Troubleshoot CodeQL results


This unit provides common tips for optimizing and troubleshooting when working with CodeQL and code scanning.

Optimize CodeQL analysis runtimes

There are several reasons why your CodeQL analysis may be taking too long to complete:

  • If you use self-hosted runners for CodeQL analysis, you can increase the memory or the number of cores.
  • Problems can also occur when a repository contains multiple languages. You can modify your workflow to use a matrix so that the languages are analyzed in parallel. The default CodeQL analysis workflow already analyzes each language in parallel; advanced workflows that run language initialization and analysis sequentially may need to be configured similarly.
  • The amount of code being analyzed may cause long runtimes. Analysis time is typically proportional to the amount of code being analyzed. You can reduce the size of the code by excluding test code or breaking the code into multiple workflows to only analyze a subset with each scan.
  • You may want to only trigger analysis on the schedule event if your analysis is too slow while running during push or pull_request events.

Optimizing CodeQL Queries

Some performance issues may arise from custom queries. You can find common problems and how to troubleshoot them here[11].

Some important points to keep in mind while working with CodeQL and the QL query language:

  • CodeQL predicates and classes are evaluated to database tables. Large predicates generate large tables with many rows, and are therefore expensive to compute.
  • The QL language is implemented using standard database operations and relational algebra, such as join, projection, and union.
  • Queries are evaluated bottom-up, which means that a predicate is not evaluated until all of the predicates that it depends on are evaluated.

Debug artifacts

Additionally, you can obtain artifacts to help you debug CodeQL. To enable them, modify the init step of your CodeQL workflow file and set debug: true. The data contains the CodeQL logs, CodeQL databases, and any SARIF files produced by the workflow, and is uploaded to the workflow run as an artifact named debug-artifacts. These artifacts help you debug problems with CodeQL code scanning.

Troubleshoot CodeQL for Visual Studio Code

The Visual Studio Code extension's log files contain detailed information to help you troubleshoot.

Progress and error messages are displayed as notifications in the bottom right corner of the workspace. In the Output view, you can use the dropdown list to select the logs you need.

Screenshot showing how to select the logs in the Output view.

Common error messages

To troubleshoot your CodeQL workflow, let's familiarize ourselves with some common error messages.

Error: "Server error"

If the run of a workflow for code scanning fails due to a server error, this may be due to a transient communication issue. Try running the workflow again. If the problem persists, contact GitHub Support.

Error: "Out of disk" or "Out of memory"

CodeQL may run out of disk or memory on the runner for very large projects. Contact GitHub Support so that we can investigate this type of issue on a hosted GitHub Actions runner. If running on a self-hosted runner, adjustments may need to be made to the server's specs. See here[12] for the recommended hardware when running CodeQL.

Error: 403 "Resource not accessible by integration" when using Dependabot

Dependabot is considered untrusted when it triggers a workflow run, so the workflow runs with read-only scopes. Uploading code scanning results for a branch usually requires the security_events: write scope. However, code scanning always allows results to be uploaded when the pull_request event triggers the action run. For Dependabot branches, we therefore recommend using the pull_request event instead of the push event.

A simple approach is to run on pushes to the default branch and any other important long-running branches, as well as pull requests opened against this set of branches.

Here's an example:

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

SARIF Upload Rejected Because of Default Setup

This error is reported if a process attempts to upload a SARIF file containing results of CodeQL analysis to a repository where CodeQL default setup is enabled. This includes uploads using the REST API and the CodeQL CLI. SARIF uploads are blocked when CodeQL default setup is enabled to reduce the potential for users to be confused by seeing similar code scanning alerts generated by different systems.

You will only see this error for SARIF files that contain results created using CodeQL.

To fix this error, you will need to disable CodeQL default setup in the repository and then re-upload the SARIF file.

Further Reading

Additional information and troubleshooting can be found here[13].