Trying to configure my codeql.yml to ignore paths in the codeql scan.

[kencrismoncw]

I would like to know how to configure my codeql.yml Action to ignore various folders as part of the codeql scan. My language stack is 'Python' and 'Javascript'. I;ve tried the paths-ignore: at the root of my yaml just under the name: attribute. That causes the yaml to NOT parse.

I've also tried the:

• name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@v2
  with:
  queries: security-extended,security-and-quality
  ignore_paths: sandbox,test-apps

That allows the scan to run however I get a warning that the ignore_paths is not a valid property and is being ignored.

Here is the warning I get...

Analyze (javascript)Unexpected input(s) 'queries', 'ignore_paths', valid inputs are ['check_name', 'output', 'upload', 'cleanup-level', 'ram', 'add-snippets', 'skip-queries', 'threads', 'checkout_path', 'ref', 'sha', 'category', 'upload-database', 'wait-for-processing', 'token', 'matrix', 'expect-error']

So, I am stumped and need a little bump/nudge in the right direction.

Thoughts?

[aibaars]

There are a number of properties for the github/codeql-action/init step: config-file, config and queries.

A configuration file is a yaml document containing properties like paths, path-ignore and queries. You can either use a separate file or include the yaml text directly in your workflow file using the config property. More information can be found at https://aka.ms/code-scanning-docs/config-file

[pnacht]

According to the docs, paths-ignore is only valid for some interpreted languages (Python, Ruby, and JavaScript/TypeScript).

If you are using another language, then you should remove the autobuild step and configure the build yourself, omitting whatever files or directories shouldn't be included.

[OZZlE]

I added this, nothing changed (for JavaScript/TypeScript)

[flagrant99]

I am not using auto-build. Code Scanning Tools still lists all .cs files in repo even though some of those are for testing and should not be scanned. It says 80% of .cs files are scanned.

• name: 🔨 BuildQL
  working-directory: ${{env.GITHUB_WORKSPACE}}
  run: pwsh ..github\ois\codeql\DoCodeQLBuild.ps1

  • name: Perform CodeQL Analysis
    id: analyze
    uses: github/codeql-action/analyze@v2
    with:
    category: "/language:${{matrix.language}}"

Ultimately I'd like ability to exclude root\testing dir or something so we can see 100% Code Coverage.