{"meta":{"title":"About CodeQL code scanning for compiled languages","intro":"Understand how CodeQL analyzes compiled languages, the build options available, and learn how you can customize the database generation process if you need to.","product":"Security and code quality","breadcrumbs":[{"href":"/en/code-security","title":"Security and code quality"},{"href":"/en/code-security/concepts","title":"Concepts"},{"href":"/en/code-security/concepts/code-scanning","title":"Code scanning"},{"href":"/en/code-security/concepts/code-scanning/codeql","title":"CodeQL"},{"href":"/en/code-security/concepts/code-scanning/codeql/about-codeql-code-scanning-for-compiled-languages","title":"CodeQL for compiled languages"}],"documentType":"article"},"body":"# About CodeQL code scanning for compiled languages\n\nUnderstand how CodeQL analyzes compiled languages, the build options available, and learn how you can customize the database generation process if you need to.\n\n## About the CodeQL analysis workflow and compiled languages\n\nCode scanning works by running queries against one or more CodeQL databases. Each database contains a representation of the code in a single language in your repository. For the compiled languages C/C++, C#, Go, Java, Kotlin, Rust, and Swift, the process of populating this database often involves building the code and extracting data.\n\nWhen you enable code scanning, both default and advanced setup generate a CodeQL database for analysis using the simplest method available. For C/C++, C#, Java and Rust, the CodeQL database is generated directly from the codebase without requiring a build (`none` build mode). For other compiled languages, CodeQL builds the codebase using the `autobuild` build mode. Alternatively, you can use the `manual` build mode to specify explicit build commands to analyze only the files that are built by these custom commands.\n\nYou can use dependency caching with CodeQL to store dependencies as a GitHub Actions cache instead of downloading them from registries. See [About dependency caching for CodeQL](#about-dependency-caching-for-codeql) later in this article.\n\n## CodeQL build modes\n\nThe CodeQL action supports three different build modes for compiled languages:\n\n* `none` - the CodeQL database is created directly from the codebase without building the codebase (supported for all interpreted languages, and additionally supported for C/C++, C#, Java and Rust).\n* `autobuild` - CodeQL detects the most likely build method and uses this to attempt to build the codebase and create a database for analysis (supported for C/C++, C#, Go, Java, Kotlin, and Swift).\n* `manual` - you define the build steps to use for the codebase in the workflow (supported for C/C++, C#, Go, Java, Kotlin, and Swift).\n\nFor language-specific `autobuild` behavior, runner requirements, and guidance for manual builds, see [CodeQL build options and steps for compiled languages](/en/code-security/reference/code-scanning/codeql/codeql-build-options-and-steps-for-compiled-languages).\n\n## About dependency caching for CodeQL\n\nYou can use dependency caching with CodeQL to store dependencies as a GitHub Actions cache instead of downloading them from registries. This reduces the risk of losing alerts when third party registries don't work well, and may result in a performance improvement for projects that have a large number of dependencies or work with slow registries. To read more about how caching dependencies can speed up workflows, see [Dependency caching reference](/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows).\n\nDependency caching works with all build modes, and is supported by Java, Go, and C#.\n\n> \\[!NOTE]\n> Using dependency caching will store CodeQL-specific caches that will be subject to cache quotas for a repository. See [Dependency caching reference](/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#usage-limits-and-eviction-policy)."}