Note: Your site administrator must enable code scanning for your GitHub Enterprise Server instance before you can use this feature. If you want to use GitHub Actions to scan your code, the site administrator must also enable GitHub Actions and set up the infrastructure required. For more information, see "Configuring code scanning for your appliance."
Note: This article describes the features available with the version of the CodeQL action and associated CodeQL CLI bundle included in the initial release of this version of GitHub Enterprise Server. If your enterprise uses a more recent version of the CodeQL action, see the GitHub Enterprise Cloud version of this article for information on the latest features. For information on using the latest version, see "Configuring code scanning for your appliance."
About code scanning configuration
You can run code scanning on GitHub Enterprise Server, using GitHub Actions, or from your continuous integration (CI) system. For more information, see "Learn GitHub Actions" or "Using code scanning with your existing CI system."
This article is about running code scanning on GitHub Enterprise Server using actions.
Before you can customize code scanning for a repository, you must configure code scanning by adding a GitHub Actions workflow to the repository. For more information, see "Configuring code scanning."
Typically, you don't need to edit the generated workflow file for code scanning. However, if required, you can edit the workflow to customize some of the settings. For example, you can edit GitHub's CodeQL analysis workflow to specify the frequency of scans, the languages or directories to scan, and what CodeQL code scanning looks for in your code. You might also need to edit the CodeQL analysis workflow if you use a specific set of commands to compile your code.
CodeQL analysis is just one type of code scanning you can do in GitHub. GitHub Marketplace on GitHub.com contains other code scanning workflows you can use. The specific examples given in this article relate to the CodeQL analysis workflow file.
Editing a code scanning workflow
GitHub saves workflow files in the .github/workflows directory of your repository. You can find a workflow you have added by searching for its file name. For example, by default, the workflow file for CodeQL code scanning is called codeql-analysis.yml.
- In your repository, browse to the workflow file you want to edit.
- In the upper right corner of the file view, to open the workflow editor, click .
- After you have edited the file, click Start commit and complete the "Commit changes" form. You can choose to commit directly to the current branch, or create a new branch and start a pull request.
For more information about editing workflow files, see "Learn GitHub Actions."
Configuring frequency
You can configure the CodeQL analysis workflow to scan code on a schedule or when specific events occur in a repository.
Scanning code when someone pushes a change, and whenever a pull request is created, prevents developers from introducing new vulnerabilities and errors into the code. Scanning code on a schedule informs you about the latest vulnerabilities and errors that GitHub, security researchers, and the community discover, even when developers aren't actively maintaining the repository.
Scanning on push
By default, the CodeQL analysis workflow uses the on.push event to trigger a code scan on every push to the default branch of the repository and any protected branches. For code scanning to be triggered on a specified branch, the workflow must exist in that branch. For more information, see "Workflow syntax for GitHub Actions."
If you scan on push, then the results appear in the Security tab for your repository. For more information, see "Managing code scanning alerts for your repository."
Additionally, when an on:push scan returns results that can be mapped to an open pull request, these alerts will automatically appear on the pull request in the same places as other pull request alerts. The alerts are identified by comparing the existing analysis of the head of the branch to the analysis for the target branch. For more information on code scanning alerts in pull requests, see "Triaging code scanning alerts in pull requests."
Scanning pull requests
The default CodeQL analysis workflow uses the pull_request event to trigger a code scan on pull requests targeted against the default branch. The pull_request event is not triggered if the pull request was opened from a private fork.
For more information about the pull_request event, see "Events that trigger workflows."
If you scan pull requests, then the results appear as alerts in a pull request check. For more information, see "Triaging code scanning alerts in pull requests."
Using the pull_request trigger, configured to scan the pull request's merge commit rather than the head commit, will produce more efficient and accurate results than scanning the head of the branch on each push. However, if you use a CI/CD system that cannot be configured to trigger on pull requests, you can still use the on:push trigger and code scanning will map the results to open pull requests on the branch and add the alerts as annotations on the pull request. For more information, see "Scanning on push."
Avoiding unnecessary scans of pull requests
You might want to avoid a code scan being triggered on specific pull requests targeted against the default branch, irrespective of which files have been changed. You can configure this by specifying on:pull_request:paths-ignore or on:pull_request:paths in the code scanning workflow. For example, if the only changes in a pull request are to files with the file extensions .md or .txt you can use the following paths-ignore array.
on:
  push:
    branches: [main, protected]
  pull_request:
    branches: [main]
    paths-ignore:
      - '**/*.md'
      - '**/*.txt'
on:
  push:
    branches: [main, protected]
  pull_request:
    branches: [main]
    paths-ignore:
      - '**/*.md'
      - '**/*.txt'
Notes
- on:pull_request:paths-ignoreand- on:pull_request:pathsset conditions that determine whether the actions in the workflow will run on a pull request. They don't determine what files will be analyzed when the actions are run. When a pull request contains any files that are not matched by- on:pull_request:paths-ignoreor- on:pull_request:paths, the workflow runs the actions and scans all of the files changed in the pull request, including those matched by- on:pull_request:paths-ignoreor- on:pull_request:paths, unless the files have been excluded. For information on how to exclude files from analysis, see "Specifying directories to scan."
- For CodeQL code scanning workflow files, don't use the paths-ignoreorpathskeywords with theon:pushevent as this is likely to cause missing analyses. For accurate results, CodeQL code scanning needs to be able to compare new changes with the analysis of the previous commit.
For more information about using on:pull_request:paths-ignore and on:pull_request:paths to determine when a workflow will run for a pull request, see "Workflow syntax for GitHub Actions."
Scanning on a schedule
If you use the default CodeQL analysis workflow, the workflow will scan the code in your repository once a week, in addition to the scans triggered by events. To adjust this schedule, edit the cron value in the workflow. For more information, see "Workflow syntax for GitHub Actions."
Note: GitHub only runs scheduled jobs that are in workflows on the default branch. Changing the schedule in a workflow on any other branch has no effect until you merge the branch into the default branch.
Example
The following example shows a CodeQL analysis workflow for a particular repository that has a default branch called main and one protected branch called protected.
on:
  push:
    branches: [main, protected]
  pull_request:
    branches: [main]
  schedule:
    - cron: '20 14 * * 1'
on:
  push:
    branches: [main, protected]
  pull_request:
    branches: [main]
  schedule:
    - cron: '20 14 * * 1'
This workflow scans:
- Every push to the default branch and the protected branch
- Every pull request to the default branch
- The default branch every Monday at 14:20 UTC
Specifying an operating system
If your code requires a specific operating system to compile, you can configure the operating system in your CodeQL analysis workflow. Edit the value of jobs.analyze.runs-on to specify the operating system for the machine that runs your code scanning actions. You specify the operating system by using an appropriate label as the second element in a two-element array, after self-hosted.
jobs:
  analyze:
    name: Analyze
    runs-on: [self-hosted, ubuntu-latest]
jobs:
  analyze:
    name: Analyze
    runs-on: [self-hosted, ubuntu-latest]
CodeQL code scanning supports the latest versions of Ubuntu, Windows, and macOS. Typical values for this setting are therefore: ubuntu-latest, windows-latest, and macos-latest. For more information, see "Choosing the runner for a job" and "Using labels with self-hosted runners."
You must ensure that Git is in the PATH variable on your self-hosted runners. For more information, see "About self-hosted runners" and "Adding self-hosted runners."
For recommended specifications (RAM, CPU cores, and disk) for running CodeQL analysis, see "Recommended hardware resources for running CodeQL."
Specifying the location for CodeQL databases
In general, you do not need to worry about where the CodeQL analysis workflow places CodeQL databases since later steps will automatically find databases created by previous steps. However, if you are writing a custom workflow step that requires the CodeQL database to be in a specific disk location, for example to upload the database as a workflow artifact, you can specify that location using the db-location parameter under the init action.
- uses: github/codeql-action/init@v2
  with:
    db-location: '${{ github.runner_temp }}/my_location'
- uses: github/codeql-action/init@v2
  with:
    db-location: '${{ github.runner_temp }}/my_location'
The CodeQL analysis workflow will expect the path provided in db-location to be writable, and either not exist, or be an empty directory. When using this parameter in a job running on a self-hosted runner or using a Docker container, it's the responsibility of the user to ensure that the chosen directory is cleared between runs, or that the databases are removed once they are no longer needed.  This is not necessary for jobs running on GitHub-hosted runners, which obtain a fresh instance and a clean filesystem each time they run. For more information, see "Using GitHub-hosted runners."
If this parameter is not used, the CodeQL analysis workflow will create databases in a temporary location of its own choice. Currently the default value is ${{ github.runner_temp }}/codeql_databases.
Changing the languages that are analyzed
CodeQL code scanning automatically detects code written in the supported languages.
- C/C++
- C#
- Go
- Java
- JavaScript/TypeScript
- Python
- Ruby
Notes:
- 
CodeQL analysis for Ruby is currently in beta. During the beta, analysis of Ruby will be less comprehensive than CodeQL analysis of other languages. 
- 
Use javascriptto analyze code written in JavaScript, TypeScript or both.
For more information, see the documentation on the CodeQL website: "Supported languages and frameworks."
CodeQL uses the following language identifiers:
| Language | Identifier | 
|---|---|
| C/C++ | cpp | 
| C# | csharp | 
| Go | go | 
| Java | java | 
| JavaScript/TypeScript | javascript | 
| Python | python | 
| Ruby | ruby | 
The default CodeQL analysis workflow file contains a matrix called language which lists the languages in your repository that are analyzed. CodeQL automatically populates this matrix when you add code scanning to a repository. Using the language matrix optimizes CodeQL to run each analysis in parallel. We recommend that all workflows adopt this configuration due to the performance benefits of parallelizing builds. For more information about matrices, see "Using a matrix for your jobs."
If your repository contains code in more than one of the supported languages, you can choose which languages you want to analyze. There are several reasons you might want to prevent a language being analyzed. For example, the project might have dependencies in a different language to the main body of your code, and you might prefer not to see alerts for those dependencies.
If your workflow uses the language matrix then CodeQL is hardcoded to analyze only the languages in the matrix. To change the languages you want to analyze, edit the value of the matrix variable. You can remove a language to prevent it being analyzed or you can add a language that was not present in the repository when code scanning was configured. For example, if the repository initially only contained JavaScript when code scanning was configured, and you later added Python code, you will need to add python to the matrix.
jobs:
  analyze:
    name: Analyze
    ...
    strategy:
      fail-fast: false
      matrix:
        language: ['javascript', 'python']
jobs:
  analyze:
    name: Analyze
    ...
    strategy:
      fail-fast: false
      matrix:
        language: ['javascript', 'python']
If your workflow does not contain a matrix called language, then CodeQL is configured to run analysis sequentially. If you don't specify languages in the workflow, CodeQL automatically detects, and attempts to analyze, any supported languages in the repository. If you want to choose which languages to analyze, without using a matrix, you can use the languages parameter under the init action.
- uses: github/codeql-action/init@v2
  with:
    languages: cpp, csharp, python
- uses: github/codeql-action/init@v2
  with:
    languages: cpp, csharp, python
Defining the alert severities that give a check failure for a pull request
By default, only alerts with the severity level of Error or security severity level of Critical or High will cause a pull request check failure, and a check will still succeed with alerts of lower severities. You can change the levels of alert severities and of security severities that will cause a pull request check failure in your repository settings. For more information about severity levels, see "About code scanning alerts."
- 
On your GitHub Enterprise Server instance, navigate to the main page of the repository. 
- 
Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.  
- 
In the "Security" section of the sidebar, click Code security and analysis. 
- 
Under "Code scanning", to the right of "Check Failure", use the drop-down menu to select the level of severity you would like to cause a pull request check failure. 
Configuring a category for the analysis
Use category to distinguish between multiple analyses for the same tool and commit, but performed on different languages or different parts of the code. The category you specify in your workflow will be included in the SARIF results file.
This parameter is particularly useful if you work with monorepos and have multiple SARIF files for different components of the monorepo.
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2
      with:
        # Optional. Specify a category to distinguish between multiple analyses
        # for the same tool and ref. If you don't use `category` in your workflow,
        # GitHub will generate a default category name for you
        category: "my_category"
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2
      with:
        # Optional. Specify a category to distinguish between multiple analyses
        # for the same tool and ref. If you don't use `category` in your workflow,
        # GitHub will generate a default category name for you
        category: "my_category"
If you don't specify a category parameter in your workflow, GitHub Enterprise Server will generate a category name for you, based on the name of the workflow file triggering the action, the action name, and any matrix variables. For example:
- The .github/workflows/codeql-analysis.ymlworkflow and theanalyzeaction will produce the category.github/workflows/codeql.yml:analyze.
- The .github/workflows/codeql-analysis.ymlworkflow, theanalyzeaction, and the{language: javascript, os: linux}matrix variables will produce the category.github/workflows/codeql-analysis.yml:analyze/language:javascript/os:linux.
The category value will appear as the <run>.automationDetails.id property in SARIF v2.1.0. For more information, see "SARIF support for code scanning."
Your specified category will not overwrite the details of the runAutomationDetails object in the SARIF file, if included.
Running additional queries
When you use CodeQL to scan code, the CodeQL analysis engine generates a database from the code and runs queries on it. CodeQL analysis uses a default set of queries, but you can specify more queries to run, in addition to the default queries.
You can also specify the queries you want to exclude from analysis, or include in the analysis. This requires the use of a custom configuration file. For more information, see "Using a custom configuration file" and "Excluding specific queries from analysis " below.
You can run extra queries if they are part of a CodeQL pack (beta) published to the GitHub Container registry or a QL pack stored in a repository. For more information, see "About code scanning with CodeQL."
The options available to specify the additional queries you want to run are:
- packsto install one or more CodeQL query packs (beta) and run the default query suite or queries for those packs.
- queriesto specify a single .ql file, a directory containing multiple .ql files, a .qls query suite definition file, or any combination. For more information about query suite definitions, see "Creating CodeQL query suites."
You can use both packs and queries in the same workflow.
Using query packs
To add one or more CodeQL query packs (beta), add a with: packs: entry within the uses: github/codeql-action/init@v2 section of the workflow. Within packs you specify one or more packages to use and, optionally, which version to download. Where you don't specify a version, the latest version is downloaded. If you want to use packages that are not publicly available, you need to set the GITHUB_TOKEN environment variable to a secret that has access to the packages. For more information, see "Automatic token authentication" and "Using secrets in GitHub Actions."
Note: For workflows that generate CodeQL databases for multiple languages, you must instead specify the CodeQL query packs in a configuration file. For more information, see "Specifying CodeQL query packs" below.
In the example below, scope is the organization or personal account that published the package. When the workflow runs, the four CodeQL query packs are downloaded from GitHub Enterprise Server and the default queries or query suite for each pack run:
- The latest version of pack1is downloaded and all default queries are run.
- Version 1.2.3 of pack2is downloaded and all default queries are run.
- The latest version of pack3that is compatible with version 3.2.1 is downloaded and all queries are run.
- Version 4.5.6 of pack4is downloaded and only the queries found inpath/to/queriesare run.
- uses: github/codeql-action/init@v2
  with:
    # Comma-separated list of packs to download
    packs: scope/pack1,scope/[email protected],scope/pack3@~3.2.1,scope/[email protected]:path/to/queries
- uses: github/codeql-action/init@v2
  with:
    # Comma-separated list of packs to download
    packs: scope/pack1,scope/[email protected],scope/pack3@~3.2.1,scope/[email protected]:path/to/queries
Downloading CodeQL packs from GitHub Enterprise Server
If your workflow uses packs that are published on a GitHub Enterprise Server installation, you need to tell your workflow where to find them. You can do this by using the registries input of the github/codeql-action/init@v2 action. This input accepts a list of url, packages, and token properties as shown below.
- uses: github/codeql-action/init@v2
  with:
    registries: |
      # URL to the container registry, usually in this format
      - url: https://containers.GHEHOSTNAME1/v2/
        # List of package glob patterns to be found at this registry
        packages:
          - my-company/*
          - my-company2/*
        # Token, which should be stored as a secret
        token: ${{ secrets.GHEHOSTNAME1_TOKEN }}
      # URL to the default container registry
      - url: https://ghcr.io/v2/
        # Packages can also be a string
        packages: "*/*"
        token: ${{ secrets.GHCR_TOKEN }}
    
- uses: github/codeql-action/init@v2
  with:
    registries: |
      # URL to the container registry, usually in this format
      - url: https://containers.GHEHOSTNAME1/v2/
        # List of package glob patterns to be found at this registry
        packages:
          - my-company/*
          - my-company2/*
        # Token, which should be stored as a secret
        token: ${{ secrets.GHEHOSTNAME1_TOKEN }}
      # URL to the default container registry
      - url: https://ghcr.io/v2/
        # Packages can also be a string
        packages: "*/*"
        token: ${{ secrets.GHCR_TOKEN }}
    
The package patterns in the registries list are examined in order, so you should generally place the most specific package patterns first. The values for token must be a personal access token generated by the GitHub instance you are downloading from with the read:packages permission.
Notice the | after the registries property name. This is important since  GitHub Actions inputs can only accept strings. Using the | converts the subsequent text to a string, which is parsed later by the github/codeql-action/init@v2 action.
Using queries in QL packs
To add one or more queries, add a with: queries: entry within the uses: github/codeql-action/init@v2 section of the workflow. If the queries are in a private repository, use the external-repository-token parameter to specify a token that has access to checkout the private repository.
You can also specify query suites in the value of queries. Query suites are collections of queries, usually grouped by purpose or language.
- uses: github/codeql-action/init@v2
  with:
    # Comma-separated list of queries / packs / suites to run.
    # This may include paths or a built in suite, for example:
    # security-extended or security-and-quality.
    queries: security-extended
    # Optional. Provide a token to access queries stored in private repositories.
    external-repository-token: ${{ secrets.ACCESS_TOKEN }}
- uses: github/codeql-action/init@v2
  with:
    # Comma-separated list of queries / packs / suites to run.
    # This may include paths or a built in suite, for example:
    # security-extended or security-and-quality.
    queries: security-extended
    # Optional. Provide a token to access queries stored in private repositories.
    external-repository-token: ${{ secrets.ACCESS_TOKEN }}
The following query suites are built into CodeQL code scanning and are available for use.
| Query suite | Description | 
|---|---|
| security-extended | Queries from the default suite, plus lower severity and precision queries | 
| security-and-quality | Queries from security-extended, plus maintainability and reliability queries | 
Each of these query suites contains a different subset of the queries included in the built-in CodeQL query pack for that language. The query suites are automatically generated using the metadata for each query. For more information, see "Metadata for CodeQL queries."
You can identify which query suites a query is included in by browsing the CodeQL query help documentation. For each query, any suites that it is included in are displayed at the top of the page with the query metadata. For example: Arbitrary file write during zip extraction (”Zip Slip”) and Client-side request forgery.
When you specify a query suite, the CodeQL analysis engine will run the default set of queries and any extra queries defined in the additional query suite.
Working with custom configuration files
If you also use a configuration file for custom settings, any additional packs or queries specified in your workflow are used instead of those specified in the configuration file. If you want to run the combined set of additional packs or queries, prefix the value of packs or queries in the workflow with the + symbol. For more information, see "Using a custom configuration file."
In the following example, the + symbol ensures that the specified additional packs and queries are used together with any specified in the referenced configuration file.
- uses: github/codeql-action/init@v2
  with:
    config-file: ./.github/codeql/codeql-config.yml
    queries: +security-and-quality,octo-org/python-qlpack/show_ifs.ql@main
    packs: +scope/pack1,scope/[email protected],scope/[email protected]:path/to/queries
- uses: github/codeql-action/init@v2
  with:
    config-file: ./.github/codeql/codeql-config.yml
    queries: +security-and-quality,octo-org/python-qlpack/show_ifs.ql@main
    packs: +scope/pack1,scope/[email protected],scope/[email protected]:path/to/queries
Using a custom configuration file
A custom configuration file is an alternative way to specify additional packs and queries to run. You can also use the file to disable the default queries, exclude or include specific queries, and to specify which directories to scan during analysis.
In the workflow file, use the config-file parameter of the init action to specify the path to the configuration file you want to use. This example loads the configuration file ./.github/codeql/codeql-config.yml.
- uses: github/codeql-action/init@v2
  with:
    config-file: ./.github/codeql/codeql-config.yml
- uses: github/codeql-action/init@v2
  with:
    config-file: ./.github/codeql/codeql-config.yml
The configuration file can be located within the repository you are analyzing, or in an external repository. Using an external repository allows you to specify configuration options for multiple repositories in a single place. When you reference a configuration file located in an external repository, you can use the OWNER/REPOSITORY/FILENAME@BRANCH syntax. For example, octo-org/shared/codeql-config.yml@main.
If the configuration file is located in an external private repository, use the external-repository-token parameter of the init action to specify a token that has access to the private repository.
- uses: github/codeql-action/init@v2
  with:
    external-repository-token: ${{ secrets.ACCESS_TOKEN }}
- uses: github/codeql-action/init@v2
  with:
    external-repository-token: ${{ secrets.ACCESS_TOKEN }}
The settings in the configuration file are written in YAML format.
Specifying CodeQL query packs
You specify CodeQL query packs in an array. Note that the format is different from the format used by the workflow file.
packs: # Use the latest version of 'pack1' published by 'scope' - scope/pack1 # Use version 1.2.3 of 'pack2' - scope/[email protected] # Use the latest version of 'pack3' compatible with 3.2.1 - scope/pack3@~3.2.1 # Use pack4 and restrict it to queries found in the 'path/to/queries' directory - scope/pack4:path/to/queries # Use pack5 and restrict it to the query 'path/to/single/query.ql' - scope/pack5:path/to/single/query.ql # Use pack6 and restrict it to the query suite 'path/to/suite.qls' - scope/pack6:path/to/suite.qls
packs:
  # Use the latest version of 'pack1' published by 'scope'
  - scope/pack1
  # Use version 1.2.3 of 'pack2'
  - scope/[email protected]
  # Use the latest version of 'pack3' compatible with 3.2.1
  - scope/pack3@~3.2.1
  # Use pack4 and restrict it to queries found in the 'path/to/queries' directory
  - scope/pack4:path/to/queries
  # Use pack5 and restrict it to the query 'path/to/single/query.ql'
  - scope/pack5:path/to/single/query.ql
  # Use pack6 and restrict it to the query suite 'path/to/suite.qls'
  - scope/pack6:path/to/suite.qls
The full format for specifying a query pack is scope/name[@version][:path]. Both version and path are optional. version is semver version range. If it is missing, the latest version is used. For more information about semver ranges, see the semver docs on npm.
If you have a workflow that generates more than one CodeQL database, you can specify any CodeQL query packs to run in a custom configuration file using a nested map of packs.
packs:
  # Use these packs for JavaScript and TypeScript analysis
  javascript:
    - scope/js-pack1
    - scope/js-pack2
  # Use these packs for Java and Kotlin analysis
  java:
    - scope/java-pack1
    - scope/[email protected]
packs:
  # Use these packs for JavaScript and TypeScript analysis
  javascript:
    - scope/js-pack1
    - scope/js-pack2
  # Use these packs for Java and Kotlin analysis
  java:
    - scope/java-pack1
    - scope/[email protected]
Specifying additional queries
You specify additional queries in a queries array. Each element of the array contains a uses parameter with a value that identifies a single query file, a directory containing query files, or a query suite definition file.
queries: - uses: ./my-basic-queries/example-query.ql - uses: ./my-advanced-queries - uses: ./query-suites/my-security-queries.qls
queries:
  - uses: ./my-basic-queries/example-query.ql
  - uses: ./my-advanced-queries
  - uses: ./query-suites/my-security-queries.qls
Optionally, you can give each array element a name, as shown in the example configuration files below. For more information about additional queries, see "Running additional queries" above.
Disabling the default queries
If you only want to run custom queries, you can disable the default security queries by using disable-default-queries: true.
Excluding specific queries from analysis
You can add exclude and include filters to your custom configuration file, to specify the queries you want to exclude or include in the analysis.
This is useful if you want to exclude, for example:
- Specific queries from the default suites (security,security-extendedandsecurity-and-quality).
- Specific queries whose results do not interest you.
- All the queries that generate warnings and recommendations.
You can use exclude filters similar to those in the configuration file below to exclude queries that you want to remove from the default analysis. In the example of configuration file below, both the js/redundant-assignment and the js/useless-assignment-to-local queries are excluded from analysis.
query-filters:
  - exclude:
      id: js/redundant-assignment
  - exclude:
      id: js/useless-assignment-to-local
query-filters:
  - exclude:
      id: js/redundant-assignment
  - exclude:
      id: js/useless-assignment-to-local
To find the id of a query, you can click the alert in the list of alerts in the Security tab. This opens the alert details page. The Rule ID field contains the query id. For more information about the alert details page, see "About code scanning alerts."
Tips:
- The order of the filters is important. The first filter instruction that appears after the instructions about the queries and query packs determines whether the queries are included or excluded by default.
- Subsequent instructions are executed in order and the instructions that appear later in the file take precedence over the earlier instructions.
You can find another example illustrating the use of these filters in the "Example configuration files" section.
For more information about using exclude and include filters in your custom configuration file, see "Creating CodeQL query suites." For information on the query metadata you can filter on, see "Metadata for CodeQL queries."
Specifying directories to scan
For the interpreted languages that CodeQL supports (Python, Ruby, and JavaScript/TypeScript), you can restrict code scanning to files in specific directories by adding a paths array to the configuration file. You can exclude the files in specific directories from analysis by adding a paths-ignore array.
paths: - src paths-ignore: - src/node_modules - '**/*.test.js'
paths:
  - src
paths-ignore:
  - src/node_modules
  - '**/*.test.js'
Note:
- The pathsandpaths-ignorekeywords, used in the context of the code scanning configuration file, should not be confused with the same keywords when used foron.<push|pull_request>.pathsin a workflow. When they are used to modifyon.<push|pull_request>in a workflow, they determine whether the actions will be run when someone modifies code in the specified directories. For more information, see "Workflow syntax for GitHub Actions."
- The filter pattern characters ?,+,[,], and!are not supported and will be matched literally.
- **characters can only be at the start or end of a line, or surrounded by slashes, and you can't mix- **and other characters. For example,- foo/**,- **/foo, and- foo/**/barare all allowed syntax, but- **fooisn't. However you can use single stars along with other characters, as shown in the example. You'll need to quote anything that contains a- *character.
For compiled languages, if you want to limit code scanning to specific directories in your project, you must specify appropriate build steps in the workflow. The commands you need to use to exclude a directory from the build will depend on your build system. For more information, see "CodeQL code scanning for compiled languages."
You can quickly analyze small portions of a monorepo when you modify code in specific directories. You'll need to both exclude directories in your build steps and use the paths-ignore and paths keywords for on.<push|pull_request> in your workflow.
Example configuration files
This configuration file adds the security-and-quality query suite to the list of queries run by CodeQL when scanning your code. For more information about the query suites available for use, see "Running additional queries."
name: "My CodeQL config"
queries:
  - uses: security-and-quality
The following configuration file disables the default queries and specifies a set of custom queries to run instead. It also configures CodeQL to scan files in the src directory (relative to the root), except for the src/node_modules directory, and except for files whose name ends in .test.js. Files in src/node_modules and files with names ending .test.js are therefore excluded from analysis.
name: "My CodeQL config"
disable-default-queries: true
queries:
  - name: Use an in-repository QL pack (run queries in the my-queries directory)
    uses: ./my-queries
  - name: Use an external JavaScript QL pack (run queries from an external repo)
    uses: octo-org/javascript-qlpack@main
  - name: Use an external query (run a single query from an external QL pack)
    uses: octo-org/python-qlpack/show_ifs.ql@main
  - name: Use a query suite file (run queries from a query suite in this repo)
    uses: ./codeql-qlpacks/complex-python-qlpack/rootAndBar.qls
paths:
  - src 
paths-ignore: 
  - src/node_modules
  - '**/*.test.js'
The following configuration file only runs queries that generate alerts of severity error. The configuration first selects all the default queries, all queries in ./my-queries, and the default suite in codeql/java-queries, then excludes all the queries that generate warnings or recommendations.
queries:
  - name: Use an in-repository QL pack (run queries in the my-queries directory)
    uses: ./my-queries
packs:
  - codeql/java-queries
query-filters:
- exclude:
    problem.severity:
      - warning
      - recommendation
Configuring code scanning for compiled languages
CodeQL analyzes the C/C++, C#, and Java source files in your repository that are built.
The basic CodeQL analysis workflow uses the autobuild action to build your code. Alternatively, you can disable autobuild and instead specify explicit build commands to analyze only the files that are built by these custom commands.
If autobuild fails, or you want to analyze a different set of source files from those built by the autobuild process, you'll need to remove the autobuild step from the workflow, and manually add build steps. For C/C++, C#, Go,  and Java projects, CodeQL will analyze whatever source code is built by your specified build steps. For more information about how to configure CodeQL code scanning for compiled languages, see "CodeQL code scanning for compiled languages."
Uploading code scanning data to GitHub
GitHub can display code analysis data generated externally by a third-party tool. You can upload code analysis data with the upload-sarif action. For more information, see "Uploading a SARIF file to GitHub."