github
CodeQL action times out after six hours
We're trying to configure CodeQL for our TypeScript monorepo. For TypeScript, it times out after six hours.
We have just over a million lines of TypeScript in a private repo. This is running on a 30-core runner with 120 GB memory, so resources should not be an issue: and iterating on this also gets quite expensive!
We have this in .github/codeql/codeql-configuration.yml:
query-filters:
- exclude:
id: js/regex-injection
And this in .github/workflows/codeql.yml:
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL Advanced"
on:
push:
branches: ["master"]
pull_request:
branches: ["master"]
schedule:
- cron: "31 11 * * 4"
jobs:
analyze:
name: Analyze (${{ matrix.language }})
# Runner size impacts CodeQL analysis time. To learn more, please see:
# - https://gh.io/recommended-hardware-resources-for-running-codeql
# - https://gh.io/supported-runners-and-hardware-resources
# - https://gh.io/using-larger-runners (GitHub.com only)
# Consider using larger runners or machines with greater resources for possible analysis time improvements.
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubicloud-standard-30' }}
permissions:
# required for all workflows
security-events: write
# required to fetch internal or private CodeQL packs
packages: read
# only required for workflows in private repositories
actions: read
contents: read
strategy:
fail-fast: false
matrix:
include:
- language: actions
build-mode: none
- language: java-kotlin
build-mode: autobuild
- language: javascript-typescript
build-mode: none
- language: swift
build-mode: autobuild
# CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
# Use `c-cpp` to analyze code written in C, C++ or both
# Use 'java-kotlin' to analyze code written in Java, Kotlin or both
# Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
# To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
# see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
# If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Add any setup steps before running the `github/codeql-action/init` action.
# This includes steps like installing compilers or runtimes (`actions/setup-node`
# or others). This is typically only required for manual builds.
# - name: Setup runtime (example)
# uses: actions/setup-example@v1
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
debug: true
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
# If the analyze step fails for one of the languages you are analyzing with
# "We were unable to automatically build your code", modify the matrix above
# to set the build mode to "manual" for that language. Then modify this step
# to build your code.
# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- if: matrix.build-mode == 'manual'
shell: bash
run: |
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
'your code, for example:'
echo ' make bootstrap'
echo ' make release'
exit 1
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
Despite having debug mode enabled, the last lines logged are all like this:
[2025-05-09 06:02:41] [build-stdout] Done extracting /home/runner/work/.../file.ts(3 ms)
[2025-05-09 06:02:41] [build-stdout] Extracting /home/runner/work/.../file.ts
[2025-05-09 06:02:41] [build-stdout] Done extracting /home/runner/work/.../file.ts (4 ms)
[2025-05-09 06:02:41] [build-stdout] Extracting /home/runner/work/.../file.ts
Then nothing until the job times out. One curious thing is that the last line is not 'done extracting', but rather just 'extracting'.
How can we debug this?
Related: https://github.com/github/codeql-action/issues/2756 / https://github.com/github/codeql-action/issues/2378
Hi @smcgivern,
My first impression is that this is unrelated to the issues you link, as this is Javascript (not Kotlin/Java) and as it's hanging during extraction (not analysis). My first guess is that there's something in one of your typescript files that results in an infinite loop somewhere in our code. Is the file mentioned in the last log line you see always the same file? If so, have you tried ignoring the file with the paths-ignore option (see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan)?
@jketema thank you! This did work - I had to exclude five files in the end to get analysis to run, and then it ran perfectly fine (~10 mins).
Is there a way I can share those files privately to see what could be causing the failure to extract?
EDIT: we're on a paid plan so I could add them to a support ticket, for instance.
We're also having issues with CodeQL timing out. Support ticket 3508902. Issue started on May 17.
Even if I do just a single check in isolation it sits basically forever (I cancel after 30 mins).
disable-default-queries: true
queries:
- uses: github/codeql/javascript/ql/src/Security/CWE-022/ZipSlip.ql@main
However, the entire suite enabled and pinned to v2.21.2 runs in under 2 minutes.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
config-file: ${{ matrix.config-file }}
tools: https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.21.2/codeql-bundle-linux64.tar.gz
Seems like something snuck in to version v2.21.3 which was updated in https://github.com/github/codeql-action/releases/tag/v3.28.18, released May 16.
EDIT: If I exclude these checks it does work on latest version.
query-filters:
- exclude:
id: js/useless-regexp-character-escape
- exclude:
id: js/incomplete-hostname-regexp
- exclude:
id: js/incomplete-url-substring-sanitization
- exclude:
id: js/overly-large-range
- exclude:
id: js/zipslip
- exclude:
id: js/path-injection
- exclude:
id: js/unnecessary-use-of-cat
- exclude:
id: js/command-line-injection
- exclude:
id: js/second-order-command-line-injection
- exclude:
id: js/xss-through-dom
- exclude:
id: js/xss-through-exception
- exclude:
id: js/reflected-xss
- exclude:
id: js/html-constructed-from-input
- exclude:
id: js/xss
- exclude:
id: js/sql-injection
- exclude:
id: js/code-injection
- exclude:
id: js/unsafe-dynamic-method-access
- exclude:
id: js/client-exposed-cookie
- exclude:
id: js/bad-tag-filter
- exclude:
id: js/incomplete-multi-character-sanitization
- exclude:
id: js/incomplete-sanitization
- exclude:
id: js/tainted-format-string
- exclude:
id: js/stack-trace-exposure
- exclude:
id: js/disabling-certificate-validation
- exclude:
id: js/clear-text-storage-of-sensitive-data
- exclude:
id: js/clear-text-logging
- exclude:
id: js/insufficient-key-size
- exclude:
id: js/weak-cryptographic-algorithm
- exclude:
id: js/insecure-randomness
- exclude:
id: js/cors-misconfiguration-for-credentials
- exclude:
id: js/resource-exhaustion-from-deep-object-traversal
- exclude:
id: js/unsafe-deserialization
- exclude:
id: js/sensitive-get-query
- exclude:
id: js/server-side-unvalidated-url-redirection
- exclude:
id: js/client-side-unvalidated-url-redirection
- exclude:
id: js/xxe
- exclude:
id: js/clear-text-cookie
- exclude:
id: js/regex-injection
- exclude:
id: js/unvalidated-dynamic-method-call
- exclude:
id: js/resource-exhaustion
- exclude:
id: js/missing-rate-limiting
- exclude:
id: js/xml-bomb
- exclude:
id: js/insecure-download
- exclude:
id: js/loop-bound-injection
- exclude:
id: js/type-confusion-through-parameter-tampering
- exclude:
id: js/prototype-polluting-assignment
- exclude:
id: js/insufficient-password-hash
- exclude:
id: js/request-forgery
- exclude:
id: js/stored-xss
- exclude:
id: js/shell-command-injection-from-environment
- exclude:
id: js/polynomial-redos
- exclude:
id: js/redos
- exclude:
id: js/shell-command-constructed-from-input
This sounds like a different case. In our case support told us to skip types with this env var:
CODEQL_EXTRACTOR_JAVASCRIPT_OPTION_SKIP_TYPES: true
And that the team is:
actively working on replacing type extraction which is expected to solve the issue
But also that there is no public issue for that to follow 🤷
This sounds like a different case. In our case support told us to skip types with this env var:
CODEQL_EXTRACTOR_JAVASCRIPT_OPTION_SKIP_TYPES: trueAnd that the team is:
actively working on replacing type extraction which is expected to solve the issue
But also that there is no public issue for that to follow 🤷
Thanks for closing this. There is a PR up that covers a large part of that work: https://github.com/github/codeql/pull/19640