.NET Framework 4.x Example

How do I build a .NET Framework Application on GitHub Actions?

.NET Framework is the Windows-only precursor to .NET Core and .NET 5. You can build and scan .NET Framework applications with GitHub Actions by using a Windows runner.

Below is an example of a GitHub Actions workflow that builds a .NET Framework 4.x application and runs a CodeQL scan.

name: "CodeQL"

on:
  push:
    branches: [ "main" ]  # assumed default branch name; change to match your repository
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: '20 12 * * 4'

jobs:
  analyze-csharp:
    name: Analyze C#
    runs-on: windows-8-cores-latest
    timeout-minutes: 30
    permissions:
      actions: read
      contents: read
      security-events: write  # required to upload CodeQL results to code scanning
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          lfs: true
      - name: Setup MSBuild
        uses: microsoft/setup-msbuild@v1
      - name: Setup NuGet
        uses: nuget/setup-nuget@v1
      # CodeQL must be initialized before the build so it can observe compilation
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: csharp
      - name: Restore NuGet Packages
        run: nuget restore <path>\<to>\<solution>.sln
      - name: Build Solution
        run: msbuild <path>\<to>\<solution>.sln /t:rebuild /p:Platform="Any CPU" /p:Configuration="Debug"
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:csharp"

Building .NET Framework applications requires some additional work. In particular, you must set up NuGet and MSBuild. The example above uses the microsoft/setup-msbuild and nuget/setup-nuget actions to do this.

Many .NET Framework applications also contain NuGet packages in the repository itself, and many of these are tracked using Large File Storage (LFS). The example above uses the actions/checkout action to check out the repository, with the lfs: true option to ensure that LFS files are checked out correctly. This is optional and will not affect your scan if you leave it enabled and your repository does not contain LFS files.
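
As an added example (not part of the original page or of any project's code), the Python script below can run as a step between checkout and NuGet restore to confirm that LFS-tracked packages were actually downloaded rather than left as Git LFS pointer stubs, which is what a checkout without lfs: true produces. The function names and the .nupkg/.dll extension list are assumptions made for illustration.

```python
"""Fail early if LFS-tracked build inputs are still Git LFS pointer stubs (added example)."""
import os
import re
import sys

# A Git LFS pointer is a small text file whose first line names the spec version.
POINTER_PREFIX = b"version https://git-lfs.github.com/spec/v1"
POINTER_MAX_BYTES = 1024  # the LFS spec requires pointer files to be under 1024 bytes
OID_RE = re.compile(rb"^oid sha256:([0-9a-f]{64})\r?$", re.M)
SIZE_RE = re.compile(rb"^size (\d+)\r?$", re.M)


def parse_pointer(path):
    """Return (oid, size) if path is an LFS pointer stub, else None."""
    try:
        if os.path.getsize(path) >= POINTER_MAX_BYTES:
            return None  # too large to be a pointer: real content
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return None  # unreadable entries are not treated as pointers
    if not data.startswith(POINTER_PREFIX):
        return None
    oid, size = OID_RE.search(data), SIZE_RE.search(data)
    if not (oid and size):
        return None
    return oid.group(1).decode(), int(size.group(1))


def find_unhydrated(root, extensions=(".nupkg", ".dll")):
    """List (relative path, expected size) for matching files that are still pointers."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip Git internals
        for name in filenames:
            if not name.lower().endswith(extensions):  # assumed extension list
                continue
            full = os.path.join(dirpath, name)
            ptr = parse_pointer(full)
            if ptr:
                hits.append((os.path.relpath(full, root), ptr[1]))
    return sorted(hits)


if __name__ == "__main__":
    stubs = find_unhydrated(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, size in stubs:
        # GitHub Actions workflow command: surfaces the finding as an error annotation
        print(f"::error file={rel}::Git LFS pointer not hydrated (expected {size} bytes)")
    sys.exit(1 if stubs else 0)
```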

Once the build environment is set up, we run the nuget restore command to restore the NuGet packages and then the msbuild command to build the solution. Once the solution is built, we run the CodeQL analysis using the github/codeql-action/analyze action.