Note: This article describes the features available with the version of the CodeQL action and associated CodeQL CLI bundle included in the initial release of this version of GitHub Enterprise Server. If your enterprise uses a more recent version of the CodeQL action, see the GitHub Enterprise Cloud version of this article for information on the latest features. For information on using the latest version, see "Configuring code scanning for your appliance."
If your build with CodeQL analysis takes too long to run, there are several approaches you can try to reduce the build time.
Increase the memory or cores
If you use self-hosted runners to run CodeQL analysis, you can increase the memory or the number of cores on those runners.
Use matrix builds to parallelize the analysis
The default CodeQL analysis workflow uses a matrix of languages, which causes the analysis of each language to run in parallel. If you have specified the languages you want to analyze directly in the "Initialize CodeQL" step, analysis of each language will happen sequentially. To speed up analysis of multiple languages, modify your workflow to use a matrix. For more information, see the workflow extract in "Automatic build for a compiled language fails" above.
Reduce the amount of code being analyzed in a single workflow
Analysis time is typically proportional to the amount of code being analyzed. You can reduce the analysis time by reducing the amount of code being analyzed at once, for example, by excluding test code, or breaking analysis into multiple workflows that analyze only a subset of your code at a time.
For compiled languages like Java, C, C++, and C#, CodeQL analyzes all of the code which was built during the workflow run. To limit the amount of code being analyzed, build only the code which you wish to analyze by specifying your own build steps in a run
block. You can combine specifying your own build steps with using the paths
or paths-ignore
filters on the pull_request
and push
events to ensure that your workflow only runs when specific code is changed. For more information, see "Workflow syntax for GitHub Actions."
For languages like Go, JavaScript, Python, and TypeScript, that CodeQL analyzes without compiling the source code, you can specify additional configuration options to limit the amount of code to analyze. For more information, see "Customizing code scanning."
If you split your analysis into multiple workflows as described above, we still recommend that you have at least one workflow which runs on a schedule
which analyzes all of the code in your repository. Because CodeQL analyzes data flows between components, some complex security behaviors may only be detected on a complete build.
Run only during a schedule
event
If your analysis is still too slow to be run during push
or pull_request
events, then you may want to only trigger analysis on the schedule
event. For more information, see "Understanding GitHub Actions."
Check which query suites the workflow runs
By default, there are three main query suites available for each language. If you have optimized the CodeQL database build and the process is still too long, you could reduce the number of queries you run. The default query suite is run automatically; it contains the fastest security queries with the lowest rates of false positive results.
You may be running extra queries or query suites in addition to the default queries. Check whether the workflow defines an additional query suite or additional queries to run using the queries
element. You can experiment with disabling the additional query suite or queries. For more information, see "Customizing code scanning."