CodeQL, the static analysis engine that powers GitHub code scanning, can now analyze C/C++ projects without needing a build. This capability is in public preview and makes it easier for organizations to roll out CodeQL at scale. Previously, CodeQL required a working build to analyze C/C++ projects. With that requirement removed, our large-scale testing has shown that CodeQL can be enabled successfully for over 70% of C/C++ repositories without manual intervention.
This new way of analyzing C/C++ codebases is now the default for new code scanning setups on github.com. CodeQL CLI users can enable it starting with version 2.21.4 by passing the --build-mode none flag.

Repositories with an existing code scanning setup (e.g., default setup or advanced setup) will not experience any changes.

For new code scanning setups:

  • Repositories setting up code scanning through default setup and security configurations will automatically benefit from this new analysis approach.
  • Repositories using advanced setup for code scanning via workflow files will have the option to choose a build-mode. The default value for newly configured C/C++ repositories will be build-mode: none.

CodeQL CLI users who want to enable this feature can now use the --build-mode none flag. For compatibility with existing workflows, the tool continues to default to autobuild when no --build-mode flag is given, so scripts that do not pass the flag keep their current behavior.
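As an added example (not code from the post or from GitHub), the script below covers both setup paths described above: it writes an advanced-setup workflow for C/C++ that pins build-mode: none on the codeql-action init step, and, when the CodeQL CLI is on PATH, runs the equivalent analysis locally with --build-mode none, falling back to autobuild on CLI versions older than 2.21.4 so the flag is never passed to a CLI that does not understand it. The workflow path, branch names, database name, SARIF output file and the version-check helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not GitHub's code. Bootstraps build-free C/C++ scanning:
#   1. writes an advanced-setup workflow that pins build-mode: none;
#   2. runs the same analysis locally with the CodeQL CLI, if installed.
# Assumed for illustration: workflow path, branch names, database name,
# output file and the version threshold check.
set -eu

WORKFLOW_PATH="${WORKFLOW_PATH:-.github/workflows/codeql.yml}"
MIN_CLI_VERSION="2.21.4"   # first CLI release with --build-mode none for C/C++

# Write the workflow. The matrix carries build-mode per language so another
# language can later be added with a different mode without touching steps.
write_workflow() {
  path="$1"
  mkdir -p "$(dirname "$path")"
  cat > "$path" <<'EOF'
name: "CodeQL"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

permissions:
  contents: read
  security-events: write   # required to upload SARIF results

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: c-cpp
            build-mode: none   # no compiler invocation is traced
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
EOF
}

# Return 0 when dotted numeric version $1 is >= version $2.
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# Pick the CLI build mode: "none" where the CLI supports it, otherwise the
# pre-2.21.4 default of autobuild.
choose_build_mode() {
  if version_ge "$1" "$MIN_CLI_VERSION"; then echo none; else echo autobuild; fi
}

# Local equivalent of the workflow, using the CodeQL CLI on PATH.
local_scan() {
  ver="$(codeql version --format=terse)"
  mode="$(choose_build_mode "$ver")"
  echo "codeql $ver: creating database with --build-mode $mode"
  codeql database create cpp-db --language=cpp --source-root=. \
    --build-mode="$mode" --overwrite
  codeql database analyze cpp-db --format=sarif-latest --output=results.sarif
}

main() {
  write_workflow "$WORKFLOW_PATH"
  echo "wrote $WORKFLOW_PATH"
  if command -v codeql >/dev/null 2>&1; then
    local_scan
  else
    echo "codeql CLI not on PATH; skipped local scan"
  fi
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh codeql-bootstrap.sh run` from the repository root; without the `run` argument it only defines the functions. The version check is what keeps the script safe on hosts with an older CLI: it selects autobuild there instead of failing on an unrecognized flag, which mirrors the CLI's own default when --build-mode is omitted.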

The new mechanism for scanning C/C++ is available on github.com and will be available with CodeQL CLI 2.21.4. While in public preview, this feature will not be available on GitHub Enterprise Server for default setup or advanced setup for code scanning. As we continue to work on scanning C/C++ projects without the need for working builds, send us your feedback.