Skip to main content
GitHub Docs
Search
Select language: current language is English
Open Search BarClose Search Bar
Open Menu
Open Sidebar
  • Secure coding/
  • GitHub security features
  • Audit security alerts
  • Enable security features in trial
  • Choose security configuration
    • Configure global settings
    • Edit custom configuration
    • Delete custom configuration
    • Push protection
    • Enable push protection
    • Resolve alerts
    • Push protection from the REST API
    • Generate regular expressions with AI
    • About CodeQL code scanning
    • Configure advanced setup
    • Hardware resources for CodeQL
    • Disable Copilot Autofix
    • Track alerts in issues
    • CodeQL query suites
    • C# CodeQL queries
    • Python CodeQL queries
    • Using code scanning with your existing CI system
    • Alerts in generated code
    • Cannot enable CodeQL in a private repository
    • Logs not detailed enough
    • Resource not accessible
    • Two CodeQL workflows
    • GitHub Advanced Security disabled
    • Results file too large
    • Preparing code for analysis
    • Advanced setup of the CodeQL CLI
    • Testing custom queries
    • Specifying command options in a CodeQL configuration file
    • Extractor options
    • bqrs diff
    • database add-diagnostic
    • database create
    • database index-files
    • database run-queries
    • dataset check
    • dataset upgrade
    • execute language-server
    • execute upgrades
    • github merge-results
    • pack ci
    • pack install
    • pack resolve-dependencies
    • query format
    • resolve extensions-by-pack
    • resolve library-path
    • resolve qlpacks
    • resolve tests
    • test run
    • Manage CodeQL databases
    • CodeQL model editor
    • Test CodeQL queries
    • Telemetry
    • About global security advisories
    • Permission levels
    • Edit repository advisories
    • Add collaborators
    • Best practices
    • Dependency graph
    • Export dependencies as SBOM
    • Customize dependency review action
    • Overview
    • Dependabot ecosystem support
    • Configure notifications
    • Manage auto-dismissed alerts
    • Dependabot version updates
    • Control dependency update
    • Auto-update actions
    • Manage Dependabot on self-hosted runners
    • Troubleshoot Dependabot on Actions
    • Create advanced setup/
    • Code scanning in a container

    Running CodeQL code scanning in a container

    You can run code scanning in a container by ensuring that all processes run in the same container.

    Who can use this feature?

    Code scanning is available for the following repository types:

    • Public repositories on GitHub.com

    In this article

    • About code scanning with a containerized build
    • Dependencies for CodeQL code scanning
    • Example workflow

    About code scanning with a containerized build

    If you're configuring code scanning for a compiled language, and you're building the code in a containerized environment, the analysis may fail with the error message "No source code was seen during the build." This indicates that CodeQL was unable to monitor your code as it was compiled.

    You must run CodeQL inside the container in which you build your code. This applies whether you are using the CodeQL CLI or GitHub Actions. For the CodeQL CLI, see Using code scanning with your existing CI system for more information. If you're using GitHub Actions, configure your workflow to run all the actions in the same container. For more information, see Example workflow.

    Note

    The CodeQL CLI is currently not compatible with non-glibc Linux distributions such as (musl-based) Alpine Linux.

    Dependencies for CodeQL code scanning

    You may have difficulty running code scanning if the container you're using is missing certain dependencies (for example, Git must be installed and added to the PATH variable). If you encounter dependency issues, review the list of software typically included on GitHub's runner images. For more information, see the version-specific readme files in these locations:

    • Linux:
    • Windows: Example workflow

      This sample workflow uses GitHub Actions to run CodeQL analysis in a containerized environment. The value of container.image identifies the container to use. In this example the image is named codeql-container, with a tag of f0f91db. For more information, see Workflow syntax for GitHub Actions.

      name: "CodeQL"

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '15 5 * * 3'

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      actions: read

    strategy:
      fail-fast: false
      matrix:
        language: [java-kotlin]

    # Specify the container in which actions will run
    container:
      image: codeql-container:f0f91db

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - name: Build
        run: |
          ./configure
          make
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

    Help and support

    Did you find what you needed?

    Privacy
  • Status
  • Blog

    • Follow Lee on X/Twitter - Father, Husband, Serial builder creating AI, crypto, games & web tools. We are friends :) AI Will Come To Life!

    Check out: eBank.nz (Art Generator) | Netwrck.com (AI Tools) | Text-Generator.io (AI API) | BitBank.nz (Crypto AI) | ReadingTime (Kids Reading) | RewordGame | BigMultiplayerChess | WebFiddle | How.nz | Helix AI Assistant