Troubleshoot code scanning
Generally, if you are encountering errors with CodeQL execution, the CodeQL CLI reports the status of each command it runs as an exit code. The exit code provides information for subsequent commands or for other tools that rely on the CodeQL CLI. For more information on exit code details, see Exit codes.
Error: 'database finalize' CodeQL command (32)
This error indicates a problem with finalizing the CodeQL database creation, potentially due to extraction errors or missing build steps.
Troubleshooting steps:
- Verify code exists and is compiled
- For compiled languages, verify that the build process is compiling code and is happening between the
AdvancedSecurity-Codeql-Init
and theAdvancedSecurity-Codeql-Analyze
tasks. Common build commands and required flags (such as clean no-cache/no-daemon) can be found here at Specifying build commands. - For interpreted languages, confirm that there is some source code for the specified language in the project.
- For compiled languages, verify that the build process is compiling code and is happening between the
- Check extraction errors
- Verify if extraction errors affect the CodeQL database's health.
- Review the log file for extraction errors and warnings to assess overall database health.
- Investigate overwhelming errors
- If most files encounter extractor errors, investigate further to understand the root cause of improper extraction.
Error: autobuild script (1)
This error describes an automatic build failure, suggesting an issue with code scanning setup or configuration.
Troubleshooting steps:
- Configure build steps
- Remove the AutoBuild step and instead configure specific build steps for compiled languages in your pipelines.
- Refer to setup guidelines provided in Configure GitHub Advanced Security for Azure DevOps.
Error: CodeQL directories not found in agent tool cache
This error indicates an issue with installing CodeQL for self-hosted agents.
Troubleshooting steps:
- Refer to setup guidelines or configuration scripts provided in Configure GitHub Advanced Security for Azure DevOps.
Error: language pipeline variable not set
This error occurs when attempting to run CodeQL without setting the pipeline variable specifying which languages to scan.
Troubleshooting steps:
- Set language pipeline variable
- Ensure the language pipeline variable is correctly configured. Refer to setup guidelines provided in Configure GitHub Advanced Security for Azure DevOps.
- Supported languages include
csharp
,cpp
,go
,java
,javascript
,python
,ruby
, andswift
.
CodeQL returning no results
This section provides guidance for situations where CodeQL analysis yields no results.
Troubleshooting steps:
- Check for detected vulnerabilities
- Consider the possibility that your code may genuinely have no vulnerabilities. If vulnerabilities are expected but not detected, proceed to verify further.
- Review query suite configuration
- Confirm the query suite being used and consider switching to a more comprehensive suite if necessary.
- Alternatively, custom query suites can be created for tailored analysis.
- Adjust permissions for viewing results
- Ensure proper permissions, at least at the contributor level, are granted to access analysis results. For more information, see Advanced Security permissions.
CodeQL timing out
If the AdvancedSecurity-Codeql-Analyze@1
task is displaying This job was abandoned ... we lost contact with the agent
and you are using a hosted Microsoft agent, the task is hitting the built-in six-hour timeout for paid hosted agents. You may attempt to run analysis on a self-hosted agent instead.
Code scanning task permissions
The code scanning build task uses the pipeline identity to call the Advanced Security REST APIs. By default, pipelines in the same project have access to upload the SARIF file generated by running CodeQL analysis. If these permissions are removed from the build service account or if you have a custom setup (for example, a pipeline hosted in a different project than the repository), you must grant these permissions manually.
Troubleshooting steps:
- Grant
Advanced Security: View alerts
andAdvanced Security: Manage and dismiss alerts
permission to the build service account used in your pipeline, which for project-scoped pipelines is[Project Name] Build Service ([Organization Name])
, and for collection-scoped pipelines isProject Collection Build Service ([Organization Name])
.
Manual installation of CodeQL bundle to self-hosted agent
Install the CodeQL bundle to the agent tool cache by utilizing the setup script for your architecture, available on GitHub. These scripts require the
$AGENT_TOOLSDIRECTORY
environment variable to be set to the location of the agent tools directory on the agent, e.g. C:/agent/_work/_tool
. Alternatively, you may manually implement the following steps:
- Pick the latest CodeQL release bundle from GitHub.
- Download and unzip the bundle to the following directory inside the agent tool directory, typically located under
_work/_tool
:./CodeQL/0.0.0-[codeql-release-bundle-tag]/x64/
. Using the current release ofv2.16.0
, the folder name would be titled./CodeQL/0.0.0-codeql-bundle-v2.16.0/x64/
. Learn more about the agent tool directory. - Create an empty file titled
x64.complete
within the./CodeQL/0.0.0-[codeql-release-bundle-tag]
folder. Using the previous example, the end file path to yourx64.complete
file should be./CodeQL/0.0.0-codeql-bundle-v2.16.0/x64.complete
.