English
No results found.

Explore by product

Code security
English
Article version: GitHub.com
Article version: GitHub.com

Troubleshooting the CodeQL workflow

If you're having problems with code scanning, you can troubleshoot by using these tips for resolving issues.

Code scanning is available for all public repositories, and for private repositories owned by organizations where GitHub Advanced Security is enabled. For more information, see "About GitHub Advanced Security."

In this article

Note: For private and internal repositories, code scanning is available when GitHub Advanced Security features are enabled for the repository. If you see the error Advanced Security must be enabled for this repository to use code scanning, check that GitHub Advanced Security is enabled. For more information, see "Managing security and analysis settings for your repository."

Producing detailed logs for debugging

To produce more detailed logging output, you can enable step debug logging. For more information, see "Enabling debug logging."

Automatic build for a compiled language fails

If an automatic build of code for a compiled language within your project fails, try the following troubleshooting steps.

  • Remove the autobuild step from your code scanning workflow and add specific build steps. For information about editing the workflow, see "Configuring code scanning." For more information about replacing the autobuild step, see "Configuring the CodeQL workflow for compiled languages."

  • If your workflow doesn't explicitly specify the languages to analyze, CodeQL implicitly detects the supported languages in your code base. In this configuration, out of the compiled languages C/C++, C#, and Java, CodeQL only analyzes the language with the most source files. Edit the workflow and add a build matrix specifying the languages you want to analyze. The default CodeQL analysis workflow uses such a matrix.

    The following extracts from a workflow show how you can use a matrix within the job strategy to specify languages, and then reference each language within the "Initialize CodeQL" step:

    jobs:
  analyze:
    permissions:
      security-events: write
      actions: read
    ...
    strategy:
      fail-fast: false
      matrix:
        language: ['csharp', 'cpp', 'javascript']

    steps:
    ...
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: ${{ matrix.language }}

    For more information about editing the workflow, see "Configuring code scanning."

No code found during the build

If your workflow fails with an error No source code was seen during the build or The process '/opt/hostedtoolcache/CodeQL/0.0.0-20200630/x64/codeql/codeql' failed with exit code 32, this indicates that CodeQL was unable to monitor your code. Several reasons can explain such a failure:

  1. Automatic language detection identified a supported language, but there is no analyzable code of that language in the repository. A typical example is when our language detection service finds a file associated with a particular programming language like a .h, or .gyp file, but no corresponding executable code is present in the repository. To solve the problem, you can manually define the languages you want to analyze by updating the list of languages in the language matrix. For example, the following configuration will analyze only Go, and JavaScript.

    strategy:
  fail-fast: false
  matrix:
    # Override automatic language detection by changing the list below
    # Supported options are:
    # ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
    language: ['go', 'javascript']

    For more information, see the workflow extract in "Automatic build for a compiled language fails" above.

  2. Your code scanning workflow is analyzing a compiled language (C, C++, C#, or Java), but the code was not compiled. By default, the CodeQL analysis workflow contains an autobuild step, however, this step represents a best effort process, and may not succeed in building your code, depending on your specific build environment. Compilation may also fail if you have removed the autobuild step and did not include build steps manually. For more information about specifying build steps, see "Configuring the CodeQL workflow for compiled languages."

  3. Your workflow is analyzing a compiled language (C, C++, C#, or Java), but portions of your build are cached to improve performance (most likely to occur with build systems like Gradle or Bazel). Since CodeQL observes the activity of the compiler to understand the data flows in a repository, CodeQL requires a complete build to take place in order to perform analysis.

  4. Your workflow is analyzing a compiled language (C, C++, C#, or Java), but compilation does not occur between the init and analyze steps in the workflow. CodeQL requires that your build happens in between these two steps in order to observe the activity of the compiler and perform analysis.

  5. Your compiled code (in C, C++, C#, or Java) was compiled successfully, but CodeQL was unable to detect the compiler invocations. The most common causes are:

    • Running your build process in a separate container to CodeQL. For more information, see "Running CodeQL code scanning in a container."
    • Building using a distributed build system external to GitHub Actions, using a daemon process.
    • CodeQL isn't aware of the specific compiler you are using.

    For .NET Framework projects, and for C# projects using either dotnet build or msbuild that target .NET Core 2, you should specify /p:UseSharedCompilation=false in your workflow's run step, when you build your code. The UseSharedCompilation flag isn't necessary for .NET Core 3.0 and later.

    For example, the following configuration for C# will pass the flag during the first build step.

    - run: |
    dotnet build /p:UseSharedCompilation=false

    If you encounter another problem with your specific compiler or configuration, contact GitHub Support.

For more information about specifying build steps, see "Configuring the CodeQL workflow for compiled languages."

Lines of code scanned are lower than expected

For compiled languages like C/C++, C#, Go, and Java, CodeQL only scans files that are built during the analysis. Therefore the number of lines of code scanned will be lower than expected if some of the source code isn't compiled correctly. This can happen for several reasons:

  1. The CodeQL autobuild feature uses heuristics to build the code in a repository. However, sometimes this approach results in an incomplete analysis of a repository. For example, when multiple build.sh commands exist in a single repository, the analysis may not be complete since the autobuild step will only execute one of the commands, and therefore some source files may not be compiled.
  2. Some compilers do not work with CodeQL and can cause issues while analyzing the code. For example, Project Lombok uses non-public compiler APIs to modify compiler behavior. The assumptions used in these compiler modifications are not valid for CodeQL's Java extractor, so the code cannot be analyzed.

If your CodeQL analysis scans fewer lines of code than expected, there are several approaches you can try to make sure all the necessary source files are compiled.

Replace the autobuild step

Replace the autobuild step with the same build commands you would use in production. This makes sure that CodeQL knows exactly how to compile all of the source files you want to scan. For more information, see "Configuring the CodeQL workflow for compiled languages."

Inspect the copy of the source files in the CodeQL database

You may be able to understand why some source files haven't been analyzed by inspecting the copy of the source code included with the CodeQL database. To obtain the database from your Actions workflow, add an upload-artifact action after the analysis step in your code scanning workflow:

- uses: actions/upload-artifact@v2
  with:
    name: codeql-database
    path: ../codeql-database

This uploads the database as an actions artifact that you can download to your local machine. For more information, see "Storing workflow artifacts."

The artifact will contain an archived copy of the source files scanned by CodeQL called src.zip. If you compare the source code files in the repository and the files in src.zip, you can see which types of file are missing. Once you know what types of file are not being analyzed, it is easier to understand how you may need to change the workflow for CodeQL analysis.

Extraction errors in the database

The CodeQL team constantly works on critical extraction errors to make sure that all source files can be scanned. However, the CodeQL extractors do occasionally generate errors during database creation. CodeQL provides information about extraction errors and warnings generated during database creation in a log file. The extraction diagnostics information gives an indication of overall database health. Most extractor errors do not significantly impact the analysis. A small number of extractor errors is healthy and typically indicates a good state of analysis.

However, if you see extractor errors in the overwhelming majority of files that were compiled during database creation, you should look into the errors in more detail to try to understand why some source files weren't extracted properly.

The build takes too long

If your build with CodeQL analysis takes too long to run, there are several approaches you can try to reduce the build time.

Increase the memory or cores

If you use self-hosted runners to run CodeQL analysis, you can increase the memory or the number of cores on those runners.

Use matrix builds to parallelize the analysis

The default CodeQL analysis workflow uses a build matrix of languages, which causes the analysis of each language to run in parallel. If you have specified the languages you want to analyze directly in the "Initialize CodeQL" step, analysis of each language will happen sequentially. To speed up analysis of multiple languages, modify your workflow to use a matrix. For more information, see the workflow extract in "Automatic build for a compiled language fails" above.

Reduce the amount of code being analyzed in a single workflow

Analysis time is typically proportional to the amount of code being analyzed. You can reduce the analysis time by reducing the amount of code being analyzed at once, for example, by excluding test code, or breaking analysis into multiple workflows that analyze only a subset of your code at a time.

For compiled languages like Java, C, C++, and C#, CodeQL analyzes all of the code which was built during the workflow run. To limit the amount of code being analyzed, build only the code which you wish to analyze by specifying your own build steps in a run block. You can combine specifying your own build steps with using the paths or paths-ignore filters on the pull_request and push events to ensure that your workflow only runs when specific code is changed. For more information, see "Workflow syntax for GitHub Actions."

For interpreted languages like Go, JavaScript, Python, and TypeScript, that CodeQL analyzes without a specific build, you can specify additional configuration options to limit the amount of code to analyze. For more information, see "Specifying directories to scan."

If you split your analysis into multiple workflows as described above, we still recommend that you have at least one workflow which runs on a schedule which analyzes all of the code in your repository. Because CodeQL analyzes data flows between components, some complex security behaviors may only be detected on a complete build.

Run only during a schedule event

If your analysis is still too slow to be run during push or pull_request events, then you may want to only trigger analysis on the schedule event. For more information, see "Events."

Results differ between analysis platforms

If you are analyzing code written in Python, you may see different results depending on whether you run the CodeQL analysis workflow on Linux, macOS, or Windows.

On GitHub-hosted runners that use Linux, the CodeQL analysis workflow tries to install and analyze Python dependencies, which could lead to more results. To disable the auto-install, add setup-python-dependencies: false to the "Initialize CodeQL" step of the workflow. For more information about configuring the analysis of Python dependencies, see "Analyzing Python dependencies."

Error: "Server error"

If the run of a workflow for code scanning fails due to a server error, try running the workflow again. If the problem persists, contact GitHub Support.

Error: "Out of disk" or "Out of memory"

On very large projects, CodeQL may run out of disk or memory on the runner. If you encounter this issue on a hosted GitHub Actions runner, contact GitHub Support so that we can investigate the problem.

Error: 403 "Resource not accessible by integration" when using Dependabot

Dependabot is considered untrusted when it triggers a workflow run, and the workflow will run with read-only scopes. Uploading code scanning results for a branch usually requires the security_events: write scope. However, code scanning always allows the uploading of results when the pull_request event triggers the action run. This is why, for Dependabot branches, we recommend you use the pull_request event instead of the push event.

A simple approach is to run on pushes to the default branch and any other important long-running branches, as well as pull requests opened against this set of branches:

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

An alternative approach is to run on all pushes except for Dependabot branches:

on:
  push:
    branches-ignore:
      - 'dependabot/**'
  pull_request:

Analysis still failing on the default branch

If the CodeQL analysis workflow still fails on a commit made on the default branch, you need to check:

  • whether Dependabot authored the commit
  • whether the pull request that includes the commit has been merged using @dependabot squash and merge

This type of merge commit is authored by Dependabot and therefore, any workflows running on the commit will have read-only permissions. If you enabled code scanning and Dependabot security updates or version updates on your repository, we recommend you avoid using the Dependabot @dependabot squash and merge command. Instead, you can enable auto-merge for your repository. This means that pull requests will be automatically merged when all required reviews are met and status checks have passed. For more information about enabling auto-merge, see "Automatically merging a pull request."

Warning: "git checkout HEAD^2 is no longer necessary"

If you're using an old CodeQL workflow you may get the following warning in the output from the "Initialize CodeQL" action:

Warning: 1 issue was detected with this workflow: git checkout HEAD^2 is no longer 
necessary. Please remove this step as Code Scanning recommends analyzing the merge 
commit for best results.

Fix this by removing the following lines from the CodeQL workflow. These lines were included in the steps section of the Analyze job in initial versions of the CodeQL workflow.

        with:
          # We must fetch at least the immediate parents so that if this is
          # a pull request then we can checkout the head.
          fetch-depth: 2

      # If this run was triggered by a pull request event, then checkout
      # the head of the pull request instead of the merge commit.
      - run: git checkout HEAD^2
        if: ${{ github.event_name == 'pull_request' }}

The revised steps section of the workflow will look like this:

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1

      ...

For more information about editing the CodeQL workflow file, see "Configuring code scanning."

Did this doc help you?Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Or, learn how to contribute.