How to update when scans are run

Question

How do I configure when and how frequently CodeQL scans run on my repository?

This is Step #4 for configuring CodeQL scans for GitHub CI. This step is performed after the excluding languages that cannot be scanned step and before the updating the build process step.

Answer

By default, the CodeQL enablement pull request has enabled scans on three different automatic event types: whenever your default branch has code pushed to it, whenever a pull request is opened, and once weekly on a schedule. It also includes the workflow_dispatch trigger which allows you to manually trigger a scan.

An example default run frequency would look like:

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  schedule:
    - cron: '34 15 * * 5'
  workflow_dispatch:

The CodeQL enablement pull request automation has attempted to identify your repository's production branch. It has done this by using the default_branch field of your repository settings. For some repositories, the default branch may not be the production branch. If that is the case, update the codeql-analysis.yml workflow so that the pull_request and push fields point to your repository's production branch, and then commit those changes back to the pull request branch.

Once you have done this, pushes and pull requests to your production branch will trigger CodeQL scans.

For some repositories using compiled languages, CodeQL scans may take longer to complete than your test suites themselves. In this instance it may not make sense to execute CodeQL on pull requests; instead, you may wish to perform scans only on pushes to your production branch. To do so, update the codeql-analysis.yml workflow and remove the entire pull_request section of the on block. Once you have removed that block, commit the changes back to the pull request branch.

The scheduled trigger must be used. However, the timing of when the scheduled job is run may be changed. Note that scans must be run at least weekly.
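The resulting on block after applying the changes described above (production branch instead of the default branch, pull_request trigger removed, scheduled trigger retained) would look like the following. This is an added example, not the on block generated by the CodeQL enablement pull request; the branch name production and the cron expression are assumptions chosen for illustration, and you would substitute your own values.

```yaml
# Trigger block for codeql-analysis.yml after the edits in this step.
# Assumes the production branch is named "production" (placeholder).
on:
  push:
    branches:
      - production      # replaced the default branch with the production branch
  # The pull_request section has been removed entirely, so pull requests
  # no longer trigger a scan; only pushes to the production branch do.
  schedule:
    # Required: keep a scheduled run and keep it at least weekly.
    # This example runs every Monday at 03:15 UTC (constructed value).
    - cron: '15 3 * * 1'
  workflow_dispatch:    # still allows a manual scan from the Actions tab
```

If you keep pull request scanning, leave the pull_request section in place and change its branches entry to the same production branch name used under push, so that the two triggers stay consistent. The schedule entry must remain present whatever else you remove, and the cron expression must fire no less often than once a week.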

For more information on setting frequency of scans, see GitHub’s documentation on Events that trigger workflows.

References

The CodeQL enablement pull request contains direct links to files in the PR that are referenced in this technical note. The following links in the PR are referenced here:

  • Update Production Branch - links to the file codeql-analysis.yml
  • Remove Pull Request Trigger - links to the file codeql-analysis.yml

Return to enable CodeQL using GitHub CI to continue with the next step.