Scannable languages not scanned

Question

What does the CodeQL scan issue “Scannable languages not scanned” mean and how can I detect it?

Answer

This scan issue indicates that the application includes source code written in programming languages that CodeQL can scan, but those languages were not scanned. That portion of the codebase has therefore not been analyzed for potential security issues, as a result of CodeQL configuration issues.

How to detect

Three sets of information are required to determine if this is an issue:

  1. Which languages does CodeQL scan
  2. Which languages are used in the application
  3. Which languages have been scanned by CodeQL

If there are languages CodeQL can scan that are in use by the application, but have not been scanned by CodeQL, then this issue must be resolved.

Now let’s look at where we can find each of these.

1. Which languages does CodeQL scan

This information can be found on GitHub’s CodeQL Supported Languages and Frameworks page.

2. Which languages are used in the application

GitHub’s Language API can be used as a first approximation to determine which languages are used by the application. While this can be accessed as an API call, a summary of the languages used is provided on the main page for each repository.

The main languages used are shown at the bottom of the right-hand column of the main repository page. Languages that represent only a small portion of the code may be grouped into “Other”; however, some of the languages in “Other” may still need to be scanned.

Image of Languages section on GitHub repository main page. This one shows Java and Other.

3. Which languages have been scanned by CodeQL

To view which languages have been scanned by CodeQL, follow these steps:

  • Navigate to your application’s GitHub repository and select the “Security” tab:

    Image of tab that says Security

  • On the left-hand side of the “Security overview” page will be a section showing the number of open vulnerability alerts. Select the “Code scanning” menu item to view the alerts:

    Image of vulnerability alert menu with code scanning highlighted

  • Near the top of the page is the Tool Status bar. Select the “Tools” button:

    Image of tool status bar with `Tools` button highlighted.

  • You should now see a CodeQL page that shows “Scanned files” and “Setup types”. The “Scanned files” section lists each language scanned, along with the number of files scanned and the number of files present in that language.

    Image of scanned files section of page showing C# and JavaScript files scanned.
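The three-step check above can be automated. The following script is an added example and is not part of the original page or of GitHub's tooling: it takes the language breakdown in the shape returned by GitHub's Languages API (`GET /repos/{owner}/{repo}/languages`, a map of language name to byte count), maps each language to the CodeQL language that covers it, and reports which scannable languages are missing from the set of languages CodeQL actually scanned (the set read from the “Scanned files” page, here supplied by hand). The `CODEQL_LANGUAGE_FOR` mapping is an assumption that should be verified against the Supported Languages page, the sample language breakdown is constructed, and the `fetch_repo_languages` helper is only used for a live lookup, not in the offline run.

```python
"""Flag CodeQL-scannable languages that a repository uses but did not scan.

Added example, not from the original page. Assumptions:
  - CODEQL_LANGUAGE_FOR (linguist name -> CodeQL language id) matches the
    current CodeQL Supported Languages page; verify before relying on it.
  - `scanned` holds the CodeQL language ids read from the Code scanning
    "Tools" page (e.g. {"java"}).
"""
import json
import urllib.request

# Linguist language name -> CodeQL language identifier (assumed mapping).
CODEQL_LANGUAGE_FOR = {
    "C": "cpp", "C++": "cpp",
    "C#": "csharp",
    "Go": "go",
    "Java": "java", "Kotlin": "java",
    "JavaScript": "javascript", "TypeScript": "javascript",
    "Python": "python",
    "Ruby": "ruby",
    "Swift": "swift",
}


def fetch_repo_languages(owner, repo, token):
    """Live lookup via GitHub's Languages API; returns {language: bytes}.

    Not exercised offline; requires a token with read access to the repo.
    """
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/languages",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def codeql_coverage(repo_languages, scanned):
    """Classify each repository language as scanned, unscanned or unsupported.

    repo_languages: {linguist name: byte count}, as the Languages API returns.
    scanned: set of CodeQL language ids that code scanning actually ran.
    Returns {"scanned": {...}, "unscanned": {...}, "unsupported": {...}} with
    each value mapping language name -> percentage share of the codebase.
    Note that the API lists every language, including those the repository
    page folds into "Other", so small-share languages are not hidden here.
    """
    total = sum(repo_languages.values()) or 1
    report = {"scanned": {}, "unscanned": {}, "unsupported": {}}
    for name, nbytes in repo_languages.items():
        share = round(100 * nbytes / total, 1)
        codeql_lang = CODEQL_LANGUAGE_FOR.get(name)
        if codeql_lang is None:
            report["unsupported"][name] = share      # CodeQL cannot scan it
        elif codeql_lang in scanned:
            report["scanned"][name] = share
        else:
            report["unscanned"][name] = share        # the issue this page describes
    return report


def has_scannable_languages_not_scanned(report):
    """True when at least one CodeQL-scannable language was left unscanned."""
    return bool(report["unscanned"])


# Constructed sample: a Java service with a JavaScript front end and a small
# amount of Python tooling; only Java was configured for CodeQL.
SAMPLE_LANGUAGES = {
    "Java": 950_000,
    "JavaScript": 40_000,
    "Python": 6_000,       # would appear under "Other" on the repo page
    "Dockerfile": 3_000,
    "Shell": 1_000,
}
SAMPLE_SCANNED = {"java"}

if __name__ == "__main__":
    result = codeql_coverage(SAMPLE_LANGUAGES, SAMPLE_SCANNED)
    for bucket, langs in result.items():
        print(f"{bucket}:")
        for name, share in langs.items():
            print(f"  {name}: {share}%")
    if has_scannable_languages_not_scanned(result):
        print("Issue: scannable languages not scanned ->",
              ", ".join(result["unscanned"]))
```

For a real repository, replace `SAMPLE_LANGUAGES` with `fetch_repo_languages(owner, repo, token)` and `SAMPLE_SCANNED` with the language ids shown on the “Scanned files” page. Because the API returns every language rather than grouping small ones into “Other”, a 0.6% Python share that the repository page would hide still shows up as unscanned, which is exactly the case the caveat in step 2 warns about.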