Nota:
El administrador del sitio debe habilitar code scanning antes de que puedas utilizar esta característica. Si quieres utilizar GitHub Actions para escanear tu código, el administrador de sitio también puede habilitar las GitHub Actions y configurar la infraestructura que se requiera. Para más información, consulta Configuración la digitalización de código para el dispositivo.
Compare build modes
| Build mode characteristic | None | Autobuild | Manual |
|---|---|---|---|
| Used by default setup and for organization-level enablement | Yes (C/C++, C#, Java y Rust) | Yes, where none is not supported | No |
| Analysis succeeds without user configuration | Yes | Variable | No |
| Completeness of analysis | Generated code not analyzed | Variable | User controlled |
| Accuracy of analysis | Good | Good | Best |
Choose a build mode
When you are setting up code scanning for the first time, or across multiple repositories, it's best to use default setup. Default setup uses the simplest method available to generate a CodeQL database and analyze your code, so that you can start fixing alerts as soon as possible. Once you have resolved the initial alerts, you may want to switch to advanced setup with a manual build process for high risk repositories.
For language-specific autobuild behavior, runner requirements, and build-mode details for compiled languages, see Opciones y pasos de compilación de CodeQL para lenguajes compilados.
Use multiple build modes in a multi-language repository
For repositories with multiple compiled languages, you can use different build modes for different languages. For example, if your repository contains C/C++, C# and Java, you might want to provide manual build steps for one language (here C/C++). This workflow specifies a different build mode for each language.
strategy:
matrix:
include:
# Analyzes C and C++ code using the commands in `Build C and C++ code`
- language: c-cpp
build-mode: manual
# Analyzes C# code by automatically detecting a build
- language: csharp
build-mode: autobuild
# Analyzes Java code directly from the codebase without a build
- language: java-kotlin
build-mode: none # analyzes Java only
steps:
- name: Checkout repository
uses: actions/checkout@v5
# Initializes CodeQL tools and creates a codebase for analysis.
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
- if: ${{ matrix.build-mode == 'manual' }}
name: Build C and C++ code
run: |
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
'your code, for example:'
echo ' make bootstrap'
echo ' make release'
exit 1
For information about the languages, libraries, and frameworks that are supported in the latest version of CodeQL, see Supported languages and frameworks in the CodeQL documentation. For information about the system requirements for running the latest version of CodeQL, see System requirements in the CodeQL documentation.
Enable dependency caching for CodeQL
For default setup workflows, dependency caching is enabled only for GitHub-hosted runners in public and private repositories.
For advanced setup workflows, dependency caching is disabled by default. To enable dependency caching for CodeQL, use the dependency-caching setting for the CodeQL action in your advanced setup workflow. This setting accepts the following values:
false/none/off: Dependency caching is disabled (default)restore: Only restore existing caches, do not store new cachesstore: Only store new caches, do not restore existing cachestrue/full/on: Restore existing caches, and store new caches
For example, the following settings would enable dependency caching for the CodeQL action:
# Initializes CodeQL with dependency caching enabled
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: java
dependency-caching: true
Use none build mode for CodeQL
For C/C++, C#, Java y Rust, CodeQL creates a database without requiring a build when you enable default setup for code scanning unless the repository also includes Kotlin code. If a repository contains Kotlin code in addition to Java code, default setup is enabled with the autobuild process because Kotlin analysis requires a build.
Creating a CodeQL database without a build may produce less accurate results than using autobuild or manual build steps if:
- The build scripts cannot be queried for dependency information, and dependency guesses are inaccurate.
- The repository normally generates code during the build process.
To use autobuild or manual build steps, you can use advanced setup.
Nota:
For Java analysis, if build-mode is set to none and Kotlin code is found in the repository, the Kotlin code will not be analyzed and a warning will be produced. See Opciones y pasos de compilación de CodeQL para lenguajes compilados.
Use autobuild for CodeQL
The CodeQL action uses autobuild to analyze compiled languages in the following cases.
- Default setup is enabled and the language does not support
nonebuild (supported for C/C++, C#, Java y Rust). - Advanced setup is enabled and the workflow specifies
build-mode: autobuild. - Advanced setup is enabled and the workflow has an Autobuild step for the language using the
autobuildaction (github/codeql-action/autobuild@v4).
Use the build-mode option
# Initializes the CodeQL tools for scanning.
name: Analyze
strategy:
matrix:
include:
# Analyze C and C++ code
- language: c-cpp
build-mode: autobuild
# Analyze Go code
- language: go
build-mode: autobuild
steps:
- uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
Use the Autobuild step
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
- name: Autobuild
uses: github/codeql-action/autobuild@v4
Specify build steps manually
You can only specify manual build steps if you have enabled advanced setup, see Configuring advanced setup for code scanning.
Si se produce un error en autobuild, o si quieres analizar otro conjunto de archivos de origen de los compilados por el proceso autobuild, tendrás que hacer lo siguiente:
- Si el flujo de trabajo especifica un modo de compilación para el lenguaje, cambie el modo de compilación a
manual. - Si el flujo de trabajo contiene un paso
autobuild, elimine o convierta en comentario el pasoautobuilden el flujo de trabajo.
Después, quita la marca de comentario del paso run y especifica manualmente el proceso de compilación que se va a usar. Para C/C++, C#, Go, Java, Kotlin y Swift, CodeQL analizará cualquier código fuente generado por los pasos de compilación que hayas especificado.
Update your workflow to define the build-mode as manual.
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
build-mode: manual
- uses: github/codeql-action/analyze@v4
with:
category: "/language:${{ matrix.language }}"
Alternatively, update your workflow to comment out the "Autobuild" step.
# Autobuild attempts to build any compiled languages.
# - name: Autobuild
# uses: github/codeql-action/autobuild@v4
Add build commands
When manual building is enabled, uncomment the run step in the workflow and add build commands that are suitable for your repository. The run step runs command-line programs using the operating system's shell. You can modify these commands and add more commands to customize the build process.
- run: |
make bootstrap
make release
For more information about the run keyword, see Sintaxis del flujo de trabajo para GitHub Actions.
If you added manual build steps for compiled languages and code scanning is still not working on your repository, contact el administrador del sitio.