How to update where your scans are run

Question

My repository requires access to resources protected by the Veterans Affairs firewall (e.g., internal Nexus repositories). How can I configure which GitHub Actions runners the scans run on?

This is Step #6 for configuring CodeQL scans for GitHub CI. This step is performed after the updating build process step and before the scan subdirectories and split tests step.

Answer

Some repositories require access to resources protected by the Veterans Affairs firewall. If you require access to resources behind the firewall, you will need to run CodeQL scans on self-hosted GitHub runners or in your third-party build system, such as Jenkins. If your repository already uses self-hosted runners, whether on AWS, Azure, or somewhere else, you may direct the scan to those runners by updating the runs-on label in the codeql-analysis.yml file and committing that change back to the pull request branch.

jobs:
  analyze:
    name: Analyze
    # Default from the enablement PR: a GitHub-hosted runner that sits outside
    # the VA firewall. Replace this value with the label(s) of your self-hosted
    # runners if the build needs firewalled resources.
    runs-on: ubuntu-latest
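The same job with runs-on pointed at self-hosted runners, as an added example that is not part of the technical note or the enablement pull request. The labels linux and va-internal, the language java, and the action versions are assumptions; use the labels registered for your own runner group.

```yaml
# Added example: codeql-analysis.yml "analyze" job targeting self-hosted runners.
# A list value matches a runner that carries every listed label.
jobs:
  analyze:
    name: Analyze
    # "self-hosted" is the label GitHub assigns to every self-hosted runner;
    # "linux" and "va-internal" are assumed labels for this example.
    runs-on: [self-hosted, linux, va-internal]
    # Least privilege for the job token: CodeQL only needs to upload results.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: java   # assumed; set to the languages in your repository
      # Autobuild runs on the self-hosted runner, so Maven/Gradle can reach the
      # internal Nexus repositories that are blocked from GitHub-hosted runners.
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
```

Because the build step executes the pull request branch on your own infrastructure, limit the runner group to the repositories that need it and confirm the runner host is patched and monitored like any other build server.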

If the CodeQL enablement pull request fails to run successfully, your repository requires access to resources behind the firewall, and you use Jenkins as your repository build system, please refer to the Using CodeQL with Jenkins technical note.

References

The CodeQL enablement pull request contains direct links to files in the PR that are referenced in this technical note. The following links in the PR are referenced here:

  • Update runs-on Configuration - links to the codeql-analysis.yml file

Return to enable CodeQL using GitHub CI to continue with the next step.