Branch not scanned

Question

What does the CodeQL scan issue “Branch not scanned” mean and how can I detect it?

Answer

By default, CodeQL will only scan the default branch of a repository unless configured to scan additional branches.

This scan issue indicates that a review has been requested for a branch that has not been scanned or has not been scanned recently, so a recent scan for the branch cannot be found.
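One way to avoid the issue is to widen the workflow triggers so that every branch on which reviews are requested gets its own scan. The workflow below is an added example, not text from the original page: the branch names `main` and `release/**` and the weekly cron schedule are assumptions, and the language matrix uses `javascript` to match the job name shown in the steps that follow.

```yaml
name: "CodeQL"

on:
  push:
    # The default template only lists the default branch here, so pushes to
    # other long-lived branches never produce a scan. Add the branches that
    # reviewers are expected to request reviews on.
    branches: [ "main", "release/**" ]
  pull_request:
    # Scanning pull requests targeting these branches gives each review a
    # recent scan of the PR's branch instead of "Branch not scanned".
    branches: [ "main", "release/**" ]
  schedule:
    # Assumed weekly scheduled scan of the default branch.
    - cron: "30 3 * * 1"

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write   # needed to upload SARIF results
    strategy:
      fail-fast: false
      matrix:
        language: [ "javascript" ]
    steps:
      # This is the "Checkout repository" step whose "Checking out the ref"
      # log line shows which branch was actually analyzed.
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

After the change, a run named "Push on <branch>" should appear under the Actions tab for each listed branch, and its checkout log should name that branch.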

How to detect

The branch that was scanned can be determined from the logs of each CodeQL run. To find it, follow these steps (the exact form of these steps may vary depending on how scanning is configured):

  • Navigate to your application’s GitHub repository and select the “Actions” tab:

    Image of tab that says 'Actions'

  • Choose a recent CodeQL action run to view. The run name will usually include “CodeQL” and an indication of what triggered it, such as “Scheduled” or “Push on <branch>”. Click on the action run:

    Image of workflow action titles 'Scheduled' with an action name of 'CodeQL'.

  • Next select the job summary of the CodeQL action:

    Image of workflow action jobs page with the 'Matrix: Analyze' job showing '1 job completed'.

  • Next select the analysis job that ran within the CodeQL action (for example “Analyze (javascript)”):

    Image of workflow action jobs page with the 'Matrix: Analyze' job showing 'Analyze (javascript)'.

  • At this point you should see a log listing each step of the selected job:

    Image of log page with expandable sections for each step of the job.

  • Expand the “Checkout repository” step. This name may vary, but it should be wherever the actions/checkout action is run.

    Image of log page with 'Checkout repository' expanded.

  • Finally, expand the “Checking out the ref” step, which performs the git checkout and shows the ref (branch) being analyzed.

    Image of log page with 'Checking out the ref' expanded.