{"meta":{"title":"CodeQL code scanning for compiled languages","intro":"Learn how CodeQL analyzes compiled languages, which build options are available, and how to customize the database generation process if you need to.","product":"Security and code quality","documentType":"article"},"body":"# CodeQL code scanning for compiled languages\n\nLearn how CodeQL analyzes compiled languages, which build options are available, and how to customize the database generation process if you need to.\n\n## Compare build modes\n\n| Build mode characteristic                                   | None                           | Autobuild                          | Manual          |\n| ----------------------------------------------------------- | ------------------------------ | ---------------------------------- | --------------- |\n| Used by default setup and for organization-level enablement | Yes (C/C++, C#, Java and Rust) | Yes, where `none` is not supported | No              |\n| Analysis succeeds without user configuration                | Yes                            | Variable                           | No              |\n| Completeness of analysis                                    | Generated code not analyzed    | Variable                           | User controlled |\n| Accuracy of analysis                                        | Good                           | Good                               | Best            |\n\n## Choose a build mode\n\nWhen you are setting up code scanning for the first time, or across multiple repositories, it's best to use default setup. 
Default setup uses the simplest method available to generate a CodeQL database and analyze your code, so that you can start fixing alerts as soon as possible. Once you have resolved the initial alerts, you may want to switch to advanced setup with a manual build process for high-risk repositories, where the more complete analysis of a real build is worth the configuration effort.\n\nFor language-specific `autobuild` behavior, runner requirements, and build-mode details for compiled languages, see [CodeQL build options and steps for compiled languages](/en/code-security/reference/code-scanning/codeql/codeql-build-options-and-steps-for-compiled-languages).\n\n## Use multiple build modes in a multi-language repository\n\nFor repositories with multiple compiled languages, you can use different build modes for different languages. For example, if your repository contains C/C++, C# and Java, you might want to provide manual build steps for one language (here C/C++). This workflow specifies a different build mode for each language and passes it to the CodeQL `init` step.\n\n```yaml\nstrategy:\n  matrix:\n    include:\n      # Analyzes C and C++ code using the commands in `Build C and C++ code`\n      - language: c-cpp\n        build-mode: manual\n      # Analyzes C# code by automatically detecting a build\n      - language: csharp\n        build-mode: autobuild\n      # Analyzes Java code directly from the codebase without a build\n      - language: java-kotlin\n        build-mode: none # analyzes Java only\nsteps:\n- name: Checkout repository\n  uses: actions/checkout@v6\n\n# Initializes CodeQL tools and creates a codebase for analysis.\n- name: Initialize CodeQL\n  uses: github/codeql-action/init@v4\n  with:\n    languages: ${{ matrix.language }}\n    # Pass the matrix value to CodeQL. Without this line the build mode\n    # chosen in the matrix only gates the build step below and is never applied.\n    build-mode: ${{ matrix.build-mode }}\n- if: ${{ matrix.build-mode == 'manual' }}\n  name: Build C and C++ code\n  run: |\n    echo 'If you are using a \"manual\" build mode for one or more of the' \\\n      'languages you are analyzing, replace this with the commands to build' \\\n      'your code, for example:'\n    echo ' make bootstrap'\n    echo ' make release'\n    exit 
1\n```\n\nFor information about the languages, libraries, and frameworks that are supported in the latest version of CodeQL, see [Supported languages and frameworks](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks) in the CodeQL documentation. For information about the system requirements for running the latest version of CodeQL, see [System requirements](https://codeql.github.com/docs/codeql-overview/system-requirements/#additional-software-requirements) in the CodeQL documentation.\n\n## Enable dependency caching for CodeQL\n\nFor default setup workflows, dependency caching is enabled only for GitHub-hosted runners in public and private repositories.\n\nFor advanced setup workflows, dependency caching is disabled by default. To enable dependency caching for CodeQL, use the `dependency-caching` setting for the CodeQL action in your advanced setup workflow. This setting accepts the following values:\n\n* `false`/`none`/`off`: Dependency caching is disabled (default)\n* `restore`: Only restore existing caches, do not store new caches\n* `store`: Only store new caches, do not restore existing caches\n* `true`/`full`/`on`: Restore existing caches, and store new caches\n\nFor example, the following settings would enable dependency caching for the CodeQL action:\n\n```yaml\n    # Initializes CodeQL with dependency caching enabled\n    - name: Initialize CodeQL\n      uses: github/codeql-action/init@v4\n      with:\n        languages: java\n        dependency-caching: true\n```\n\n## Use `none` build mode for CodeQL\n\nFor C/C++, C#, Java and Rust, CodeQL creates a database without requiring a build when you enable default setup for code scanning unless the repository also includes Kotlin code. 
If a repository contains Kotlin code in addition to Java code, default setup is enabled with the autobuild process because Kotlin analysis requires a build.\n\nCreating a CodeQL database without a build may produce less accurate results than using `autobuild` or manual build steps if:\n\n* The build scripts cannot be queried for dependency information, and dependency guesses are inaccurate.\n* The repository normally generates code during the build process.\n\nTo use `autobuild` or manual build steps, you can use advanced setup.\n\n> \\[!NOTE] For Java analysis, if `build-mode` is set to `none` and Kotlin code is found in the repository, the Kotlin code will not be analyzed and a warning will be produced. See [CodeQL build options and steps for compiled languages](/en/code-security/reference/code-scanning/codeql/codeql-build-options-and-steps-for-compiled-languages#building-java-and-kotlin).\n\n## Use `autobuild` for CodeQL\n\nThe CodeQL action uses `autobuild` to analyze compiled languages in the following cases.\n\n* Default setup is enabled and the language does not support `none` build (supported for C/C++, C#, Java and Rust).\n* Advanced setup is enabled and the workflow specifies `build-mode: autobuild`.\n* Advanced setup is enabled and the workflow has an Autobuild step for the language using the `autobuild` action (`github/codeql-action/autobuild@v4`).\n\n### Use the `build-mode` option\n\n```yaml\n# Initializes the CodeQL tools for scanning.\nname: Analyze\nstrategy:\n  matrix:\n    include:\n      # Analyze C and C++ code\n      - language: c-cpp\n        build-mode: autobuild\n      # Analyze Go code\n      - language: go\n        build-mode: autobuild\n\nsteps:\n  - uses: github/codeql-action/init@v4\n    with:\n      languages: ${{ matrix.language }}\n      build-mode: ${{ matrix.build-mode }}\n```\n\n### Use the Autobuild step\n\n```yaml\n    # Initializes the CodeQL tools for scanning.\n    - name: Initialize CodeQL\n      uses: 
github/codeql-action/init@v4\n      with:\n        languages: ${{ matrix.language }}\n\n    - name: Autobuild\n      uses: github/codeql-action/autobuild@v4\n```\n\n## Specify build steps manually\n\nYou can only specify manual build steps if you have enabled advanced setup. See [Configuring advanced setup for code scanning](/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-a-repository).\n\nIf `autobuild` fails, or you want to analyze a different set of source files from those built by the `autobuild` process, you'll need to do the following:\n\n* If your workflow specifies a build mode for the language, change the build mode to `manual`.\n* If your workflow contains an `autobuild` step, remove or comment out the `autobuild` step in the workflow.\n\nThen uncomment the `run` step and manually specify the build process to use. For C/C++, C#, Go, Java, Kotlin, and Swift, CodeQL analyzes only the source code that your specified build steps actually compile; files the build skips are not included in the database.\n\nUpdate your workflow to define the `build-mode` as `manual`.\n\n```yaml\n# Initializes the CodeQL tools for scanning.\n- name: Initialize CodeQL\n  uses: github/codeql-action/init@v4\n  with:\n    languages: ${{ matrix.language }}\n    build-mode: manual\n\n# Your build commands go here, in a `run` step between init and analyze,\n# so that CodeQL observes the compilation.\n\n- name: Perform CodeQL Analysis\n  uses: github/codeql-action/analyze@v4\n  with:\n    category: \"/language:${{ matrix.language }}\"\n```\n\nAlternatively, update your workflow to comment out the \"Autobuild\" step.\n\n```yaml\n    # Autobuild attempts to build any compiled languages.\n    # - name: Autobuild\n    #  uses: github/codeql-action/autobuild@v4\n```\n\n### Add build commands\n\nWhen manual building is enabled, uncomment the `run` step in the workflow and add build commands that are suitable for your repository. The `run` step runs command-line programs using the operating system's shell. 
You can modify these commands and add more commands to customize the build process.\n\n```yaml\n- run: |\n    make bootstrap\n    make release\n```\n\nFor more information about the `run` keyword, see [Workflow syntax for GitHub Actions](/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun).\n\nIf you added manual build steps for compiled languages and code scanning is still not working on your repository, contact us through the [GitHub Support portal](https://support.github.com)."}
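Putting the manual-build steps above together, here is a complete advanced-setup workflow for a C/C++ repository that uses `build-mode: manual`. It is an added example, not a workflow from the original page or a GitHub template: the branch names, the schedule and the `make bootstrap` / `make release` targets are assumptions (the targets are borrowed from the placeholder text in the template above) and should be replaced with your repository's own build commands.

```yaml
# Added example (not from the original page): a complete advanced-setup
# workflow for a C/C++ repository analyzed with build-mode: manual.
# Assumptions, marked as such: the default branch is "main" and the
# repository builds with `make bootstrap` and `make release`.
name: "CodeQL (manual build)"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    # Weekly run so that newly released queries are applied to unchanged code.
    - cron: "23 4 * * 1"

jobs:
  analyze:
    name: Analyze C/C++
    runs-on: ubuntu-latest
    timeout-minutes: 120
    # Least privilege: the job only needs to read the repository and upload
    # SARIF results. Every other scope stays at its default of no access.
    permissions:
      contents: read
      security-events: write
      # actions: read   # only required for workflows in private repositories

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: c-cpp
          build-mode: manual

      # With build-mode: manual, init has set up CodeQL to observe the build.
      # Only compiler invocations that run after this point, in this same
      # job, are recorded; source files that are not compiled here never
      # enter the database. Build everything, from a clean tree.
      - name: Build C and C++ code
        run: |
          make bootstrap
          make release

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:c-cpp"
```

The order of the steps matters: the build must run after `init` and before `analyze`, in the same job. Restoring a cache of already-compiled objects, or building in a separate job, leaves those files out of the database and silently shrinks the analysis. Keep `permissions` at the minimum shown so that the workflow token issued to the build step grants no more than reading the repository and uploading results.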