对编译语言进行 CodeQL 代码扫描

了解 CodeQL 如何分析已编译语言、提供哪些生成选项,以及如何在需要时自定义数据库生成流程。

谁可以使用此功能?

具有写入访问权限的用户 if advanced setup is already enabled

Code scanning 可用于以下存储库类型:

  • GitHub.com 上的公共存储库
  • GitHub Team、GitHub Enterprise Cloud 或 GitHub Enterprise Server 上的组织拥有的存储库,已启用 GitHub Code Security

本文内容

Compare build modes

Build mode characteristicNoneAutobuildManual
Used by default setup and for organization-level enablementYes (C/C++, C#, Java and Rust)Yes, where none is not supportedNo
Analysis succeeds without user configurationYesVariableNo
Completeness of analysisGenerated code not analyzedVariableUser controlled
Accuracy of analysisGoodGoodBest

Choose a build mode

When you are setting up code scanning for the first time, or across multiple repositories, it's best to use default setup. Default setup uses the simplest method available to generate a CodeQL database and analyze your code, so that you can start fixing alerts as soon as possible. Once you have resolved the initial alerts, you may want to switch to advanced setup with a manual build process for high risk repositories.

For language-specific autobuild behavior, runner requirements, and build-mode details for compiled languages, see CodeQL build options and steps for compiled languages.

Use multiple build modes in a multi-language repository

For repositories with multiple compiled languages, you can use different build modes for different languages. For example, if your repository contains C/C++, C# and Java, you might want to provide manual build steps for one language (here C/C++). This workflow specifies a different build mode for each language.

strategy:
  matrix:
    include:
      # Analyzes C and C++ code using the commands in `Build C and C++ code`
      - language: c-cpp
        build-mode: manual
      # Analyzes C# code by automatically detecting a build
      - language: csharp
        build-mode: autobuild
      # Analyzes Java code directly from the codebase without a build
      - language: java-kotlin
        build-mode: none # analyzes Java only
steps:
- name: Checkout repository
  uses: actions/checkout@v5

# Initializes CodeQL tools and creates a codebase for analysis.
- name: Initialize CodeQL
  uses: github/codeql-action/init@v4
  with:
    languages: ${{ matrix.language }}
- if: ${{ matrix.build-mode == 'manual' }}
  name: Build C and C++ code
  run: |
    echo 'If you are using a "manual" build mode for one or more of the' \
      'languages you are analyzing, replace this with the commands to build' \
      'your code, for example:'
    echo ' make bootstrap'
    echo ' make release'
    exit 1

For information about the languages, libraries, and frameworks that are supported in the latest version of CodeQL, see Supported languages and frameworks in the CodeQL documentation. For information about the system requirements for running the latest version of CodeQL, see System requirements in the CodeQL documentation.

Enable dependency caching for CodeQL

For default setup workflows, dependency caching is enabled only for GitHub-hosted runners in public and private repositories.

For advanced setup workflows, dependency caching is disabled by default. To enable dependency caching for CodeQL, use the dependency-caching setting for the CodeQL action in your advanced setup workflow. This setting accepts the following values:

  • false/none/off: Dependency caching is disabled (default)
  • restore: Only restore existing caches, do not store new caches
  • store: Only store new caches, do not restore existing caches
  • true/full/on: Restore existing caches, and store new caches

For example, the following settings would enable dependency caching for the CodeQL action:

    # Initializes CodeQL with dependency caching enabled
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v4
      with:
        languages: java
        dependency-caching: true

Use none build mode for CodeQL

For C/C++, C#, Java and Rust, CodeQL creates a database without requiring a build when you enable default setup for code scanning unless the repository also includes Kotlin code. If a repository contains Kotlin code in addition to Java code, default setup is enabled with the autobuild process because Kotlin analysis requires a build.

Creating a CodeQL database without a build may produce less accurate results than using autobuild or manual build steps if:

  • The build scripts cannot be queried for dependency information, and dependency guesses are inaccurate.
  • The repository normally generates code during the build process.

To use autobuild or manual build steps, you can use advanced setup.

注意

For Java analysis, if build-mode is set to none and Kotlin code is found in the repository, the Kotlin code will not be analyzed and a warning will be produced. See CodeQL build options and steps for compiled languages.

Use autobuild for CodeQL

The CodeQL action uses autobuild to analyze compiled languages in the following cases.

  • Default setup is enabled and the language does not support none build (supported for C/C++, C#, Java and Rust).
  • Advanced setup is enabled and the workflow specifies build-mode: autobuild.
  • Advanced setup is enabled and the workflow has an Autobuild step for the language using the autobuild action (github/codeql-action/autobuild@v4).

Use the build-mode option

# Initializes the CodeQL tools for scanning.
name: Analyze
strategy:
  matrix:
    include:
      # Analyze C and C++ code
      - language: c-cpp
        build-mode: autobuild
      # Analyze Go code
      - language: go
        build-mode: autobuild

steps:
  - uses: github/codeql-action/init@v4
    with:
      languages: ${{ matrix.language }}
      build-mode: ${{ matrix.build-mode }}

Use the Autobuild step

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v4
      with:
        languages: ${{ matrix.language }}

    - name: Autobuild
      uses: github/codeql-action/autobuild@v4

Specify build steps manually

You can only specify manual build steps if you have enabled advanced setup, see Configuring advanced setup for code scanning.

If autobuild fails, or you want to analyze a different set of source files from those built by the autobuild process, you'll need to do the following:

  • If your workflow specifies a build mode for the language, change the build mode to manual.
  • If your workflow contains an autobuild step, remove or comment out the autobuild step in the workflow.

Then uncomment the run step and manually specify the build process to use. For C/C++, C#, Go, Java, Kotlin, and Swift, CodeQL will analyze whatever source code is built by your specified build steps.

Update your workflow to define the build-mode as manual.

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v4
  with:
    languages: ${{ matrix.language }}
    build-mode: manual
- uses: github/codeql-action/analyze@v4
  with:
    category: "/language:${{ matrix.language }}"

Alternatively, update your workflow to comment out the "Autobuild" step.

    # Autobuild attempts to build any compiled languages.
    # - name: Autobuild
    #  uses: github/codeql-action/autobuild@v4

Add build commands

When manual building is enabled, uncomment the run step in the workflow and add build commands that are suitable for your repository. The run step runs command-line programs using the operating system's shell. You can modify these commands and add more commands to customize the build process.

- run: |
    make bootstrap
    make release

For more information about the run keyword, see Workflow syntax for GitHub Actions.

If you added manual build steps for compiled languages and code scanning is still not working on your repository, contact us through the GitHub Support portal.