In the code scanning alerts, there is a filter to only show alerts in application code. What exactly does this mean? Is there a way to configure what is considered to be application code in CodeQL vs test code?
Hi there, thanks for your question. I’m one of the engineers on Code Scanning at GitHub.
“Application code” in this case means code that is not:
- third-party (vendor) code
- code generated by the build process
At present, there’s no way to configure what code is marked as not application code, I’m afraid.
Performing additional processing on the SARIF output from the scanning tool may be a possible workaround here, but I’m not familiar with the details of this option so would need to pull in someone else if it’s an area you’d like to explore further.
Hope this is helpful. Thanks.
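One way to do the SARIF post-processing mentioned above, as an added example that is not part of the original thread and not GitHub's own tooling: a small Python script that removes results whose every location falls under test paths, so that findings in test code never reach the upload step. The test-path glob patterns and the inline sample SARIF document are constructed assumptions; adjust the patterns to your repository layout. It works on the SARIF 2.1.0 structure CodeQL emits (runs[].results[].locations[].physicalLocation.artifactLocation.uri), and does not depend on paths-ignore, so it applies to compiled languages such as C as well.

```python
import fnmatch
import json
import sys

# Assumed layout: test code lives under test/ or tests/ directories, or in *_test.c files.
TEST_PATH_PATTERNS = ("test/*", "tests/*", "*/test/*", "*/tests/*", "*_test.c", "*_test.cc")


def is_test_path(uri, patterns=TEST_PATH_PATTERNS):
    """True if a SARIF artifact URI (relative to %SRCROOT%) matches a test-code pattern."""
    path = uri.replace("\\", "/").lstrip("./")
    return any(fnmatch.fnmatch(path, pattern) for pattern in patterns)


def result_locations(result):
    """Yield the artifact URI of every primary location attached to one result."""
    for loc in result.get("locations", []):
        uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
        if uri:
            yield uri


def filter_sarif(sarif, patterns=TEST_PATH_PATTERNS):
    """Return (filtered_copy, dropped_count).

    A result is dropped only when it has at least one location and all of its
    locations are in test code; results with no location are kept so that nothing
    is silently lost.
    """
    out = json.loads(json.dumps(sarif))  # deep copy, leaves the input untouched
    dropped = 0
    for run in out.get("runs", []):
        kept = []
        for result in run.get("results", []):
            uris = list(result_locations(result))
            if uris and all(is_test_path(u, patterns) for u in uris):
                dropped += 1
            else:
                kept.append(result)
        run["results"] = kept
    return out, dropped


# Constructed sample: one finding in application code, one in a test file.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            {
                "ruleId": "cpp/example-rule",
                "message": {"text": "example finding in application code"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "src/parser.c", "uriBaseId": "%SRCROOT%"},
                    "region": {"startLine": 42}}}],
            },
            {
                "ruleId": "cpp/example-rule",
                "message": {"text": "example finding in test code"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "tests/parser_test.c", "uriBaseId": "%SRCROOT%"},
                    "region": {"startLine": 7}}}],
            },
        ],
    }],
}


if __name__ == "__main__":
    # Usage: python filter_sarif.py results.sarif filtered.sarif
    # With no arguments the constructed sample is filtered and printed.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
        filtered, n = filter_sarif(doc)
        with open(sys.argv[2], "w", encoding="utf-8") as fh:
            json.dump(filtered, fh, indent=2)
    else:
        filtered, n = filter_sarif(SAMPLE_SARIF)
        print(json.dumps(filtered, indent=2))
    print(f"dropped {n} result(s) located in test code", file=sys.stderr)
```

Run it between the analysis step and the upload step, pointing the upload at the filtered file. The filter deliberately keeps any result that has at least one location outside the test patterns, so a finding whose sink is in application code is not hidden just because part of its path runs through a test helper.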
I would be interested in the workaround option if possible.
I am specifically looking for a workaround to ignore or filter test code from application code in CodeQL. I know that paths-ignore does not work for C code and I cannot use the command rm.
I don’t think there is a simple solution here.
The easiest from my perspective would be to not build the test code when you build your CodeQL database.
The database will only contain the source code that is compiled while you build the database, so if you have a make-target that doesn’t build your test sources, they’ll not make it into the database, either.