[Public Beta] CodeQL can scan Java and C# projects without a build #113548
Replies: 4 comments 8 replies
Can you clarify how this works internally? Is there a new extractor that directly parses Java and Kotlin code (similar to Javascript, Typescript, and Python) or does it still try to run an autobuild and then try to analyze the instrumented results of the failed build? I tried this out on a Java repository (no Kotlin code) that had never had CodeQL enabled and noticed it still ran the autobuild action.
As of my last update in January 2022, CodeQL, a semantic code analysis engine developed by GitHub, allows for scanning Java projects without requiring a build. This capability enables developers to perform static analysis on Java codebases without having to compile the code first. By directly analyzing the source code, CodeQL can detect security vulnerabilities, bugs, and other issues in Java projects.
Any estimate on when this might leave public beta, and be available also for GitHub Enterprise Server?
This statement and blog post were made on June 20, 2024. When will
A key requirement for scanning Java with CodeQL was to have a working build. We are now able to scan Java projects without the need for a working build. We really ❤️ feedback and while this feature is in a public beta we welcome feedback about this new approach for scanning Java.
June 20, 2024: CodeQL can now scan C# without a working build.
If you prefer sharing feedback directly, feel free to reach out at [email protected].
Who is this available for?
- Use the `build-mode: none` option to trigger this behaviour.
- CodeQL CLI 2.16.5. Use the `--build-mode none` option to trigger this behaviour.
- CodeQL CLI 2.17.6. Use the `--build-mode none` option to trigger this behaviour.
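The `--build-mode none` option from the announcement, as an added example that is not code from this discussion or from GitHub's CodeQL project: a small POSIX shell helper that picks the `codeql database create` command for a Java or C# repository, enabling buildless analysis only when the CLI version meets the minimums quoted above (2.16.5 for Java, 2.17.6 for C#) and otherwise falling back to CodeQL's default build so the scan still runs. The `--language` values `java` and `csharp`, the version-gating logic, and the fallback behaviour are the example's own assumptions, not something the announcement states.

```shell
#!/bin/sh
# Added example (not from the discussion or from GitHub's CodeQL code):
# choose the CodeQL CLI invocation for a Java or C# repository, using the
# buildless mode announced in the thread only when the installed CLI is new
# enough, and falling back to the default build otherwise.
# Assumptions: `codeql database create` accepts `--language` and
# `--build-mode none` as described in the thread; the minimum CLI versions
# are the ones quoted there (2.16.5 for Java, 2.17.6 for C#).

# Minimum CLI version that supports `--build-mode none` for a language.
# Prints the version, or returns 1 when no buildless mode is known.
buildless_min_version() {
  case "$1" in
    java)   echo 2.16.5 ;;
    csharp) echo 2.17.6 ;;
    *)      return 1 ;;
  esac
}

# version_ge A B: succeed when dotted version A >= B, comparing each
# numeric component in turn (so 2.16.10 > 2.16.5, unlike a string compare).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# codeql_create_cmd LANG CLI_VERSION DB_DIR
# Prints the `codeql database create` command to run. Adds `--build-mode none`
# only when the CLI version supports it for LANG; otherwise prints the plain
# command so CodeQL's default build is used, and explains why on stderr.
codeql_create_cmd() {
  lang=$1 cli_version=$2 db_dir=$3
  min=$(buildless_min_version "$lang") || {
    echo "note: no buildless mode known for $lang; using the default build" >&2
    echo "codeql database create $db_dir --language $lang"
    return 0
  }
  if version_ge "$cli_version" "$min"; then
    echo "codeql database create $db_dir --language $lang --build-mode none"
  else
    echo "note: CLI $cli_version < $min; $lang still needs a working build here" >&2
    echo "codeql database create $db_dir --language $lang"
  fi
}

# Demo with a constructed version string. On a real runner, take the version
# from the installed CLI (for example the "version" field printed by
# `codeql version --format=json`) instead of the placeholder default below.
codeql_create_cmd java "${CODEQL_VERSION:-2.16.5}" codeql-db-java
codeql_create_cmd csharp "${CODEQL_VERSION:-2.16.5}" codeql-db-csharp
```

With the constructed default of 2.16.5, the Java command gets `--build-mode none` while the C# command does not, which mirrors the two CLI thresholds in the announcement. In a GitHub Actions workflow the equivalent switch is the `build-mode: none` option the announcement mentions; this helper covers the CLI path.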