CodeQL scan is successful but alerts are not coming up in Github UI #16905
Hi Team,
I have been trying to perform a CodeQL scan on one of my repositories where I added a few vulnerabilities. The scan is running successfully, but when I check in GitHub there are no alerts. I have been using GitHub Actions to perform the scan, but when I perform the scan using the CodeQL CLI I am able to see the alerts in GitHub. Can anyone please help with what I am missing?
Here is my Actions code:
name: "CodeQL"
on:
  push:
    branches: [ "dev" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "dev" ]
  schedule:
    - cron: '0 0 * * 1' # Runs every Monday at 00:00 UTC
jobs:
  analyze:
    name: Analyze
    runs-on: code-scanning
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [ 'java', 'kotlin' ] # Add or remove languages as needed
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Set up JDK 11
        uses: actions/setup-java@v3
        with:
          java-version: '11'
          distribution: 'temurin'
      - name: Set NODE_TLS_REJECT_UNAUTHORIZED
        # Disables TLS certificate verification for Node-based actions on this runner
        run: |
          echo "NODE_TLS_REJECT_UNAUTHORIZED=0" >> $GITHUB_ENV
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
        with:
          output: ./results
      - name: Upload CodeQL Database
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: codeql-database
          path: ${{ runner.temp }}/codeql_databases
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results/java.sarif
          category: codeQL-scan
I guess the reason you're using the output: flag and the upload-sarif action is because you're trying to archive the database?
How about removing the upload-artifact and upload-sarif actions, removing the output: parameter to the analyze step, and adding debug: true like this in order to cause the analyze step to upload the database?
With or without debugging, does using the action with the analyze step performing the sarif upload, rather than your own upload-sarif step, perform as expected?
My runner is a self-hosted runner. Should I do some configuration on the machine to upload results?
I could see this in the logs
(screenshot of the run log, 2024-07-04)
While the repo is private, are you able to share the log of the run, or the database artifact? If you're not happy for them to be visible on this public discussion, are you happy to send them to smowton@github.com?
Thanks for your help. I was able to resolve the issue by enabling default setup of CodeQL, and I am seeing the alerts in the UI, but there is a new thing I am seeing: whenever I raise a PR the scan runs and should show if there are any issues, but it always tells me:
1 configuration not found
Warning: Code scanning cannot determine the alerts introduced by this pull request, because 1 configuration present on refs/heads/dev was not found:
Default setup
❓ dynamic/github-code-scanning/codeql:upload
Can you tell me if I am missing something here?
That means there is a variety of CodeQL analysis -- in this instance the manual upload from the CLI -- that has been submitted for main but not for your PR. That is expected; once main advances and if no manual upload is performed for the new main, this should disappear.
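The mismatch the reply describes can be checked directly: the code scanning analyses API lists which (tool, category) configurations have been uploaded for a ref, and a configuration present on the base branch but absent on the PR head is what GitHub reports as "configuration not found". The following script is an added example, not code from this discussion or from the CodeQL project; it uses the real GET /repos/{owner}/{repo}/code-scanning/analyses endpoint, while the owner, repo, token and sample analyses are constructed placeholders (the default-setup category string is an assumption).

```python
import json
import urllib.request
from typing import Iterable

API = "https://api.github.com"


def fetch_analyses(owner: str, repo: str, ref: str, token: str) -> list:
    """Fetch code scanning analyses for one ref.

    Needs a token with security_events read access. owner/repo/token are
    placeholders supplied by the caller; nothing is fetched in the offline demo.
    """
    url = f"{API}/repos/{owner}/{repo}/code-scanning/analyses?ref={ref}&per_page=100"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def configurations(analyses: Iterable[dict]) -> set:
    """Reduce analyses to the (tool name, category) pairs GitHub treats as configurations."""
    return {(a["tool"]["name"], a.get("category") or "") for a in analyses}


def missing_on_head(base: Iterable[dict], head: Iterable[dict]) -> set:
    """Configurations uploaded for the base ref that have no analysis on the PR head."""
    return configurations(base) - configurations(head)


# Constructed sample data mirroring the thread: the base branch received both a
# default-setup analysis and a manual CLI upload (the category quoted in the
# warning); the PR head only received the default-setup analysis.
BASE_ANALYSES = [
    {"ref": "refs/heads/dev", "tool": {"name": "CodeQL"}, "category": "/language:java-kotlin"},
    {"ref": "refs/heads/dev", "tool": {"name": "CodeQL"},
     "category": "dynamic/github-code-scanning/codeql:upload"},
]
HEAD_ANALYSES = [
    {"ref": "refs/pull/7/merge", "tool": {"name": "CodeQL"}, "category": "/language:java-kotlin"},
]

if __name__ == "__main__":
    # Against a live repo: missing_on_head(fetch_analyses(..., "refs/heads/dev", tok),
    #                                      fetch_analyses(..., "refs/pull/7/merge", tok))
    for tool, category in sorted(missing_on_head(BASE_ANALYSES, HEAD_ANALYSES)):
        print(f"present on base but not on PR head: {tool} {category}")
```

Each pair printed is a configuration that must either also be uploaded for the PR head or stop being uploaded for the base branch before the warning clears.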