Languages excluded from scan
Question
What does the CodeQL scan issue “Languages excluded from scan” mean and how can I detect it?
Answer
All scannable languages used by the application in production, including infrastructure-as-code (IaC) files (Docker, Kubernetes, Terraform, etc.), must be included in the scan.
This scan issue indicates that the developer has excluded one or more languages from the scan in the validation request form. The languages may either be explicitly excluded or may be implicitly excluded by limiting which directories are scanned.
How to detect
This issue is detected by reviewing the "excluded languages" and "included directories" fields of the validation request form.
If either field explicitly or implicitly excludes scannable languages in production code and no explanation for the exclusion is given, this issue is reported.
For example, if the Dockerfile language is explicitly excluded, or the list of included directories omits a kubernetes or terraform directory that is present in the code base, and no acceptable reason for the exclusion is given, then this is an issue.
Note that if the excluded code is obviously not production code (for example, all Python code is in a test directory), this issue will not be counted against passing; documenting the exclusion is still strongly recommended.
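The detection rule above, as an added example that is not part of the original answer or of any CodeQL tooling: a small checker that takes the two form fields (excluded languages, included directories) plus any stated reasons, walks a constructed file listing of a hypothetical repository, and reports scannable languages that are explicitly or implicitly excluded without justification, while ignoring code under test directories. The extension-to-language table, the test directory names and the sample repository are assumptions.

```python
"""Flag scannable languages excluded from a CodeQL scan without a stated reason.

Added example, not part of the original page. Detection rule implemented here:
  - a language listed as excluded, with no reason given, is an explicit exclusion;
  - a production directory holding scannable code that is not covered by the
    included-directories list, with no reason given, is an implicit exclusion;
  - code under test directories is never counted against passing.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PurePosixPath

# Assumed mapping from file extensions / file names to the languages the form lists.
EXTENSION_LANGUAGE = {
    ".py": "python",
    ".js": "javascript",
    ".ts": "javascript",
    ".go": "go",
    ".java": "java",
    ".tf": "terraform",
    ".yaml": "kubernetes",
    ".yml": "kubernetes",
}
FILENAME_LANGUAGE = {"Dockerfile": "dockerfile"}

# Assumed names of directories that hold non-production (test) code.
TEST_DIR_NAMES = {"test", "tests", "spec"}


@dataclass
class ValidationForm:
    """The request form fields this check reads (hypothetical field names)."""
    excluded_languages: frozenset[str]
    included_directories: frozenset[str]  # empty means the whole code base is scanned
    exclusion_reasons: dict[str, str]     # language or top-level directory -> reason


@dataclass(frozen=True)
class Finding:
    language: str
    directory: str  # top-level directory of the affected files
    kind: str       # "explicit" (language excluded) or "implicit" (directory not included)


def language_of(path: str) -> str | None:
    """Return the scannable language of a file, or None if it is not scannable."""
    p = PurePosixPath(path)
    if p.name in FILENAME_LANGUAGE:
        return FILENAME_LANGUAGE[p.name]
    return EXTENSION_LANGUAGE.get(p.suffix)


def is_test_path(path: str) -> bool:
    """True if any directory on the path is a recognised test directory."""
    return any(part in TEST_DIR_NAMES for part in PurePosixPath(path).parts[:-1])


def is_included(path: str, included_directories: frozenset[str]) -> bool:
    """True if the file lies under one of the included directories (or none are set)."""
    if not included_directories:
        return True
    p = PurePosixPath(path)
    return any(p.is_relative_to(d) for d in included_directories)


def check_form(repo_files: list[str], form: ValidationForm) -> list[Finding]:
    """Apply the detection rule to a repository file listing and a submitted form."""
    findings: set[Finding] = set()
    for path in repo_files:
        language = language_of(path)
        if language is None or is_test_path(path):
            continue  # not scannable, or obviously not production code
        parts = PurePosixPath(path).parts
        top = parts[0] if len(parts) > 1 else "."
        if language in form.excluded_languages:
            if language not in form.exclusion_reasons:
                findings.add(Finding(language, top, "explicit"))
        elif not is_included(path, form.included_directories):
            if top not in form.exclusion_reasons:
                findings.add(Finding(language, top, "implicit"))
    return sorted(findings, key=lambda f: (f.kind, f.language, f.directory))


def report(findings: list[Finding]) -> list[str]:
    """Render findings as one line each, in the wording the answer above uses."""
    return [
        f"{f.kind} exclusion without reason: {f.language} code in {f.directory}/"
        for f in findings
    ]


# Constructed sample: file listing of a hypothetical repository.
SAMPLE_REPO_FILES = [
    "src/app/main.py",
    "src/app/handlers.py",
    "web/index.js",
    "deploy/Dockerfile",
    "kubernetes/deployment.yaml",
    "terraform/main.tf",
    "test/test_main.py",
]

# Constructed sample: Dockerfiles excluded outright, only src/, web/ and test/
# scanned, and no reasons given for any of it.
SAMPLE_FORM = ValidationForm(
    excluded_languages=frozenset({"dockerfile"}),
    included_directories=frozenset({"src", "web", "test"}),
    exclusion_reasons={},
)

if __name__ == "__main__":
    for line in report(check_form(SAMPLE_REPO_FILES, SAMPLE_FORM)):
        print(line)
```

Run against the sample, the checker reports the explicitly excluded Dockerfile under deploy/ and the implicitly excluded kubernetes/ and terraform/ directories; supplying a reason for each (keyed by language or directory) clears the finding, and Python that lives only under test/ is never reported.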