Skip to main content
Last updated: 25 Apr 2025

CodeQL

CodeQL is a Static Application Security Testing (SAST) tool which checks for vulnerability signatures in a repository’s codebase. It’s configured as a reusable workflow and should be included as a job in the CI pipeline of all GOV.UK repositories. The reusable workflow enables enhancements to the scanning process to be managed centrally.

Add CodeQL to a project

To use the CodeQL reusable workflow, add the following job to the jobs section of your CI workflow:

codeql-sast:
  name: CodeQL SAST scan
  uses: alphagov/govuk-infrastructure/.github/workflows/codeql-analysis.yml@main
  permissions:
    security-events: write

Where to find Security Alerts

To find the security alerts for a repo, go to the Security tab of the repo and select the Code Scanning option in the Vulnerability Alerts sub menu. This is where all alerts can be found.

Additionally, when a PR is created, CodeQL scans the diff to identify vulnerabilities in the new code. These PR specific alerts can be found on the Checks tab of the PR: select “Code scanning results” and then “CodeQL”.

Dealing with Security Alerts

See this guidance on security alerts.

Troubleshooting

CodeQL scans may fail because they cannot find source code for a specified language, despite detecting other languages:

Extracting javascript
Extracting ruby
Finalizing javascript
Finalizing ruby
  /opt/hostedtoolcache/CodeQL/2.17.1/x64/codeql/codeql database finalize --finalize-dataset --threads=4 --ram=14567 /home/runner/work/_temp/codeql_databases/ruby
  CodeQL detected code written in JavaScript/TypeScript, but not any written in Ruby. Confirm that there is some source code for Ruby in the project. For more information, review our troubleshooting guide at https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build .
  Error: Encountered a fatal error while running "/opt/hostedtoolcache/CodeQL/2.17.1/x64/codeql/codeql database finalize --finalize-dataset --threads=4 --ram=14567 /home/runner/work/_temp/codeql_databases/ruby". Exit code was 32 and last log line was: CodeQL detected code written in JavaScript/TypeScript, but not any written in Ruby. Confirm that there is some source code for Ruby in the project. For more information, review our troubleshooting guide at https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build . See the logs for more details.

There currently is no solution to this problem. Removing all code in the problematic language might resolve the issue, but this is not a viable solution for most projects.