About CodeQL code scanning for compiled languages

Understand how CodeQL analyzes compiled languages, the build options available, and learn how you can customize the database generation process if you need to.

谁可以使用此功能?

具有写入访问权限的用户 if advanced setup is already enabled

Code scanning 可用于以下存储库类型:

  • GitHub.com 上的公共存储库
  • GitHub Team、GitHub Enterprise Cloud 或 GitHub Enterprise Server 上的组织拥有的存储库,已启用 GitHub Code Security

本文内容

About the CodeQL 分析工作流程 and compiled languages

Code scanning works by running queries against one or more CodeQL databases. Each database contains a representation of the code in a single language in your repository. For the compiled languages C/C++、C#、Go、Java、Kotlin、Rust(公共预览版)、和 Swift, the process of populating this database often involves building the code and extracting data.

When you enable code scanning, both default and advanced setup generate a CodeQL database for analysis using the simplest method available. For C# 和 Java, the CodeQL database is generated directly from the codebase without requiring a build (none build mode). For other compiled languages, CodeQL builds the codebase using the autobuild build mode. Alternatively, you can use the manual build mode to specify explicit build commands to analyze only the files that are built by these custom commands.

You can use dependency caching with CodeQL to store dependencies as a GitHub Actions cache instead of downloading them from registries. See About dependency caching for CodeQL later in this article.

CodeQL build modes

The CodeQL action supports three different build modes for compiled languages:

  • none - the CodeQL database is created directly from the codebase without building the codebase (supported for all interpreted languages, and additionally supported for C# 和 Java).
  • autobuild - CodeQL detects the most likely build method and uses this to attempt to build the codebase and create a database for analysis (supported for C/C++、C#、Go、Java、Kotlin 和 Swift).
  • manual - you define the build steps to use for the codebase in the workflow (supported for C/C++、C#、Go、Java、Kotlin 和 Swift).

For language-specific autobuild behavior, runner requirements, and guidance for manual builds, see CodeQL build options and steps for compiled languages.

About dependency caching for CodeQL

You can use dependency caching with CodeQL to store dependencies as a GitHub Actions cache instead of downloading them from registries. This reduces the risk of losing alerts when third party registries don't work well, and may result in a performance improvement for projects that have a large number of dependencies or work with slow registries. To read more about how caching dependencies can speed up workflows, see 依赖项缓存参考.

Dependency caching works with all build modes, and is supported by Java、Go 和 C#.

注意

Using dependency caching will store CodeQL-specific caches that will be subject to cache quotas for a repository. See 依赖项缓存参考.