Fixed code scanning alerts still show up as open


I’ve been reading through the code scanning docs, and after configuring it for my repo it flagged some issues, which was great. Then I did some pushes to fix some of the issues and they got marked as “Fixed”. However, they still show up under the “is:open” filter and they count towards the total number of security issues on the “Security” tab of the repo.

On the Fixing an alert doc it says:

“If you have write permission for a repository, you can view fixed alerts by viewing the summary of alerts and clicking Closed. […] The “Closed” list shows fixed alerts and alerts that users have closed.”

This is happening to me on this public repo of mine. The filter is:open "Useless assignment to local variable" on code scanning shows what I mean: it returns 3 fixed alerts.

Am I missing something obvious? Shouldn’t the fixed alerts be in the closed state?

After talking with GitHub support this was the solution I was given that worked for me:

Hello Eduardo,

I heard back from engineering and the reason the alerts are open is that they are open in a previous, stale configuration that is no longer updated. This happened when the analysis file was renamed, which left the analyses under the old name stale.

This can be detected through the API by using the list analyses request (Code scanning - GitHub Docs). In that response you can see multiple analyses that have “deletable”: true and different values in the category field.

To fix it you should delete all the stale configurations using the delete API (Code scanning - GitHub Docs). Note that if a particular configuration has had several deliveries, then older analyses become deletable when the most recent one is deleted (the delete works as an undo operation), and they also need to be deleted.

This problem happened to me because I had run an initial CodeQL scan and then renamed the CodeQL workflow file.

Hope this helps others.
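The support reply above describes a manual procedure: list the analyses, spot the set that belongs to the old workflow name, delete its newest (deletable) analysis, and keep following the chain until the set is gone. Below is an added Python example of that procedure; it is not code from the original post and not GitHub's own tooling. It assumes the analyses are grouped into sets by ref, analysis_key (the workflow path plus job name, which is what changes when the workflow file is renamed) and category, that only the newest member of a set has deletable: true, and that each DELETE response carries next_analysis_url / confirm_delete_url pointing at the analysis that just became deletable, with confirm_delete=true required to delete the last one in a set. SAMPLE_ANALYSES is a constructed, trimmed stand-in for the list endpoint's response so the example runs offline; github_delete is the only part that talks to api.github.com.

```python
"""Find and delete stale code scanning analysis sets left behind by a renamed
CodeQL workflow. Added example: not from the original post and not GitHub code."""
import json
import urllib.request
from collections import defaultdict

API = "https://api.github.com"

# Constructed sample of GET /repos/{owner}/{repo}/code-scanning/analyses, trimmed
# to the fields used here. The renamed workflow (codeql.yml) is live; the old
# name (codeql-analysis.yml) no longer receives uploads, so its alerts stay open.
# Ids and timestamps are made up.
SAMPLE_ANALYSES = [
    {"id": 201, "ref": "refs/heads/main", "analysis_key": ".github/workflows/codeql.yml:analyze",
     "category": "/language:python", "created_at": "2023-03-02T10:00:00Z", "deletable": True},
    {"id": 200, "ref": "refs/heads/main", "analysis_key": ".github/workflows/codeql.yml:analyze",
     "category": "/language:python", "created_at": "2023-03-01T10:00:00Z", "deletable": False},
    {"id": 102, "ref": "refs/heads/main", "analysis_key": ".github/workflows/codeql-analysis.yml:analyze",
     "category": "/language:python", "created_at": "2023-02-10T10:00:00Z", "deletable": True},
    {"id": 101, "ref": "refs/heads/main", "analysis_key": ".github/workflows/codeql-analysis.yml:analyze",
     "category": "/language:python", "created_at": "2023-02-09T10:00:00Z", "deletable": False},
    {"id": 100, "ref": "refs/heads/main", "analysis_key": ".github/workflows/codeql-analysis.yml:analyze",
     "category": "/language:python", "created_at": "2023-02-08T10:00:00Z", "deletable": False},
]


def group_into_sets(analyses):
    """One set per (ref, analysis_key, category), members newest first.
    Only the newest member of a set carries deletable: true."""
    sets = defaultdict(list)
    for a in analyses:
        sets[(a["ref"], a["analysis_key"], a["category"])].append(a)
    return {k: sorted(v, key=lambda a: a["created_at"], reverse=True) for k, v in sets.items()}


def find_stale_sets(analyses, live_analysis_keys):
    """Sets whose analysis_key (workflow path + job) no current workflow produces."""
    return {k: v for k, v in group_into_sets(analyses).items() if k[1] not in live_analysis_keys}


def analysis_id(url):
    """Pull the numeric analysis id out of an analyses URL (query string ignored)."""
    return int(url.rsplit("/analyses/", 1)[1].split("?", 1)[0])


def delete_set(head_url, delete_fn):
    """Delete a whole set newest-to-oldest. Each DELETE answers with the URL of the
    analysis that just became deletable; follow it until the API returns null.
    confirm_delete=true is needed because deleting the last analysis of a set
    is otherwise refused with HTTP 400."""
    deleted, url = [], head_url
    while url:
        resp = delete_fn(url)
        deleted.append(analysis_id(url))
        url = resp.get("confirm_delete_url") or resp.get("next_analysis_url")
    return deleted


def purge_stale(owner, repo, analyses, live_analysis_keys, delete_fn):
    """Delete every stale set; returns {set_key: [deleted ids, newest first]}."""
    deleted = {}
    for key, members in find_stale_sets(analyses, live_analysis_keys).items():
        head = members[0]
        if not head["deletable"]:
            raise RuntimeError(f"newest analysis {head['id']} of {key} is not deletable")
        url = f"{API}/repos/{owner}/{repo}/code-scanning/analyses/{head['id']}?confirm_delete=true"
        deleted[key] = delete_set(url, delete_fn)
    return deleted


def github_delete(token):
    """Real DELETE against api.github.com (token needs the security_events scope)."""
    def delete(url):
        req = urllib.request.Request(url, method="DELETE", headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28"})
        with urllib.request.urlopen(req) as r:
            return json.load(r)
    return delete


def make_fake_api(owner, repo, members):
    """Offline stand-in for DELETE that mimics the chain: only the newest remaining
    analysis may be deleted, and the response points at the next one."""
    ids = [a["id"] for a in members]
    def delete(url):
        if not ids or analysis_id(url) != ids[0]:
            raise ValueError("only the newest remaining analysis of a set is deletable")
        ids.pop(0)
        nxt = f"{API}/repos/{owner}/{repo}/code-scanning/analyses/{ids[0]}" if ids else None
        return {"next_analysis_url": nxt,
                "confirm_delete_url": nxt + "?confirm_delete=true" if nxt else None}
    return delete


def run_offline_demo():
    """Purge the one stale set in SAMPLE_ANALYSES against the fake API."""
    live = {".github/workflows/codeql.yml:analyze"}
    (_, members), = find_stale_sets(SAMPLE_ANALYSES, live).items()
    return purge_stale("o", "r", SAMPLE_ANALYSES, live, make_fake_api("o", "r", members))


if __name__ == "__main__":
    print(run_offline_demo())
```

Against a real repository, feed purge_stale the full (paginated) output of the list-analyses endpoint and github_delete(token) as the delete function; live_analysis_keys should contain every analysis_key your current workflows upload, so that nothing current is touched. Checking head["deletable"] before starting is the safety net: if the newest member of a set is not deletable, the set is still receiving uploads and should not be removed.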