paths / paths-ignore DOES seem to work for Go, yet annotation says it doesn't
I battled for a while to get the action to only run for Go and a specific directory in a multi-language mono-repo.
I seemed to be successful with the following:

```yaml
- name: Initialize CodeQL
  uses: github/codeql-action/init@v3
  with:
    languages: go
    config: |
      paths:
        - ${{ inputs.path }}
```
By successful I mean that I can see in the SARIF reports that I am only getting locations related to the go part of the repository (before I was seeing everything from all languages in the reports).
So, the evidence suggests that this combination does what I needed - yet I get the annoying annotation below on every run:
Is it a faulty annotation?
Hi @erzz,
Thank you for the question! The annotation is not faulty (cf. our documentation here). The paths array only has an effect on interpreted languages. For compiled languages (such as Go), you can either rely on autobuild or provide explicit build steps. You can use the following documentation as a guide: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language
Thanks @ginsbach
Hmmm, then perhaps the issue is more that without that input, the SARIF report is polluted with non-Go related locations, e.g.:

```json
"invocations" : [ {
  "toolExecutionNotifications" : [ {
    "locations" : [ {
      "physicalLocation" : {
        "artifactLocation" : {
          "uri" : "tests/node-sample-app/index.html",
          "uriBaseId" : "%SRCROOT%",
          "index" : 0
        }
      }
    } ],
    "message" : {
      "text" : ""
    },
    "level" : "none",
    "descriptor" : {
      "id" : "go/diagnostics/successfully-extracted-files",
      "index" : 1,
      "toolComponent" : {
        "index" : 0
      }
    },
    "properties" : {
      "formattedMessage" : {
        "text" : ""
      }
    }
  },
  ...
  {
    "locations" : [ {
      "physicalLocation" : {
        "artifactLocation" : {
          "uri" : "src/components/OutputList/index.js",
          "uriBaseId" : "%SRCROOT%",
          "index" : 5
        }
      }
    } ],
    "message" : {
      "text" : ""
    },
    "level" : "none",
    "descriptor" : {
      "id" : "cli/expected-extracted-files/javascript",
      "index" : 0
    },
    "properties" : {
      "formattedMessage" : {
        "text" : ""
      }
    }
  }, {
    "locations" : [ {
      "physicalLocation" : {
        "artifactLocation" : {
          "uri" : "sidebars.js",
          "uriBaseId" : "%SRCROOT%",
          "index" : 6
        }
      }
    } ],
    "message" : {
      "text" : ""
    },
    "level" : "none",
    "descriptor" : {
      "id" : "cli/expected-extracted-files/javascript",
      "index" : 0
    },
    "properties" : {
      "formattedMessage" : {
        "text" : ""
      }
    }
  },
  ...
```
It's nothing breaking or anything - just hard work when debugging or trying to interpret the SARIF with human eyes. With the config we get a much shorter and cleaner output only on the intended resources.
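For anyone triaging a report like the one quoted above, the following is an added example (not code from this thread or from the codeql-action project) that groups the `toolExecutionNotifications` by descriptor id and flags the locations that fall outside the directory the analysis was meant to cover. The embedded SARIF is a constructed sample shaped like the fragments above, and the scope directory `services/api` is an assumed stand-in for `${{ inputs.path }}`.

```python
import json
from collections import Counter, defaultdict

# Constructed sample shaped like the fragments quoted above; not a real report.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [],
        "invocations": [{"toolExecutionNotifications": [
            {"level": "none", "descriptor": {"id": "go/diagnostics/successfully-extracted-files"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/node-sample-app/index.html"}}}]},
            {"level": "none", "descriptor": {"id": "go/diagnostics/successfully-extracted-files"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/api/main.go"}}}]},
            {"level": "none", "descriptor": {"id": "cli/expected-extracted-files/javascript"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/OutputList/index.js"}}}]},
            {"level": "none", "descriptor": {"id": "cli/expected-extracted-files/javascript"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sidebars.js"}}}]},
        ]}],
    }],
})

def notification_uris(sarif):
    """Yield (descriptor id, uri) for every location in every toolExecutionNotification."""
    for run in sarif.get("runs", []):
        for inv in run.get("invocations", []):
            for note in inv.get("toolExecutionNotifications", []):
                rule = note.get("descriptor", {}).get("id", "<no id>")
                for loc in note.get("locations", []):
                    uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                    if uri:
                        yield rule, uri

def summarise(sarif_text, scope_prefix):
    """Return (notifications per rule id, URIs per rule id that lie outside scope_prefix)."""
    sarif = json.loads(sarif_text)
    by_rule, out_of_scope = Counter(), defaultdict(list)
    prefix = scope_prefix.rstrip("/") + "/"  # scope_prefix is relative to %SRCROOT%
    for rule, uri in notification_uris(sarif):
        by_rule[rule] += 1
        if not uri.startswith(prefix):
            out_of_scope[rule].append(uri)
    return dict(by_rule), dict(out_of_scope)

if __name__ == "__main__":
    # "services/api" is an assumed scope directory standing in for ${{ inputs.path }}.
    rules, noise = summarise(SAMPLE_SARIF, "services/api")
    for rule, count in rules.items():
        print(f"{rule}: {count} notification(s), {len(noise.get(rule, []))} outside scope")
```

Point it at the real `sarif-output` file instead of `SAMPLE_SARIF` to see at a glance which diagnostics are the informational `expected-extracted-files` notices and which Go extraction entries reference files outside the intended directory.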
I have asked the Go team for a clarification.
Can you post or link to your whole codeql action yaml file?
Hi - sure! It's actually a reusable workflow with a bunch of security-related jobs... but here are the relevant parts at least:

```yaml
jobs:
  # <---------------------- CODEQL ----------------------->
  codeql:
    if: ${{ inputs.codeql-enable }}
    name: CodeQL
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Source
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: "${{ inputs.path }}/${{ inputs.go-version-file }}"
          check-latest: ${{ inputs.go-check-latest }}
          cache: ${{ inputs.go-cache }}
          cache-dependency-path: "${{ inputs.path }}/${{ inputs.go-cache-path }}"
          architecture: ${{ inputs.go-architecture }}
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: go
      - name: Run build
        run: |
          cd "$GITHUB_WORKSPACE/${{ inputs.path }}"
          ${{ inputs.build-command }}
      - name: Perform CodeQL Analysis
        id: codeql
        uses: github/codeql-action/analyze@v3
      - name: Upload Reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: CodeQL Reports
          path: ${{ steps.codeql.outputs.sarif-output }}
```
Ah sorry, @ginsbach is right; this is expected behaviour. The various "expected-extracted-file" reports serve to inform the UI that it could be useful to enable languages other than golang if they are not already being analysed.