Tech Hub @ Solution Architecture Works

Advanced Security on GitHub – Part 2 of 2

Troubleshooting CodeQL Results


This unit provides tips for optimizing and troubleshooting issues when working with CodeQL and code scanning.

Optimizing CodeQL Analysis Times

Several factors can make a CodeQL analysis take too long, and each has a remedy:

  • If you use self-hosted runners, you can give them more memory or more CPU cores.
  • Analysis can be slow when the repository contains several languages. Use a matrix strategy so that each language is analyzed in its own parallel job; the default CodeQL workflow already does this. If an advanced workflow initializes and analyzes languages sequentially, restructure it in the same way.
  • The amount of code analyzed lengthens execution time, since analysis time is roughly proportional to code size. You can reduce it by excluding test code or by splitting the code across several workflows so that each scan analyzes only a subset.
  • If analysis is too slow on push or pull_request events, you can trigger it only on a schedule event.

Optimizing CodeQL Queries

Some performance issues may come from custom queries. You can find common problems and how to resolve them in the CodeQL documentation on query performance troubleshooting.

Key points to remember:

  • CodeQL predicates and classes are evaluated as database tables. Large predicates generate large tables, which are expensive to compute.
  • The QL language is based on standard database operations and relational algebra: join, projection, union, etc.
  • Queries are evaluated bottom-up: a predicate is only evaluated when all predicates it depends on have been evaluated.

Debugging Artifacts

You can obtain artifacts to help debug issues with CodeQL analysis.
In your CodeQL workflow file, add the following input under the with: block of the github/codeql-action/init step; the run then uploads debug artifacts (logs and databases) when it finishes:

debug: true

Common Error Messages

To troubleshoot issues with your CodeQL workflow, it’s helpful to know the most frequent error messages.

Error: “Server error”

If a workflow run fails due to a server error, it may be a temporary communication issue.
Try rerunning the workflow. If the problem persists, contact GitHub Support.

Error: “Out of disk” or “Out of memory”

CodeQL may run out of disk space or memory on the runner if the project is too large.

  • If you use a GitHub Actions hosted runner, contact GitHub Support.
  • If you use a self-hosted runner, you may need to increase the server’s hardware resources.
    Refer to the CodeQL documentation for recommended hardware specifications.

Error: 403 “Resource not accessible by integration” when using Dependabot

Dependabot is considered untrusted when it triggers a workflow, so the workflow runs with read-only permissions.
Uploading code scanning results for a branch normally requires the security-events: write permission.

However, code scanning always allows uploading results when the pull_request event triggers the action.
For Dependabot branches, it is therefore recommended to use the pull_request event instead of push.

💡 Tip

A simple approach is to run analysis on pushes to the default branch and long-lived important branches, as well as on pull requests opened against these branches.

Here is an example configuration:


on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
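The following workflow is an added example (not from the original page) that puts the optimization tips and the trigger configuration above together: a language matrix so each language is analyzed in a parallel job, test code excluded via an inline config, a schedule trigger, debug artifacts enabled, and the security-events: write permission needed to upload results. The repository languages (JavaScript/TypeScript and Python), the tests directory and the action versions are assumptions.

```yaml
name: "CodeQL"

on:
  push:
    branches: [ main ]
  # pull_request keeps uploads working for Dependabot branches,
  # where push-triggered runs would be read-only.
  pull_request:
    branches: [ main ]
  # If push/pull_request runs are too slow, keep only this trigger.
  schedule:
    - cron: '30 1 * * 0'   # weekly, Sunday 01:30 UTC

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # required to upload code scanning results
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        # Assumed repository languages; one parallel job per entry.
        language: [ 'javascript-typescript', 'python' ]
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Upload logs and databases as workflow artifacts for troubleshooting.
          debug: true
          # Inline config: exclude test code (assumed path) to shrink analysis time.
          config: |
            paths-ignore:
              - tests

      - uses: github/codeql-action/autobuild@v3

      - uses: github/codeql-action/analyze@v3
        with:
          # Distinct category per language so results from parallel jobs
          # do not overwrite each other.
          category: "/language:${{ matrix.language }}"
```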

Error: “SARIF upload rejected due to default setup”

Uploading SARIF files is blocked when the default CodeQL configuration is enabled.

This error occurs when a process attempts to upload a SARIF file containing CodeQL analysis results to a repository where the default configuration is active.
It can also occur if the upload is performed via the REST API or the CodeQL CLI.

This block is in place to prevent confusion when multiple systems generate similar code scanning alerts.

This error only applies to SARIF files containing results generated with CodeQL.

How to Fix This Error:

Disable the default CodeQL setup in the repository’s code scanning settings, then try uploading the SARIF file again.

Learn More:

Refer to the CodeQL documentation on troubleshooting code scanning for more details.
