Skip to main content
GitHub Docs
Search
Select language: current language is English
Open Search BarClose Search Bar
Open Menu
Open Sidebar
  • Secure coding/
  • GitHub security features
  • Audit security alerts
  • Enable security features in trial
  • Choose security configuration
    • Configure global settings
    • Edit custom configuration
    • Delete custom configuration
    • Push protection
    • Enable push protection
    • Resolve alerts
    • Push protection from the REST API
    • Generate regular expressions with AI
    • About CodeQL code scanning
    • Configure advanced setup
    • Hardware resources for CodeQL
    • Disable Copilot Autofix
    • Track alerts in issues
    • CodeQL query suites
    • C# CodeQL queries
    • Python CodeQL queries
    • Using code scanning with your existing CI system
    • Alerts in generated code
    • Cannot enable CodeQL in a private repository
    • Logs not detailed enough
    • Resource not accessible
    • Two CodeQL workflows
    • GitHub Advanced Security disabled
    • Results file too large
    • Preparing code for analysis
    • Advanced setup of the CodeQL CLI
    • Testing custom queries
    • Specifying command options in a CodeQL configuration file
    • Extractor options
    • bqrs diff
    • database add-diagnostic
    • database create
    • database index-files
    • database run-queries
    • dataset check
    • dataset upgrade
    • execute language-server
    • execute upgrades
    • github merge-results
    • pack ci
    • pack install
    • pack resolve-dependencies
    • query format
    • resolve extensions-by-pack
    • resolve library-path
    • resolve qlpacks
    • resolve tests
    • test run
    • Manage CodeQL databases
    • CodeQL model editor
    • Test CodeQL queries
    • Telemetry
    • About global security advisories
    • Permission levels
    • Edit repository advisories
    • Add collaborators
    • Best practices
    • Dependency graph
    • Export dependencies as SBOM
    • Customize dependency review action
    • Overview
    • Dependabot ecosystem support
    • Configure notifications
    • Manage auto-dismissed alerts
    • Dependabot version updates
    • Control dependency update
    • Auto-update actions
    • Manage Dependabot on self-hosted runners
    • Troubleshoot Dependabot on Actions
    • Troubleshooting SARIF uploads/
    • Results exceed limits

    SARIF results exceed one or more limits

    Learn how to resolve problems when a SARIF file is rejected by code scanning because one or more limits is exceeded.

    In this article

    • About code scanning limits on SARIF results
    • Fixing soft limit errors
    • Fixing "Analysis SARIF file rejected due to results limits"
    • Fixing "Alert(s) in SARIF file exceeded thread flow location limits"
    • Fixing "Analysis SARIF file rejected due to run limits"
    • Fixing "Analysis SARIF file rejected due to rule limits"
    • Fixing "Analysis SARIF file rejected due to extension limits"
    • Fixing "Analysis SARIF file rejected due to location limit"
    • Fixing "Analysis SARIF file rejected due to rule tag limits"
    • Fixing "Repository is at risk of exceeding the alert limit" & "All analysis uploads blocked due to alert limit"

    About code scanning limits on SARIF results

    # SARIF results exceed soft limits
  Locations for an alert exceeded limits
  Analysis SARIF file exceeded alert limits
  Rule tags in SARIF file exceed limits
  Alert in SARIF upload exceeded thread flow location limits
  Repository is at risk of exceeding the alert limit.

# SARIF results exceed hard limit
  Alert(s) in SARIF file exceeded thread flow location limits
  Analysis SARIF file rejected due to extension limits
  Analysis SARIF file rejected due to location limit
  Analysis SARIF file rejected due to rule tag limits
  Analysis SARIF file rejected due to result limits
  Analysis SARIF file rejected due to rule limits
  Analysis SARIF file rejected due to run limits
  All analysis uploads blocked due to alert limit

    Code scanning sets two types of limits on fields in SARIF results files.

    • Soft limits which determine how much data is stored and displayed to users.
    • Hard limits which determine the maximum amount of data accepted for processing.

    You could see these errors for SARIF files generated by CodeQL or by third-party analysis tools.

    SARIF dataMaximum valuesData truncation limits
    Runs per file20None
    Results per run25,000Only the top 5,000 results will be included, prioritized by severity.
    Rules per run25,000None
    Tool extensions per run100None
    Thread Flow Locations per result10,000Only the top 1,000 Thread Flow Locations will be included, using prioritization.
    Location per result1,000Only 100 locations will be included.
    Tags per rule20Only 10 tags will be included.
    Alert Limit1,000,000None

    For information about validating your SARIF file, see SARIF support for code scanning.

    Fixing soft limit errors

    When soft limits are exceeded, code scanning shows the highest priority information. Often you do not need to make any changes to your code scanning configuration. As your team fixes alerts, the number of results reported in each run will reduce until they are within the soft limits and all results are displayed. Alternatively, you can use the approaches described for hard limit errors.

    Fixing "Analysis SARIF file rejected due to results limits"

    There are many considerations and potential solutions for reducing the number of results included in a SARIF results file. For guidance, see SARIF results file is too large.

    Fixing "Alert(s) in SARIF file exceeded thread flow location limits"

    You can configure the analysis to limit the number of dataflow paths included in the results. By default, 4 dataflow paths are included for each result.

    • CodeQL advanced setup for code scanning: update the analyze step to limit the number of paths to a maximum of one or zero.

      - name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@v3
  env: 
    CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths", 1]}}'

    • CodeQL CLI database analyze: update the database analysis command to include the --max-paths=1 flag. For more information, see database analyze.

    Note

    The max-paths setting affects the results of all dataflow queries.

    Fixing "Analysis SARIF file rejected due to run limits"

    The simplest approach is generate a new SARIF file for each run and upload each file separately. You add a "category" to each results and this enables code scanning to store and display the results appropriately. For more information, see SARIF support for code scanning.

    Fixing "Analysis SARIF file rejected due to rule limits"

    There are two possible approaches here.

    1. Reduce the number of rules you use to analyze the code. For more information, see Excluding a query from analysis in "SARIF results file too large."
    2. Run the analysis twice, each time with a different set of rules, and upload both results files to code scanning. For more information, see SARIF support for code scanning.

    Fixing "Analysis SARIF file rejected due to extension limits"

    The simplest approach is to create a separate SARIF file each time you run the tool and upload each file separately. You may also need to contact the maintainer of the tool. For more information, see SARIF support for code scanning.

    CodeQL analysis should not generate this error. If you see this error while using the CodeQL action or CodeQL CLI, you should contact GitHub Support to let us know. For more information, see Contacting GitHub Support.

    Fixing "Analysis SARIF file rejected due to location limit"

    The best way to resolve this problem is usually to identify the query that reports too many locations and exclude it from analysis. For information on how to do this, see SARIF results file is too large.

    Fixing "Analysis SARIF file rejected due to rule tag limits"

    You need to update the SARIF file or the generator so that the array of tags reported for each reportingDescriptor object is fewer than 10. For more information, see properties.tags[] in SARIF support for code scanning.

    Fixing "Repository is at risk of exceeding the alert limit" & "All analysis uploads blocked due to alert limit"

    This limit is triggered by a repository producing more unique alerts than should ever exist as part of a well functioning code scanning configuration. It is possible that this is due to the output of a third-party tool being used, and may not be a user configuration error. Both user configuration error and tool vendor error are possible causes.

    There are a few steps to fix this problem.

    1. Look at the SARIF files you are producing to identify the cause of code scanning alerts being classed as distinct across runs of a tool. Usually this is due to one of the following:
      • The SARIF artifactLocation.uri property (filepath in the code scanning alert user interface) is not deterministic due to the inclusion of temporary directories or generated file names.
      • The tool used produces unstable SARIF rule names or artifactLocation object uri property values, which is usually the result of using hashes (from git commits or docker image SHAs, for example) or other sources of data that change across runs or environments.
    2. Once you have identified the source of the issue, you should update your configuration accordingly, and contact the tool vendor if their tool is the source of the unstable SARIF results.
    3. Stop uploading code scanning results for any third-party tools that produce non-deterministic output until they have been fixed by the tool vendor.

    Additional steps for "All analysis uploads blocked due to alert limit"

    On top of fixing the code scanning configuration and removing or fixing the output of third-party tools, you will need to contact us through the GitHub Support portal to assist you in deleting the alerts for any offending configurations.

    There is no self-service method for deleting alerts at this time, so contacting customer support is necessary before code-scanning can be re-enabled.

    Help and support

    Did you find what you needed?

    Privacy
  • Status
  • Blog

    • Follow Lee on X/Twitter - Father, Husband, Serial builder creating AI, crypto, games & web tools. We are friends :) AI Will Come To Life!

    Check out: eBank.nz (Art Generator) | Netwrck.com (AI Tools) | Text-Generator.io (AI API) | BitBank.nz (Crypto AI) | ReadingTime (Kids Reading) | RewordGame | BigMultiplayerChess | WebFiddle | How.nz | Helix AI Assistant