Source code not scanned
Question
What does the CodeQL scan issue “Source code not scanned” mean and how can I detect it?
Answer
This scan issue indicates that CodeQL did not scan all files for one or more languages. If these files are part of the application and should be included in the scan, the scan must be adjusted to include those files.
How to detect
The following steps may be taken to determine if there are any files not scanned in a repository:
- Navigate to your application’s GitHub repository and select the “Security” tab.
- On the left-hand side of the “Security overview” page is a section showing the number of open vulnerability alerts. Select the “Code scanning” menu item to view the alerts.
- Near the top of the page is the Tool Status bar. Select the “Tools” button.
- You should now see a CodeQL page that shows “Scanned files” and “Setup types”. The “Scanned files” section shows, for each language, the number of files scanned and the number of files present. If not all files were scanned, further investigation is required. In the upper right-hand corner of this section there is a download button, as highlighted below. Click it to download a CSV file with details.
- The downloaded CSV lists every file associated with each scanned language along with a “Successfully Extracted” column. Any file for which this column reads “FALSE” was not scanned, and the developer must determine whether that file should have been scanned.