commands to customize the build process.

- run: |
  make bootstrap
  make release

For more information about the run keyword, see "Workflow syntax for GitHub Actions."

If your repository contains multiple compiled languages, you can specify language-specific build commands. For example, if your repository contains C/C++, C# and Java, and autobuild correctly builds C/C++ and C# but fails to build Java, you could use the following configuration in your workflow, after the init step. This specifies build steps for Java while still using autobuild for C/C++ and C#:

- if: matrix.language == 'cpp' || matrix.language == 'csharp' 
  name: Autobuild
  uses: github/codeql-action/autobuild@v1

- if: matrix.language == 'java' 
  name: Build Java
  run: |
    make bootstrap
    make release

For more information about the if conditional, see "Workflow syntax for GitHub Actions."

For more tips and tricks about why autobuild won't build your code, see "Troubleshooting the CodeQL workflow."

If you added manual build steps for compiled languages and escaneo de código is still not working on your repository, contact tu administrador de sitio.