Looking for best practices on setting up CodeQL analysis with submodules. Currently we are running the analysis from the top repo, but for any alerts in the submodules it reports “Preview unavailable”, “Sorry, we couldn’t find this file in the repository.”
Is there a way to tell CodeQL to look in the submodule repo?
Also, we’d really like to run the analysis on submodule pull requests. Is there a preferred method? My thought is to check out the top repo recursively, then check out the pull request reference and run the analysis, and hopefully the report will then actually show the code with the alert? Any better way to tell CodeQL we really only care about alerts from the specific submodule?
EDIT - I did just find the configuration capability to specify directories… so one part solved