Hinweis
Der Websiteadministrator muss code scanning aktivieren, damit du dieses Feature verwenden kannst. Wenn du GitHub Actions zum Überprüfen deines Codes verwenden möchtest, muss der Websiteadministrator auch GitHub Actions aktivieren und die erforderliche Infrastruktur einrichten. Weitere Informationen finden Sie unter Konfigurieren der Codeüberprüfung für Ihre Anwendung.
Compare build modes
| Build mode characteristic | None | Autobuild | Manual |
|---|---|---|---|
| Used by default setup and for organization-level enablement | Yes (C/C++, C#, Java und Rust) | Yes, where none is not supported | No |
| Analysis succeeds without user configuration | Yes | Variable | No |
| Completeness of analysis | Generated code not analyzed | Variable | User controlled |
| Accuracy of analysis | Good | Good | Best |
Choose a build mode
When you are setting up code scanning for the first time, or across multiple repositories, it's best to use default setup. Default setup uses the simplest method available to generate a CodeQL database and analyze your code, so that you can start fixing alerts as soon as possible. Once you have resolved the initial alerts, you may want to switch to advanced setup with a manual build process for high risk repositories.
For language-specific autobuild behavior, runner requirements, and build-mode details for compiled languages, see CodeQL-Buildoptionen und -schritte für kompilierte Sprachen.
Use multiple build modes in a multi-language repository
For repositories with multiple compiled languages, you can use different build modes for different languages. For example, if your repository contains C/C++, C# and Java, you might want to provide manual build steps for one language (here C/C++). This workflow specifies a different build mode for each language.
strategy:
matrix:
include:
# Analyzes C and C++ code using the commands in `Build C and C++ code`
- language: c-cpp
build-mode: manual
# Analyzes C# code by automatically detecting a build
- language: csharp
build-mode: autobuild
# Analyzes Java code directly from the codebase without a build
- language: java-kotlin
build-mode: none # analyzes Java only
steps:
- name: Checkout repository
uses: actions/checkout@v5
# Initializes CodeQL tools and creates a codebase for analysis.
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
- if: ${{ matrix.build-mode == 'manual' }}
name: Build C and C++ code
run: |
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
'your code, for example:'
echo ' make bootstrap'
echo ' make release'
exit 1
For information about the languages, libraries, and frameworks that are supported in the latest version of CodeQL, see Supported languages and frameworks in the CodeQL documentation. For information about the system requirements for running the latest version of CodeQL, see System requirements in the CodeQL documentation.
Enable dependency caching for CodeQL
For default setup workflows, dependency caching is enabled only for GitHub-hosted runners in public and private repositories.
For advanced setup workflows, dependency caching is disabled by default. To enable dependency caching for CodeQL, use the dependency-caching setting for the CodeQL action in your advanced setup workflow. This setting accepts the following values:
false/none/off: Dependency caching is disabled (default)restore: Only restore existing caches, do not store new cachesstore: Only store new caches, do not restore existing cachestrue/full/on: Restore existing caches, and store new caches
For example, the following settings would enable dependency caching for the CodeQL action:
# Initializes CodeQL with dependency caching enabled
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: java
dependency-caching: true
Use none build mode for CodeQL
For C/C++, C#, Java und Rust, CodeQL creates a database without requiring a build when you enable default setup for code scanning unless the repository also includes Kotlin code. If a repository contains Kotlin code in addition to Java code, default setup is enabled with the autobuild process because Kotlin analysis requires a build.
Creating a CodeQL database without a build may produce less accurate results than using autobuild or manual build steps if:
- The build scripts cannot be queried for dependency information, and dependency guesses are inaccurate.
- The repository normally generates code during the build process.
To use autobuild or manual build steps, you can use advanced setup.
Hinweis
For Java analysis, if build-mode is set to none and Kotlin code is found in the repository, the Kotlin code will not be analyzed and a warning will be produced. See CodeQL-Buildoptionen und -schritte für kompilierte Sprachen.
Use autobuild for CodeQL
The CodeQL action uses autobuild to analyze compiled languages in the following cases.
- Default setup is enabled and the language does not support
nonebuild (supported for C/C++, C#, Java und Rust). - Advanced setup is enabled and the workflow specifies
build-mode: autobuild. - Advanced setup is enabled and the workflow has an Autobuild step for the language using the
autobuildaction (github/codeql-action/autobuild@v4).
Use the build-mode option
# Initializes the CodeQL tools for scanning.
name: Analyze
strategy:
matrix:
include:
# Analyze C and C++ code
- language: c-cpp
build-mode: autobuild
# Analyze Go code
- language: go
build-mode: autobuild
steps:
- uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
Use the Autobuild step
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
- name: Autobuild
uses: github/codeql-action/autobuild@v4
Specify build steps manually
You can only specify manual build steps if you have enabled advanced setup, see Configuring advanced setup for code scanning.
Wenn autobuild fehlschlägt oder du eine andere Gruppe von Quelldateien analysieren möchtest, die vom autobuild-Prozess erstellt wurden, musst du die folgenden Schritte ausführen:
- Wenn Ihr Workflow einen Buildmodus für die Sprache angibt, ändern Sie den Buildmodus in
manual. - Wenn Ihr Workflow einen
autobuild-Schritt vorsieht, entfernen Sie denautobuild-Schritt im Workflow oder kommentieren Sie ihn aus.
Hebe dann die Auskommentierung des Schritts run auf, und gib den zu verwendenden Buildprozess manuell an. Für C/C++, C#, Go, Java, Kotlin und Swift analysiert CodeQL, welcher Quellcode von Ihren angegebenen Buildschritten erstellt wird.
Update your workflow to define the build-mode as manual.
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
build-mode: manual
- uses: github/codeql-action/analyze@v4
with:
category: "/language:${{ matrix.language }}"
Alternatively, update your workflow to comment out the "Autobuild" step.
# Autobuild attempts to build any compiled languages.
# - name: Autobuild
# uses: github/codeql-action/autobuild@v4
Add build commands
When manual building is enabled, uncomment the run step in the workflow and add build commands that are suitable for your repository. The run step runs command-line programs using the operating system's shell. You can modify these commands and add more commands to customize the build process.
- run: |
make bootstrap
make release
For more information about the run keyword, see Workflowsyntax für GitHub Actions.
If you added manual build steps for compiled languages and code scanning is still not working on your repository, contact Ihrer Websiteadministratoren.