How to exclude languages that cannot be scanned

Question

I received a pull request to enable CodeQL scanning in my application's GitHub repository, but have some code that cannot be scanned. How do I exclude a language from being scanned?

This is Step #3 for configuring CodeQL scans for both GitHub CI and Jenkins CI. This step is performed after updating the emass.json file. For GitHub CI it comes before the "update when scans are run" step; for Jenkins CI it comes before the "remove the codeql-analysis workflow" step.

Answer

Note: Some languages are mapped to other language packs in CodeQL. For example, typescript is mapped to javascript, kotlin to java, and C to C++. To learn more, see the "How are repo languages identified" technical note.

While the pull request has automatically identified all eligible languages used in the repository, the automation cannot determine whether your code can actually be analyzed. For code to be analyzed it must contain an entry point, i.e., it must call some function or contain a main() method. Code that is simply a library of functions that your application never calls cannot be analyzed with CodeQL.

If you need to remove a language from the scan because it cannot be analyzed, there are two steps to exclude the language:

  1. (required, if using GitHub Actions) Remove the language from the list of scanned languages: Edit the workflow file included in the CodeQL enablement pull request, codeql-analysis.yml, and remove the language from the list of languages in the strategy section. The strategy section might look as follows:

       strategy:
         fail-fast: false
         matrix:
           language:
             - java
             - javascript
    
  2. (optional) Exclude the language from alerts: By default, every CodeQL-scannable language used in your repository must be scanned. If you removed a language in the step above, the system owner will receive periodic alerts that the removed language is not scanned. To avoid these alerts, edit the pull request by adding a file named codeql.yml to the .github directory and list the languages to exclude as follows:

     excluded_languages:
       - name: language1
         reason: "Justification for why this language is excluded"
       - name: language2
         reason: "Justification for why this language is excluded"
    

    For example, if your repository contained JavaScript and C++ and you wished to exclude JavaScript, your codeql.yml would look like this:

     excluded_languages:
       - name: javascript
         reason: "Repository contains only library code and no executable code"
    

Once the changes are complete, commit the changes to the pull request branch.
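As an added sanity check before committing (this script is not part of the enablement pull request or of this note), the following Python cross-checks the two files described above: it reads the strategy matrix from codeql-analysis.yml and the excluded_languages list from codeql.yml, applies the language-pack aliases from the note, and reports any language that is both scanned and excluded, or any exclusion whose reason is empty or still the template text. The file contents are constructed samples, and the parsers handle only the block-style YAML shown in this note, not arbitrary YAML.

```python
import re

# Language-pack aliases from the note above (typescript->javascript, etc.):
# an exclusion of "typescript" must be checked against a "javascript" scan.
ALIASES = {"typescript": "javascript", "kotlin": "java", "c": "c++"}

def canonical(lang):
    lang = lang.strip().strip("'\"").lower()
    return ALIASES.get(lang, lang)

def matrix_languages(workflow_text):
    """Languages under strategy.matrix.language in codeql-analysis.yml (block form)."""
    langs, in_list = set(), False
    for line in workflow_text.splitlines():
        s = line.strip()
        if s == "language:":
            in_list = True
        elif in_list and s.startswith("- "):   # one "- lang" entry per line
            langs.add(canonical(s[2:]))
        elif in_list and s:                    # first other key ends the list
            break
    return langs

def excluded_languages(codeql_yml_text):
    """Canonical name -> reason, from the excluded_languages list in codeql.yml."""
    entries, current = {}, None
    for line in codeql_yml_text.splitlines():
        s = line.strip()
        if m := re.match(r"-\s*name:\s*(\S+)", s):
            current = canonical(m.group(1))
            entries[current] = ""
        elif (m := re.match(r"reason:\s*(.*)", s)) and current:
            entries[current] = m.group(1).strip().strip("'\"")
    return entries

def check_exclusions(workflow_text, codeql_yml_text):
    """Problems to fix before committing: scanned-and-excluded, or template reason."""
    scanned = matrix_languages(workflow_text)
    problems = []
    for lang, reason in excluded_languages(codeql_yml_text).items():
        if lang in scanned:
            problems.append(f"{lang}: excluded in codeql.yml but still in the workflow matrix")
        if not reason or reason.startswith("Justification for"):
            problems.append(f"{lang}: exclusion needs a real justification")
    return problems

# Constructed samples: the matrix still scans javascript, while codeql.yml
# excludes typescript (alias of javascript) and kotlin with the template reason.
WORKFLOW = "strategy:\n  matrix:\n    language:\n      - java\n      - javascript\n"
CODEQL_YML = ('excluded_languages:\n  - name: typescript\n    reason: "Repository contains'
              ' only library code and no executable code"\n  - name: kotlin\n'
              '    reason: "Justification for why this language is excluded"\n')
```

Running `check_exclusions(WORKFLOW, CODEQL_YML)` on the samples reports three problems; an empty list means the two files are consistent.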

References

The CodeQL enablement pull request contains direct links to files in the PR that are referenced in this technical note. The following links in the PR are referenced here:

  • Edit CodeQL Analysis Workflow - links to the file codeql-analysis.yml
  • Add Excluded Languages List - links to the .github directory where the file codeql.yml should be added

Return to enable CodeQL using GitHub CI or using Jenkins CI to continue with the next step.