Are successful builds (for compiled languages like Java) a pre requisite for code scanning (GHAS) ? #67855
Code scanning performs autobuilds before CodeQL analysis.
Replies: 1 comment
CodeQL intercepts the compiler calls (e.g. javac) to figure out which files are part of the project, and their dependencies (jar files). This provides CodeQL with the most accurate picture of which source files belong together and the libraries on which they depend.

Not yet, but this is a feature we are working on for Java. This "buildless" mode is likely to work as well as the compiled mode for many projects. However, the "compiled" mode is sometimes better because it has access to the exact dependencies and can also analyse code that is generated by the build process.

No, CodeQL does not use the built artifact, so this would not work. Having completed the build already may even cause problems, because many build tools will skip compilation steps if the build artifacts are already present. As a result CodeQL won't see any source code, because there are no compiler calls.
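A concrete way to apply the reply's point in a GitHub Actions workflow, added here as an example that is not part of the discussion (the Maven project layout, Java version and Maven goals are assumptions):

```yaml
# Added example, not from the discussion: CodeQL for a Maven project.
# Java version and Maven goals are assumptions.
name: CodeQL (Java)
on: [push, pull_request]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'

      # WRONG ORDER (left commented out on purpose): building here, before
      # codeql-action/init, runs javac without CodeQL's tracer attached. When
      # the build step below runs again, Maven sees up-to-date class files,
      # skips compilation, and CodeQL observes no compiler calls, so no source
      # is extracted.
      #
      # - run: mvn -B package

      # init must come BEFORE the build so compiler invocations are intercepted.
      - uses: github/codeql-action/init@v3
        with:
          languages: java-kotlin

      # 'clean' forces a full recompile even if stale artifacts are present
      # (e.g. a restored target/ directory), so every javac call is seen.
      - run: mvn -B clean package -DskipTests

      - uses: github/codeql-action/analyze@v3
```

If the analysis log reports that no source files were extracted, check that no build ran earlier in the job and that no cached build output made the compiler step a no-op.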