{"meta":{"title":"Running CodeQL code scanning in a container","intro":"You can run code scanning in a container by ensuring that all processes run in the same container.","product":"Security and code quality","breadcrumbs":[{"href":"/en/code-security","title":"Security and code quality"},{"href":"/en/code-security/tutorials","title":"Tutorials"},{"href":"/en/code-security/tutorials/customize-code-scanning","title":"Customize code scanning"},{"href":"/en/code-security/tutorials/customize-code-scanning/running-codeql-code-scanning-in-a-container","title":"Code scanning in a container"}],"documentType":"article"},"body":"# Running CodeQL code scanning in a container\n\nYou can run code scanning in a container by ensuring that all processes run in the same container.\n\n## About code scanning with a containerized build\n\nIf you're configuring code scanning for a compiled language, and you're building the code in a containerized environment, the analysis may fail with the error message \"No source code was seen during the build.\" This indicates that CodeQL was unable to monitor your code as it was compiled: for compiled languages, CodeQL builds its database by tracing the compiler invocations that the build launches, so the tracer and the build must share the same container and process tree.\n\nYou must run CodeQL inside the container in which you build your code. This applies whether you are using the CodeQL CLI or GitHub Actions. For the CodeQL CLI, see [Using code scanning with your existing CI system](/en/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system) for more information. If you're using GitHub Actions, configure your workflow to run all the actions in the same container. For more information, see [Example workflow](#example-workflow).\n\n> [!NOTE]\n> The CodeQL CLI is currently not compatible with non-glibc Linux distributions such as (musl-based) Alpine Linux. Use a glibc-based image (for example, one derived from Debian or Ubuntu) for the build container.\n\n## Dependencies for CodeQL code scanning\n\nYou may have difficulty running code scanning if the container you're using is missing certain dependencies (for example, Git must be installed and added to the PATH variable). 
If you encounter dependency issues, review the list of software typically included on GitHub's runner images. For more information, see the version-specific `readme` files in these locations:\n\n* Linux: <https://github.com/actions/runner-images/tree/main/images/ubuntu>\n* macOS: <https://github.com/actions/runner-images/tree/main/images/macos>\n* Windows: <https://github.com/actions/runner-images/tree/main/images/windows>\n\n## Example workflow\n\nThis sample workflow uses GitHub Actions to run CodeQL analysis in a containerized environment. The value of `container.image` identifies the container to use. In this example the image is named `codeql-container`, with a tag of `f0f91db`. Because the job sets `permissions` explicitly, every scope not listed is reduced to `none`, so the `contents: read` scope is included for `actions/checkout`. For more information, see [Workflow syntax for GitHub Actions](/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontainer).\n\n```yaml\nname: \"CodeQL\"\n\non:\n  push:\n    branches: [main]\n  pull_request:\n    branches: [main]\n  schedule:\n    - cron: '15 5 * * 3'\n\njobs:\n  analyze:\n    name: Analyze\n    runs-on: ubuntu-latest\n    # Listing permissions explicitly drops every unlisted scope to none,\n    # so contents: read is needed for the checkout step\n    permissions:\n      contents: read\n      security-events: write\n      actions: read\n\n    strategy:\n      fail-fast: false\n      matrix:\n        language: [java-kotlin]\n\n    # Specify the container in which actions will run\n    container:\n      image: codeql-container:f0f91db\n\n    steps:\n      - name: Checkout repository\n        uses: actions/checkout@v6\n      - name: Initialize CodeQL\n        uses: github/codeql-action/init@v4\n        with:\n          languages: ${{ matrix.language }}\n      # The build runs in the same container as init and analyze, so the\n      # CodeQL tracer set up by init can observe the compiler invocations\n      - name: Build\n        run: |\n          ./configure\n          make\n      - name: Perform CodeQL Analysis\n        uses: github/codeql-action/analyze@v4\n```"}
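The "Dependencies" section and the glibc note above describe two conditions a build container must meet before CodeQL will work in it: Git on PATH, and a glibc-based (not musl/Alpine) distribution. The following preflight script is an added example, not code from the GitHub documentation or from the CodeQL project; it can be dropped into the build container as a `run:` step ahead of "Initialize CodeQL", or run before `codeql database create` when using the CLI route. The function names and the musl markers it looks for (`/etc/alpine-release`, a `/lib/ld-musl-*.so.1` loader) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the GitHub docs or the CodeQL project): preflight
# checks to run inside the build container before CodeQL. Function names and
# the musl markers below are assumptions made for this example.

# tool_on_path NAME PATHLIST: succeed if an executable file NAME exists in any
# directory of the colon-separated PATHLIST. Taking the list as an argument lets
# you check the PATH the container will really use, not the host's. The body is
# a subshell so changing IFS does not leak to the caller.
tool_on_path() (
  tool="$1"
  IFS=':'
  for dir in $2; do
    [ -n "$dir" ] && [ -f "$dir/$tool" ] && [ -x "$dir/$tool" ] && exit 0
  done
  exit 1
)

# is_musl_root ROOT: succeed if the filesystem rooted at ROOT carries the
# markers of a musl-based distribution (assumed markers: Alpine's release file
# or a musl dynamic loader in lib/). ROOT is a parameter so the check can be
# pointed at an exported image filesystem as well as at "/".
is_musl_root() (
  root="${1:-/}"
  [ -f "$root/etc/alpine-release" ] && exit 0
  for loader in "$root"/lib/ld-musl-*.so.1; do
    [ -e "$loader" ] && exit 0
  done
  exit 1
)

# codeql_preflight [PATHLIST] [ROOT]: run both checks, report each result, and
# return non-zero if any check fails. Defaults to the current PATH and the real
# root, which is what you want when running inside the container itself.
codeql_preflight() {
  pf_path="${1:-$PATH}"
  pf_root="${2:-/}"
  pf_failures=0

  if tool_on_path git "$pf_path"; then
    echo "ok:   git is on PATH"
  else
    echo "FAIL: git is not on PATH; install it in the image or extend PATH" >&2
    pf_failures=$((pf_failures + 1))
  fi

  if is_musl_root "$pf_root"; then
    echo "FAIL: musl-based image detected (e.g. Alpine); the CodeQL CLI needs glibc" >&2
    pf_failures=$((pf_failures + 1))
  else
    echo "ok:   no musl markers found (glibc-based image assumed)"
  fi

  [ "$pf_failures" -eq 0 ]
}

# Run the checks only when invoked directly with `check`, for example:
#   sh codeql-preflight.sh check
# Sourcing the file just defines the functions.
if [ "${1:-}" = "check" ]; then
  codeql_preflight
fi
```

A failing preflight stops the job before the expensive build and before CodeQL reports the misleading "No source code was seen during the build" error; the absence of musl markers is only evidence, not proof, that the image is glibc-based, so the second message is phrased as an assumption.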