About CodeQL code scanning for compiled languages

Understand how CodeQL analyzes compiled languages, the build options available, and learn how you can customize the database generation process if you need to.

Who can use this feature?

Users with write access if advanced setup is already enabled

Code scanning is available for the following repository types:

  • Public repositories on GitHub.com
  • Organization-owned repositories on GitHub Team, GitHub Enterprise Cloud, or GitHub Enterprise Server, with GitHub Code Security enabled.

In this article

About the CodeQL analysis workflow and compiled languages

Code scanning works by running queries against one or more CodeQL databases. Each database contains a representation of the code in a single language in your repository. For the compiled languages C/C++, C#, Go, Java, Kotlin, Rust, and Swift, the process of populating this database often involves building the code and extracting data.

When you enable code scanning, both default and advanced setup generate a CodeQL database for analysis using the simplest method available. For C/C++, C#, Java and Rust, the CodeQL database is generated directly from the codebase without requiring a build (none build mode). For other compiled languages, CodeQL builds the codebase using the autobuild build mode. Alternatively, you can use the manual build mode to specify explicit build commands to analyze only the files that are built by these custom commands.

You can use dependency caching with CodeQL to store dependencies as a GitHub Actions cache instead of downloading them from registries. See About dependency caching for CodeQL later in this article.

CodeQL build modes

The CodeQL action supports three different build modes for compiled languages:

  • none - the CodeQL database is created directly from the codebase without building the codebase (supported for all interpreted languages, and additionally supported for C/C++, C#, Java and Rust).
  • autobuild - CodeQL detects the most likely build method and uses this to attempt to build the codebase and create a database for analysis (supported for C/C++, C#, Go, Java, Kotlin, and Swift).
  • manual - you define the build steps to use for the codebase in the workflow (supported for C/C++, C#, Go, Java, Kotlin, and Swift).

For language-specific autobuild behavior, runner requirements, and guidance for manual builds, see CodeQL build options and steps for compiled languages.

About dependency caching for CodeQL

You can use dependency caching with CodeQL to store dependencies as a GitHub Actions cache instead of downloading them from registries. This reduces the risk of losing alerts when third party registries don't work well, and may result in a performance improvement for projects that have a large number of dependencies or work with slow registries. To read more about how caching dependencies can speed up workflows, see Dependency caching reference.

Dependency caching works with all build modes, and is supported by Java, Go, and C#.

Note

Using dependency caching will store CodeQL-specific caches that will be subject to cache quotas for a repository. See Dependency caching reference.