8.9 KiB
title, shortTitle, intro, product, permissions, redirect_from, versions, type, topics
| title | shortTitle | intro | product | permissions | redirect_from | versions | type | topics | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Configuring the CodeQL workflow for compiled languages | Configuring for compiled languages | You can configure how {% data variables.product.prodname_dotcom %} uses the {% data variables.product.prodname_codeql_workflow %} to scan code written in compiled languages for vulnerabilities and errors. | {% data reusables.gated-features.code-scanning %} | If you have write permissions to a repository, you can configure {% data variables.product.prodname_code_scanning %} for that repository. |
|
|
how_to |
|
{% data reusables.code-scanning.beta %} {% data reusables.code-scanning.enterprise-enable-code-scanning-actions %}
About the {% data variables.product.prodname_codeql_workflow %} and compiled languages
You set up {% data variables.product.prodname_dotcom %} to run {% data variables.product.prodname_code_scanning %} for your repository by adding a {% data variables.product.prodname_actions %} workflow to the repository. For {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}, you add the {% data variables.product.prodname_codeql_workflow %}. For more information, see "Setting up {% data variables.product.prodname_code_scanning %} for a repository."
{% data reusables.code-scanning.edit-workflow %} For general information about configuring {% data variables.product.prodname_code_scanning %} and editing workflow files, see "Configuring {% data variables.product.prodname_code_scanning %}" and "Learn {% data variables.product.prodname_actions %}."
About autobuild for {% data variables.product.prodname_codeql %}
Code scanning works by running queries against one or more databases. Each database contains a representation of all of the code in a single language in your repository. For the compiled languages C/C++, C#, and Java, the process of populating this database involves building the code and extracting data. {% data reusables.code-scanning.analyze-go %}
{% data reusables.code-scanning.autobuild-compiled-languages %}
If your workflow uses a language matrix, autobuild attempts to build each of the compiled languages listed in the matrix. Without a matrix autobuild attempts to build the supported compiled language that has the most source files in the repository. With the exception of Go, analysis of other compiled languages in your repository will fail unless you supply explicit build commands.
{% note %}
{% if currentVersion == "github-ae@latest" %}Note: For instructions on how to make sure your {% data variables.actions.hosted_runner %} has the required software installed, see "Creating custom images."
{% else %}
Note: If you use self-hosted runners for {% data variables.product.prodname_actions %}, you may need to install additional software to use the autobuild process. Additionally, if your repository requires a specific version of a build tool, you may need to install it manually. For more information, see "Specifications for {% data variables.product.prodname_dotcom %}-hosted runners".
{% endif %}
{% endnote %}
C/C++
| Supported system type | System name |
|---|---|
| Operating system | Windows, macOS, and Linux |
| Build system | Windows: MSbuild and build scripts Linux and macOS: Autoconf, Make, CMake, qmake, Meson, Waf, SCons, Linux Kbuild, and build scripts |
The behavior of the autobuild step varies according to the operating system that the extraction runs on. On Windows, the autobuild step attempts to autodetect a suitable build method for C/C++ using the following approach:
- Invoke
MSBuild.exeon the solution (.sln) or project (.vcxproj) file closest to the root. Ifautobuilddetects multiple solution or project files at the same (shortest) depth from the top level directory, it will attempt to build all of them. - Invoke a script that looks like a build script—build.bat, build.cmd, and build.exe (in that order).
On Linux and macOS, the autobuild step reviews the files present in the repository to determine the build system used:
- Look for a build system in the root directory.
- If none are found, search subdirectories for a unique directory with a build system for C/C++.
- Run an appropriate command to configure the system.
C#
| Supported system type | System name |
|---|---|
| Operating system | Windows and Linux |
| Build system | .NET and MSbuild, as well as build scripts |
The autobuild process attempts to autodetect a suitable build method for C# using the following approach:
- Invoke
dotnet buildon the solution (.sln) or project (.csproj) file closest to the root. - Invoke
MSbuild(Linux) orMSBuild.exe(Windows) on the solution or project file closest to the root. Ifautobuilddetects multiple solution or project files at the same (shortest) depth from the top level directory, it will attempt to build all of them. - Invoke a script that looks like a build script—build and build.sh (in that order, for Linux) or build.bat, build.cmd, and build.exe (in that order, for Windows).
Java
| Supported system type | System name |
|---|---|
| Operating system | Windows, macOS, and Linux (no restriction) |
| Build system | Gradle, Maven and Ant |
The autobuild process tries to determine the build system for Java codebases by applying this strategy:
- Search for a build file in the root directory. Check for Gradle then Maven then Ant build files.
- Run the first build file found. If both Gradle and Maven files are present, the Gradle file is used.
- Otherwise, search for build files in direct subdirectories of the root directory. If only one subdirectory contains build files, run the first file identified in that subdirectory (using the same preference as for 1). If more than one subdirectory contains build files, report an error.
Adding build steps for a compiled language
{% data reusables.code-scanning.autobuild-add-build-steps %} For information on how to edit the workflow file, see "Configuring {% data variables.product.prodname_code_scanning %}."
After removing the autobuild step, uncomment the run step and add build commands that are suitable for your repository. The workflow run step runs command-line programs using the operating system's shell. You can modify these commands and add more commands to customize the build process.
- run: |
make bootstrap
make release
For more information about the run keyword, see "Workflow syntax for {% data variables.product.prodname_actions %}."
If your repository contains multiple compiled languages, you can specify language-specific build commands. For example, if your repository contains C/C++, C# and Java, and autobuild correctly builds C/C++ and C# but fails to build Java, you could use the following configuration in your workflow, after the init step. This specifies build steps for Java while still using autobuild for C/C++ and C#:
- if: matrix.language == 'cpp' || matrix.language == 'csharp'
name: Autobuild
uses: github/codeql-action/autobuild@v1
- if: matrix.language == 'java'
name: Build Java
run: |
make bootstrap
make release
For more information about the if conditional, see "Workflow syntax for GitHub Actions."
For more tips and tricks about why autobuild won't build your code, see "Troubleshooting the {% data variables.product.prodname_codeql %} workflow."
If you added manual build steps for compiled languages and {% data variables.product.prodname_code_scanning %} is still not working on your repository, contact {% data variables.contact.contact_support %}.