jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-19 18:10:59 -05:00
Code Issues Projects Releases Wiki Activity
Files
5e4b32c59b97d065deaf711d39711060f27ee650
docs/content/github/finding-security-vulnerabilities-and-errors-in-your-code/running-codeql-code-scanning-in-a-container.md
hubwriter de28b750d1 Configure GITHUB_TOKEN permissions (#18348) 
* Add 'permissions' to reference page

* Final set of pre-review changes

* Update content/actions/learn-github-actions/security-hardening-for-github-actions.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update data/reusables/github-actions/workflow-permissions-intro.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update data/reusables/github-actions/publish-to-packages-workflow-step.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/guides/publishing-nodejs-packages.md

* Update content/actions/guides/publishing-java-packages-with-gradle.md

* Update content/actions/guides/publishing-java-packages-with-maven.md

* Update content/actions/guides/publishing-nodejs-packages.md

* Update content/actions/reference/authentication-in-a-workflow.md

* Update content/actions/reference/authentication-in-a-workflow.md

* Update content/actions/reference/authentication-in-a-workflow.md

* Update content/actions/reference/authentication-in-a-workflow.md

* Update content/actions/learn-github-actions/security-hardening-for-github-actions.md

* Update content/actions/reference/authentication-in-a-workflow.md

* Update content/actions/reference/workflow-syntax-for-github-actions.md

* Update content/actions/reference/workflow-syntax-for-github-actions.md

* Update content/actions/reference/workflow-syntax-for-github-actions.md

* Update content/github/administering-a-repository/disabling-or-limiting-github-actions-for-a-repository.md

* Update content/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization.md

* Update content/github/setting-up-and-managing-your-enterprise/enforcing-github-actions-policies-in-your-enterprise-account.md

* Update content/packages/guides/using-github-packages-with-github-actions.md

* Make review comment changes (locally)

* Resolve conflicts caused by remotely made review changes

* Remove translation file changes from PR.

* Remove rogue indentation in Important box

* Remove sentence about default being set to restricted.

This *will* be the case for new repos in future,
but that isn't being shipped at the moment.

* Add permissions to workflow examples (#18393)

Co-authored-by: Sarah Edwards <skedwards88@github.com>
2021-04-20 15:49:38 +00:00

75 lines
4.1 KiB
Markdown
Raw Blame History

---
title: Running CodeQL code scanning in a container
shortTitle: '{% data variables.product.prodname_code_scanning_capc %} in a container'
intro: 'You can run {% data variables.product.prodname_code_scanning %} in a container by ensuring that all processes run in the same container.'
product: '{% data reusables.gated-features.code-scanning %}'
versions:
enterprise-server: '2.22'
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->
{% data reusables.code-scanning.beta %}
### About {% data variables.product.prodname_code_scanning %} with a containerized build
If you're setting up {% data variables.product.prodname_code_scanning %} for a compiled language, and you're building the code in a containerized environment, the analysis may fail with the error message "No source code was seen during the build." This indicates that {% data variables.product.prodname_codeql %} was unable to monitor your code as it was compiled.
You must run {% data variables.product.prodname_codeql %} in the same container in which you build your code. This applies whether you are using the {% data variables.product.prodname_codeql_runner %}, or {% data variables.product.prodname_actions %}. If you're using the {% data variables.product.prodname_codeql_runner %}, run it in the container where your code builds. For more information about the {% data variables.product.prodname_codeql_runner %}, see "[Running {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} in your CI system](/github/finding-security-vulnerabilities-and-errors-in-your-code/running-codeql-code-scanning-in-your-ci-system)." If you're using {% data variables.product.prodname_actions %}, configure your workflow to run all the actions in the same container. For more information, see "[Example workflow](#example-workflow)."
### Dependencies
You may have difficulty running {% data variables.product.prodname_code_scanning %} if the container you're using is missing certain dependencies (for example, Git must be installed and added to the PATH variable). If you encounter dependency issues, review the list of software typically included on {% data variables.product.prodname_dotcom %}'s virtual environments. For more information, see the version-specific `readme` files in these locations:
* Linux: https://github.com/actions/virtual-environments/tree/main/images/linux
* macOS: https://github.com/actions/virtual-environments/tree/main/images/macos
* Windows: https://github.com/actions/virtual-environments/tree/main/images/win
### Example workflow
This sample workflow uses {% data variables.product.prodname_actions %} to run {% data variables.product.prodname_codeql %} analysis in a containerized environment. The value of `container.image` identifies the container to use. In this example the image is named `codeql-container`, with a tag of `f0f91db`. For more information, see "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idcontainer)."
``` yaml
name: "{% data variables.product.prodname_codeql %}"
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '45 15 * * 2'
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.1" or currentVersion == "github-ae@next" %}
permissions:
security-events: write
actions: read{% endif %}
strategy:
fail-fast: false
matrix:
language: [java]
# Specify the container in which actions will run
container:
image: codeql-container:f0f91db
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Initialize {% data variables.product.prodname_codeql %}
uses: github/codeql-action/init@v1
with:
languages: {% raw %}${{ matrix.language }}{% endraw %}
- name: Build
run: |
./configure
make
- name: Perform {% data variables.product.prodname_codeql %} Analysis
uses: github/codeql-action/analyze@v1
```
Reference in New Issue View Git Blame Copy Permalink