Understand CodeQL results

In the previous unit, you created a CodeQL database and ran queries against the code extracted into it. Now you can view the results and decide whether there are security vulnerabilities to address.

View code scanning results from CodeQL analysis

Interpreted query results are automatically displayed in the source code in CodeQL for Visual Studio Code. Results generated by the CodeQL CLI can be output into many different formats for use with different tools.

You can control how analysis results are displayed in source code by modifying a query's select statement. Make the results clear and easy for other users to understand while you develop the query. When you write your own queries in the query console or in the CodeQL extension for Visual Studio Code, there are no constraints on what can be selected.

If you want to use a query to create alerts in GitHub code scanning or generate valid analysis results using the CodeQL CLI, you need to make the select statement report results in the required format.

Explanation of code scanning alerts

You can set up code scanning to check the code in a repository. You can use the default CodeQL analysis, a non-Microsoft analysis, or other types of analysis. The resulting alerts are displayed alongside each other in the repository. GitHub's default CodeQL analysis might include more properties for alerts than results from non-Microsoft tools or from custom queries. In a default workflow, code scanning analyzes your code periodically on the default branch and during pull requests.

Each alert includes the following information:

  • The problem with the code and the name of the tool that identified it
  • The line of code that triggered the alert
  • Properties of the alert (such as the severity)
  • The security severity
  • When the issue was first introduced
  • The nature of the problem

You'll also see information on how to fix the problem when CodeQL analysis identifies an alert. Additionally, code scanning using CodeQL can detect data-flow problems in your code.

Screenshot showing CodeQL analysis alerts.

Data flow alerts

Data-flow analysis finds potential security issues in code, such as using data insecurely, passing dangerous arguments to functions, and leaking sensitive information. When code scanning reports a data-flow alert, GitHub shows you how the data moves through the code. These data-flow alerts allow you to identify the areas of your code that leak sensitive information, which can help you identify the entry points that malicious users could use for attacks.

Severity levels

Alert severity levels can be Error, Warning, or Note. By default, any code scanning result with a severity of Error causes the check to fail. You can specify the severity level at which code scanning alerts should cause a pull request check to fail.

Security severity levels

Security queries run by code scanning display a security severity level for each alert. Security severity levels can be Critical, High, Medium, or Low. GitHub uses Common Vulnerability Scoring System (CVSS) data to calculate the security severity of an alert. By default, any code scanning result with a security severity of Critical or High causes the check to fail. You can also specify which security severity levels should cause a check failure for code scanning results.
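The metadata and select statement that produce these alert properties are easiest to see in a complete query. The following CodeQL query for JavaScript is an added example, not code from this module: the query id, severity values and the console.log sink are constructed for illustration. Its @problem.severity and @security-severity metadata supply the severity and security severity shown on an alert, and the path-problem select format is what lets GitHub display a data-flow path from source to sink.

```ql
/**
 * @name Request data written to console (constructed example)
 * @description Untrusted HTTP request data reaches console.log,
 *              which can leak sensitive values into application logs.
 * @kind path-problem          // data-flow alert: GitHub renders the path
 * @problem.severity warning   // alert severity: error, warning or note
 * @security-severity 5.0      // CVSS-style score -> Medium (assumed value)
 * @precision medium
 * @id example/request-data-to-console   // placeholder id for this example
 * @tags security
 */

import javascript

// Taint-tracking configuration: where untrusted data enters and where it
// must not end up. RemoteFlowSource is the standard library's model of
// HTTP request inputs; the console.log sink is chosen for this example.
module RequestToConsoleConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  predicate isSink(DataFlow::Node sink) {
    sink = DataFlow::globalVarRef("console").getAMemberCall("log").getAnArgument()
  }
}

module RequestToConsoleFlow = TaintTracking::Global<RequestToConsoleConfig>;

// Required for @kind path-problem: provides the edges GitHub draws.
import RequestToConsoleFlow::PathGraph

// Required select shape for a path-problem query:
//   element to annotate, path source, path sink, message, then the
//   elements that fill each $@ placeholder in the message.
// (A plain @kind problem query instead selects: element, "message".)
from RequestToConsoleFlow::PathNode source, RequestToConsoleFlow::PathNode sink
where RequestToConsoleFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "Request data from $@ is written to the console log.", source.getNode(), "this input"
```

If the metadata used @problem.severity error, or a @security-severity of 7.0 or higher, an alert from this query would fail the pull request check under the default settings described above.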

Close a code scanning alert

You have two ways to close an alert:

  • Fix the problem in the code.
  • Dismiss the alert.

Dismiss a code scanning alert

Dismissing an alert is a way of closing an alert that you don't think needs to be fixed. One example is an error in code that's used only for testing. You might also dismiss an alert if the effort required to fix the error is greater than the potential benefit of improving the code.

You can dismiss alerts from code scanning annotations in the code or from the summary list within the Security tab.

Here's what happens when you dismiss an alert:

  • It's dismissed in all branches.
  • The alert is removed from the number of current alerts for your project.
  • The alert is moved to the Closed list in the summary of alerts. You can reopen it from here, if necessary.
  • The reason why you closed the alert is recorded.
  • Next time code scanning runs, the same code won't generate an alert.

Delete a code scanning alert

You can also delete an alert if you have admin permissions for the repository. Deleting alerts is useful when you set up a code scanning tool but later decide to remove it. It's also useful when you configured CodeQL analysis with a larger set of queries than you want to continue using and have since removed some queries from the tool. Deleting alerts lets you clean up your code scanning results.

You can delete alerts from the summary list within the Security tab.

Here's what happens when you delete an alert:

  • It's deleted in all branches.
  • The alert is removed from the number of current alerts for your project.
  • It isn't added to the Closed list in the summary of alerts.
  • If the code that generated the alert stays the same, and the same code scanning tool runs again without any configuration changes, the alert is shown again in your analysis results.

Video of dismissing an alert with dismissal dropdown menu.