How to scan monorepos

Question

I operate a monorepo or have a need to split my scans into multiple workflows to scan individual subdirectories, how do I do that?

This is Step #7 for configuring CodeQL scans for GitHub CI. It is performed after the "update where scans run" step and before the "merge pull request" step.

Answer

Note: This step is optional and is only required for monorepos or if for some other reason you need to scan only a subset of the code in your repository or if you need to break out scans by directory into separate scans. Access to this functionality requires first opening a pull request to add your repository to the allowed list here. The OIS team will review your request and provide instructions for accessing the MONOREPO_ALLOWLIST_CREDENTIALS secret.

CodeQL scans can be configured to scan only a subset of the code in a repository. This is done with the path and config properties in the with section of the workflow file. If you are scanning a compiled language, the path property is the working directory from which your build commands will be run. If you are scanning an interpreted language, the config property is a YAML block containing a list of paths to scan (paths) or to ignore (paths-ignore). Note that the config property is used only for interpreted languages, and you do not have to provide both properties in the YAML block; either paths or paths-ignore on its own is valid.

Example

steps:
  - name: Run Code Scanning
    uses: department-of-veterans-affairs/codeql-tools/codeql-analysis@main
    with:
      allowlist_credentials: ${{ secrets.MONOREPO_ALLOWLIST_CREDENTIALS }}
      config: |
        paths:
          - src/platform
          - src/backend/**/application
        paths-ignore:
          - src/platform/v1
          - src/backend/**/application/v1
      language: ${{ matrix.language }}
      path: src
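To split scans by subdirectory, as the question asks, the same step can be fanned out with a matrix so that each directory is scanned and reported separately. This is an added example, not from the original page or the codeql-tools project; the directory names, language list, ignore patterns, and the checkout step are assumptions, while the action and its inputs are the ones shown above.

```yaml
# Added example (not from the original page): one job that fans out over
# subdirectories via a matrix, giving each subdirectory its own scan.
# Directory names, languages and ignore patterns are constructed placeholders.
name: CodeQL (monorepo, per-directory)

on:
  pull_request:
  push:
    branches: [main]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed to upload code scanning results
    strategy:
      fail-fast: false         # one subdirectory failing must not cancel the others
      matrix:
        language: [javascript, python]
        # constructed example directories; each entry becomes a separate scan
        dir: [services/api, services/web]
    steps:
      # assumption: the wrapper action does not check out the code itself
      - uses: actions/checkout@v4

      - name: Run Code Scanning (${{ matrix.dir }} / ${{ matrix.language }})
        uses: department-of-veterans-affairs/codeql-tools/codeql-analysis@main
        with:
          allowlist_credentials: ${{ secrets.MONOREPO_ALLOWLIST_CREDENTIALS }}
          language: ${{ matrix.language }}
          # compiled languages: working directory for the build commands
          path: ${{ matrix.dir }}
          # interpreted languages: limit the scan to this subdirectory and
          # skip dependency and generated code beneath it (constructed patterns)
          config: |
            paths:
              - ${{ matrix.dir }}
            paths-ignore:
              - ${{ matrix.dir }}/node_modules
              - ${{ matrix.dir }}/**/generated
```

Each matrix entry uploads its own results, so a finding in one subdirectory is attributed to that directory's scan rather than to a single repository-wide run.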

Return to enable CodeQL using GitHub CI to continue with the next step.