CodeQL, the static analysis engine that powers GitHub code scanning, can now analyze C# projects without needing a build. This public beta capability enables organizations to more easily roll out CodeQL at scale. Previously, CodeQL required a working build to analyze C# projects. By removing that requirement, our large-scale testing has shown that CodeQL can be successfully enabled for over 90% of C# repos without manual intervention.
This new way of analyzing C# codebases is now enabled by default for all code scanning users on GitHub.com. CodeQL CLI users can enable this feature using the build-mode: none
flag, starting with version 2.17.6
.
Repositories with an existing code scanning setup, default or advanced, will not experience any changes. If code scanning is working for you today it will continue to work as-is, and there is no need to change your configuration.
- Repositories using code scanning default setup will automatically benefit from this new analysis approach.
- Repositories using advanced setup for code scanning via workflow files will have the option to choose a
build-mode
. The default value for newly configured C# repositories will bebuild-mode: none
. - CodeQL CLI users will not experience any change in the default behaviour, for compatibility with existing workflows. Users that want to enable this feature can now use the
--build-mode none
option. Generally, you should set the--build-mode
option when using the CLI to make it easier to debug and persist the configuration should default behaviour change at any point in the future.
The new mechanism for scanning C# is available on GitHub.com and will be available with CodeQL CLI 2.17.6
. While in public beta, this feature will not be available on GitHub Enterprise Server for default setup or advanced setup for code scanning. As we continue to work on scanning C# projects without the need for working builds, send us your feedback.