Code scanning analysis takes too long

You can fine tune your code scanning configuration to minimize analysis time.

There are several approaches you can try to reduce the build time in a code scanning analysis.

Increase the memory or cores

If you're using GitHub-hosted runners for your code scanning analysis, consider upgrading to larger runners. These are GitHub-hosted runners with more RAM, CPU, and disk space than standard runners. For more information about larger runners and code scanning, see "Using larger runners" and "Configuring larger runners for default setup."

If you're using self-hosted runners to run code scanning analysis, you can increase the memory or the number of cores on those runners. If you're using CodeQL with advanced setup for your analysis, review the recommended hardware resources for CodeQL to make sure your self-hosted runners meet those requirements. For more information, see "Recommended hardware resources for running CodeQL."

Use matrix builds to parallelize the analysis

To speed up analysis of workflows that involve multiple jobs, you can modify your workflow to use a matrix. For more information, see "Running variations of jobs in a workflow."

The default CodeQL analysis workflow uses a matrix of languages, which causes the analysis of each language to run in parallel. However, if you're using CodeQL with advanced setup and you have specified the languages you want to analyze directly in the "Initialize CodeQL" step, analysis of each language will happen sequentially. In this configuration, you can speed up your analysis by modifying your advanced setup workflow to use a matrix. For an example, see the workflow extract in "Some languages were not analyzed with CodeQL advanced setup."

Reduce the amount of code being analyzed in a single workflow

Analysis time is typically proportional to the amount of code being analyzed. If you're using CodeQL with advanced setup, you can reduce the analysis time by reducing the amount of code being analyzed at once, for example by excluding test code, or by breaking analysis into multiple workflows that each analyze only a subset of your code.

For compiled languages like Java, Kotlin, Go, C, C++, and C#, CodeQL analyzes all of the code that is built during the workflow run. To limit the amount of code being analyzed, build only the code that you want to analyze by specifying your own build steps in a run block. You can combine your own build steps with the paths or paths-ignore filters for the pull_request and push events, so that the workflow only runs when specific code changes. For more information, see "Workflow syntax for GitHub Actions."

For languages like JavaScript, Python, and TypeScript, which CodeQL analyzes without compiling the source code, you can specify additional configuration options to limit the amount of code being analyzed. For more information, see "Customizing your advanced setup for code scanning."

If you split your CodeQL analysis into multiple workflows, we still recommend that you keep at least one workflow that runs on a schedule and analyzes all of the code in your repository. Because CodeQL tracks data flows between components, some complex security behaviors may only be detected on a complete build; a query that needs both the source and the sink in the database cannot fire when they were built in separate, partial runs.
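As an added example (not taken from this page or from GitHub's starter workflow), the following advanced-setup workflow combines the techniques above in one file: a language matrix so the two languages are analyzed in parallel, paths filters on push and pull_request so the workflow only runs when relevant code changes, a manual build step that compiles only the main sources on pull requests, and a scheduled run that compiles everything so cross-component data flows are still covered. The repository layout (a backend/ Gradle project and a frontend/ TypeScript app), the cron expression, and the Gradle tasks are assumptions for this example.

```yaml
# Added example: .github/workflows/codeql.yml for a hypothetical repository.
# Layout and task names below are assumptions, not taken from the page.
name: "CodeQL (scoped on PRs, full on schedule)"

on:
  push:
    branches: [ "main" ]
    # paths and paths-ignore cannot both filter the same event, so test
    # directories are excluded with a negated pattern instead.
    paths:
      - "backend/**"
      - "frontend/**"
      - "!backend/src/test/**"
      - "!**/*.md"
  pull_request:
    branches: [ "main" ]
    paths:
      - "backend/**"
      - "frontend/**"
      - "!backend/src/test/**"
      - "!**/*.md"
  schedule:
    # Weekly full analysis; paths filters do not apply to schedule events,
    # so this run always covers the whole repository.
    - cron: "17 3 * * 1"

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write   # required to upload SARIF results
    strategy:
      fail-fast: false
      matrix:
        # Each language is a separate job, so the two analyses run in parallel.
        include:
          - language: java-kotlin
            build-mode: manual   # we control exactly what gets compiled
          - language: javascript-typescript
            build-mode: none     # interpreted: no build needed
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        if: matrix.language == 'java-kotlin'
        with:
          distribution: temurin
          java-version: "21"

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      # On push/pull_request: compile only main sources, so test code never
      # enters the CodeQL database and the build is shorter.
      - name: Build only the code to analyze (PR / push)
        if: matrix.build-mode == 'manual' && github.event_name != 'schedule'
        working-directory: backend
        run: ./gradlew --no-daemon classes

      # On schedule: compile main and test sources, so the weekly run sees
      # the complete code base and cross-component data flows.
      - name: Build everything (scheduled full analysis)
        if: matrix.build-mode == 'manual' && github.event_name == 'schedule'
        working-directory: backend
        run: ./gradlew --no-daemon classes testClasses

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          # One category per language so results from the matrix jobs do not
          # overwrite each other.
          category: "/language:${{ matrix.language }}"
```

The two build steps are the whole trick for compiled languages: CodeQL only sees code that the tracer watches being compiled, so a pull request run that invokes `classes` alone produces a smaller database than a scheduled run that also invokes `testClasses`. If you are unsure what a partial build left out, compare the `Lines of code` figure the analyze step prints in the two runs.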

Run only during a schedule event

You may find that your analysis is slow during push or pull_request events. If so, you can set your analysis to trigger only on the schedule event. If you're using CodeQL for your code scanning analysis, you can configure this with an advanced setup workflow, but not in default setup. Be aware of the trade-off: a schedule-only workflow no longer blocks or annotates pull requests, so a vulnerability introduced by a change is reported only after the next scheduled run. For more information, see "Understanding GitHub Actions."

Check which queries or rules the workflow runs

Another option to reduce analysis time is to run only the queries or rules that you consider critical in workflows that run on pull requests. If you use a third-party tool for code scanning, you should refer to the documentation for the tool.

In CodeQL, there are two main query suites available for each language: the default suite and the security-extended suite. The default query suite is run automatically and provides the best compromise between result quality and speed. If you have already optimized the CodeQL database build and the process is still too long, you can reduce the number of queries you run.

If you're using CodeQL with advanced setup, you may be running extra queries or query suites in addition to the default queries. Check whether the workflow's "Initialize CodeQL" step, or the configuration file it references, defines an additional query suite or additional queries using the queries element. You can experiment with disabling the additional query suite or queries, or running them only in a scheduled workflow rather than on every pull request. For more information, see "Customizing your advanced setup for code scanning."
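As an added example (not from this page), here is a CodeQL configuration file of the kind referenced from the "Initialize CodeQL" step with `config-file: ./.github/codeql/codeql-config.yml`. It shows the two levers discussed above side by side: the queries element, with the extra suite left in place but commented out so it is easy to re-enable in a scheduled workflow, and paths / paths-ignore, which limit what is analyzed for interpreted languages such as JavaScript and TypeScript. The directory names are assumptions for this example.

```yaml
# Added example: .github/codeql/codeql-config.yml (hypothetical paths).
name: "CodeQL config: default queries, test code excluded"

# Extra queries / suites are what most often make a PR run slow.
# Leaving this section commented out means only the default suite runs.
# Re-enable it in the configuration used by your scheduled full analysis.
# queries:
#   - uses: security-extended

# paths / paths-ignore restrict extraction for interpreted languages
# (JavaScript, TypeScript, Python, Ruby). For compiled languages they do not
# shrink the database; limit those with your own build steps instead.
paths:
  - frontend/src
paths-ignore:
  - frontend/src/**/*.test.ts
  - frontend/src/**/*.spec.ts
  - frontend/src/**/__tests__/**
  - frontend/src/**/__mocks__/**
```

Note that a `queries` value given directly in the workflow's init step takes precedence over the configuration file unless it is prefixed with `+`, so when you are hunting for the source of a slow run, check both places.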