
This version of GitHub Enterprise Server will be discontinued on 2026-04-09. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise Server. For help with upgrading, contact GitHub Enterprise support.

CodeQL code scanning for compiled languages

Understand how CodeQL analyzes compiled languages, the build options available, and learn how you can customize the database generation process if you need to.

Who can use this feature?

Users with write access, if advanced setup is already enabled

Code scanning is available for the following repository types:

  • Public repositories on GitHub.com
  • Organization-owned repositories on GitHub Team, GitHub Enterprise Cloud, or GitHub Enterprise Server with GitHub Advanced Security enabled

Note

A site administrator must enable code scanning before you can use this feature. To scan code using GitHub Actions, the site administrator must also enable GitHub Actions and set up the required infrastructure. For more information, see Configuring code scanning for your appliance.

Compare build modes

| Build mode characteristic | None | Autobuild | Manual |
|---|---|---|---|
| Used by default setup and for organization-level enablement | Yes (C# and Java) | Yes, where none is not supported | No |
| Analysis succeeds without user configuration | Yes | Variable | No |
| Completeness of analysis | Generated code not analyzed | Variable | User controlled |
| Accuracy of analysis | Good | Good | Best |

Choose a build mode

When you are setting up code scanning for the first time, or across multiple repositories, it's best to use default setup. Default setup uses the simplest method available to generate a CodeQL database and analyze your code, so that you can start fixing alerts as soon as possible. Once you have resolved the initial alerts, you may want to switch to advanced setup with a manual build process for high risk repositories.

For language-specific autobuild behavior, runner requirements, and build-mode details for compiled languages, see CodeQL build options and steps for compiled languages.

Use multiple build modes in a multi-language repository

For repositories with multiple compiled languages, you can use different build modes for different languages. For example, if your repository contains C/C++, C# and Java, you might want to provide manual build steps for one language (here C/C++). This workflow specifies a different build mode for each language.

strategy:
  matrix:
    include:
      # Analyzes C and C++ code using the commands in `Build C and C++ code`
      - language: c-cpp
        build-mode: manual
      # Analyzes C# code by automatically detecting a build
      - language: csharp
        build-mode: autobuild
      # Analyzes Java code directly from the codebase without a build
      - language: java-kotlin
        build-mode: none # analyzes Java only
steps:
- name: Checkout repository
  uses: actions/checkout@v5

# Initializes CodeQL tools and creates a codebase for analysis.
- name: Initialize CodeQL
  uses: github/codeql-action/init@v4
  with:
    languages: ${{ matrix.language }}
    # Pass each language's build mode from the matrix to CodeQL
    build-mode: ${{ matrix.build-mode }}
- if: ${{ matrix.build-mode == 'manual' }}
  name: Build C and C++ code
  run: |
    echo 'If you are using a "manual" build mode for one or more of the' \
      'languages you are analyzing, replace this with the commands to build' \
      'your code, for example:'
    echo ' make bootstrap'
    echo ' make release'
    exit 1

For information about the languages, libraries, and frameworks that are supported in the latest version of CodeQL, see Supported languages and frameworks in the CodeQL documentation. For information about the system requirements for running the latest version of CodeQL, see System requirements in the CodeQL documentation.

Use none build mode for CodeQL

For C# and Java, CodeQL creates a database without requiring a build when you enable default setup for code scanning, unless the repository also includes Kotlin code. If a repository contains Kotlin code in addition to Java code, default setup is enabled with the autobuild process because Kotlin analysis requires a build.

Creating a CodeQL database without a build may produce less accurate results than using autobuild or manual build steps if:

  • The build scripts cannot be queried for dependency information, and dependency guesses are inaccurate.
  • The repository normally generates code during the build process.

To use autobuild or manual build steps, you can use advanced setup.

Note

For Java analysis, if build-mode is set to none and Kotlin code is found in the repository, the Kotlin code will not be analyzed and a warning will be produced. See CodeQL build options and steps for compiled languages.

Use autobuild for CodeQL

The CodeQL action uses autobuild to analyze compiled languages in the following cases.

  • Default setup is enabled and the language does not support the none build mode (supported for C# and Java).
  • Advanced setup is enabled and the workflow specifies build-mode: autobuild.
  • Advanced setup is enabled and the workflow has an Autobuild step for the language using the autobuild action (github/codeql-action/autobuild@v4).

Use the build-mode option

# Initializes the CodeQL tools for scanning.
name: Analyze
strategy:
  matrix:
    include:
      # Analyze C and C++ code
      - language: c-cpp
        build-mode: autobuild
      # Analyze Go code
      - language: go
        build-mode: autobuild

steps:
  - uses: github/codeql-action/init@v4
    with:
      languages: ${{ matrix.language }}
      build-mode: ${{ matrix.build-mode }}

Use the Autobuild step

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v4
      with:
        languages: ${{ matrix.language }}

    - name: Autobuild
      uses: github/codeql-action/autobuild@v4

Specify build steps manually

You can only specify manual build steps if you have enabled advanced setup, see Configuring advanced setup for code scanning.

If autobuild fails, or if you want to analyze a different set of source files from those built by the autobuild process, you'll need to do the following:

  • If your workflow specifies a build mode for the language, change the build mode to manual.
  • If your workflow has an autobuild step, remove or comment out the autobuild step.

Then uncomment the run step and specify the build process to use yourself. For C/C++, C#, Go, Java, Kotlin, and Swift, CodeQL analyzes all source code that is built by the build steps you specify.

Update your workflow to define the build-mode as manual.

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
  uses: github/codeql-action/init@v4
  with:
    languages: ${{ matrix.language }}
    build-mode: manual
- uses: github/codeql-action/analyze@v4
  with:
    category: "/language:${{ matrix.language }}"

Alternatively, update your workflow to comment out the "Autobuild" step.

    # Autobuild attempts to build any compiled languages.
    # - name: Autobuild
    #  uses: github/codeql-action/autobuild@v4

Add build commands

When manual building is enabled, uncomment the run step in the workflow and add build commands that are suitable for your repository. The run step runs command-line programs using the operating system's shell. You can modify these commands and add more commands to customize the build process.

- run: |
    make bootstrap
    make release

For more information about the run keyword, see Workflow syntax for GitHub Actions.
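The fragments above, the per-language matrix from "Use multiple build modes in a multi-language repository" and the manual build-mode, build-command and analyze steps from this section, fit together into one complete workflow file. The following is an added example and not a snippet from GitHub's documentation: the trigger branches, the weekly schedule, the job name, and the ./configure and make build commands (which assume an autotools-style C/C++ project) are assumptions to replace with your repository's own values.

```yaml
name: "CodeQL (mixed build modes)"

on:
  push:
    branches: [ "main" ]          # assumption: default branch is main
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "30 3 * * 1"          # constructed weekly schedule

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    # Least-privilege token: only the results upload needs write access.
    permissions:
      security-events: write      # upload code scanning results
      actions: read               # read workflow runs (private repositories)
      contents: read              # check out the source

    strategy:
      fail-fast: false            # keep analyzing the other languages if one fails
      matrix:
        include:
          # C/C++: CodeQL observes the compiler, so the repository's real build runs below.
          - language: c-cpp
            build-mode: manual
          # C#: CodeQL detects and runs the build itself.
          - language: csharp
            build-mode: autobuild
          # Java: analyzed without a build; any Kotlin files are skipped with a warning.
          - language: java-kotlin
            build-mode: none

    steps:
      - name: Checkout repository
        uses: actions/checkout@v5

      # Passing build-mode here means no separate Autobuild step is needed
      # for the autobuild entry.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      # Runs only for the manual entry. These two commands are an assumption
      # (an autotools-style project); replace them with your own build.
      - name: Build C and C++ code
        if: ${{ matrix.build-mode == 'manual' }}
        run: |
          ./configure
          make -j"$(nproc)"

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{ matrix.language }}"
```

Two points worth checking when adapting this: the manual build step must compile every source file you expect to see in results, since files the build skips are never in the database; and a build that runs under the wrong condition (or an Autobuild step left in alongside build-mode) leads to failed or duplicated builds, so keep the if: condition tied to the matrix value.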

If you added manual build steps for compiled languages and code scanning is still not working on your repository, contact your site administrator.