Cannot see results or health status of the tool on Security tab

[omar-gft]

Select Topic Area

Question

Body

Hi All,

So I am working on a private repo (that has GitHub Advanced Security Enterprise) for CodeQL. This repos structure is a monorepo, it represents our backend microservices - every directory in the repo is its own microservice and they are all independent of each other.

The CI workflow that is triggered on every PR raised to our main branch runs the following steps (we integrated our codeql steps into our existing CI workflow)

1. Checkout code
2. Initial CodeQL
   ` # Add the CodeQL init step right after the checkout
   • name: Initialize CodeQL
     uses: github/codeql-action/init@v2
     with:
     languages: 'java' `
3. Path filter, checks which directories were changed in the PR, and sets the folder name as WORKDIR GITHUB ENV variable to be used later on (will show code of the steps it is used on)
4. Multiple folder change check, makes sure only 1 folder was changed since we cannot have multiple folders (i.e. more than one backend microservice) changed at the same time. This step would fail the workflow if it detected multiple directory changes.
5. Setup JDK 17
6. Build with Gradle
   `# Build with Gradle
   • name: Build with Gradle
     run: |
     cd ${{env.WORKDIR}}
     chmod +x ./gradlew
     ./gradlew clean build
     mkdir staging && cp build/libs/*.jar staging
     `
7. Upload Artifacts
8. CodeQL analysis step
   `# Add the CodeQL analysis step after the build
   • name: Perform CodeQL Analysis
     uses: github/codeql-action/analyze@v2
     with:
     category: "/language:java"`

the issue here is that the workflows has been running fine (codeql steps passing) as our developers have been merging PR's to our main branch etc. however, my issue is that when we come to view the code scanning alerts page within the repos security tab i see the following.

I see Configured tools are not scanning the default branch.

indicating something has not been setup correctly, yet when i go to the settings of the repo and see codeql is setup and it is able to state the most recent scan that took place. We do not have any code alerts, however, our other repos with the same setup (they are not monorepos however) are able to display the message that "All tools are working as expected" including some stats for how many lines of code have been extracted and scanned.

Please advise, thanks (:

[jketema]

This is the expected behaviour. The tool status page will only show data for the default branch and not for pull requests. Generally, people not only trigger scans on pull requests, but also on the default branch when something is pushed to it.

[omar-gft]

So a push to the branch or when we create our own branch and propose a change to the codebase via a PR that is raised to be merged into our default branch i.e. develop branch it also runs.

[omar-gft]

What is odd though in another repo we have we have the CodeQL scan triggered in our CI workflow via when a PR to our default branch is triggered and we are seeing the results in the respective security tab.

[jketema]

Ok, in that case this is possibly a bug and we probably need to see more details that you likely don't want to share here. The best way forward would be to go through the official support channels for GHAS for enterprise customers.

[omar-gft]

i see any other suggestions - i have already raised a support ticket still awaiting a proper response from them.

[jketema]

Note that there can be some delay in getting a response from support depending on the time zone in which the support engineer is located.