codeql troubleshooting

GitHub Actions edited this page Feb 3, 2026 · 1 revision

GitHub CodeQL Action - Troubleshooting Guide

Problem: "Bad credentials" Error

When running github/codeql-action/init@v4, you may encounter this error:

Error: Encountered an error while trying to determine feature enablement: HttpError: Bad credentials - https://docs.github.com/rest
Warning: An unexpected error occurred when sending a status report: Bad credentials - https://docs.github.com/rest

Root Causes

  1. Invalid or Expired GitHub Token

    • The GITHUB_TOKEN may be expired or revoked
    • The token doesn't have sufficient permissions
  2. Insufficient Permissions

    • Missing security-events: write permission in workflow
    • Missing contents: read permission in job
  3. Feature Enablement Check Failure

    • CodeQL cannot communicate with GitHub API
    • Organization or repository settings may restrict CodeQL
  4. Token Scope Issues

    • GITHUB_TOKEN doesn't have proper scopes
    • Enterprise or organization policies may limit access

Solutions

Solution 1: Add Required Permissions

Ensure your workflow grants the permissions CodeQL needs. A workflow-level block such as the following works, but it grants more than CodeQL itself requires (CodeQL needs only security-events: write, contents: read and actions: read, as in the job-level block that follows), so prefer scoping the permissions to the CodeQL job:

permissions:
  contents: write
  pull-requests: read
  actions: read
  checks: write
  statuses: write
  security-events: write  # Required for CodeQL

For the CodeQL job specifically:

codeql-analysis:
  name: CodeQL Analysis
  runs-on: ubuntu-latest
  permissions:
    contents: read
    security-events: write
    actions: read

Solution 2: Use Correct Action Versions

Use v3 or v4 of the CodeQL actions. The example shows v4 but v3 is more stable:

- name: Initialize CodeQL
  uses: github/codeql-action/init@v3  # or @v4
  with:
    languages: javascript-typescript
    build-mode: none

Solution 3: Proper Configuration

Ensure proper build-mode and language settings:

- name: Initialize CodeQL
  uses: github/codeql-action/init@v3
  with:
    languages: javascript-typescript
    build-mode: none  # For interpreted languages
    queries: security-and-quality  # Specify queries explicitly

Solution 4: Feature Enablement Fix

If feature enablement checks fail, try a minimal initialization step (the step name below says "retry", but the step itself does not retry; it only disables Python dependency setup):

- name: Initialize CodeQL with retry
  uses: github/codeql-action/init@v3
  with:
    languages: javascript-typescript
    build-mode: none
    setup-python-dependencies: false

Solution 5: Verify Repository Settings

  1. Go to your repository settings
  2. Navigate to "Code security and analysis" section
  3. Ensure "GitHub Advanced Security" is enabled
  4. Ensure "Code scanning / Default" is enabled
  5. Check organization policies aren't blocking CodeQL

Solution 6: Check Repository Access

# Verify the token has access (replace OWNER/REPO with your repository)
curl -H "Authorization: token $GITHUB_TOKEN" \
  https://api.github.com/repos/OWNER/REPO

# Check CodeQL enablement (replace OWNER/REPO with your repository)
curl -H "Authorization: token $GITHUB_TOKEN" \
  https://api.github.com/repos/OWNER/REPO/code-scanning/alerts
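The two curl calls above print whatever the API returns, which leaves the reader to interpret the status. As an added example that is not part of the wiki page, the following script keeps a status-to-cause mapping separate from the network call, so the result maps back onto the root-cause list at the top of the page, and discards the response body so the token is never echoed into a log. OWNER/REPO is a placeholder, the GITHUB_API_URL fallback (set automatically inside Actions runners) and the wording of the diagnoses are assumptions, and the Bearer form of the Authorization header is equivalent to the token form used above.

```shell
#!/bin/sh
# Added example (not from the wiki page). Probes what GITHUB_TOKEN can reach
# and maps the HTTP status to the likely cause of a "Bad credentials" failure.
# Requires curl; OWNER/REPO is a placeholder for the repository to check.

api="${GITHUB_API_URL:-https://api.github.com}"

# Pure mapping from HTTP status to diagnosis (no network, so it can be tested).
diagnose_status() {
  case "$1" in
    200) echo "ok: token can read this endpoint" ;;
    401) echo "bad credentials: token missing, expired, revoked or malformed (the error in the logs)" ;;
    403) echo "forbidden: token is valid but lacks permission (security-events: write, Advanced Security) or was rate limited" ;;
    404) echo "not found: repository does not exist, or the token cannot see a private repository" ;;
    429) echo "rate limited: API rate limit exceeded, retry later" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# Returns only the HTTP status; the body is discarded so nothing sensitive is printed.
probe() {
  curl -sS -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer ${GITHUB_TOKEN:?set GITHUB_TOKEN first}" \
    -H "Accept: application/vnd.github+json" \
    "$api/$1"
}

# Checks repository visibility first, then the code scanning endpoint the action needs.
check_token_access() {
  repo="$1"   # e.g. OWNER/REPO
  for path in "repos/$repo" "repos/$repo/code-scanning/alerts"; do
    status="$(probe "$path")"
    echo "$path -> $status: $(diagnose_status "$status")"
  done
}

# Usage: GITHUB_TOKEN=... sh check_token.sh OWNER/REPO
if [ -n "${1:-}" ]; then
  check_token_access "$1"
fi
```

A 401 on the first probe is the token itself; a 200 on the repository followed by 403 on code-scanning/alerts points at the permission or Advanced Security settings covered in Solutions 1 and 5 rather than at the token.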

Implementation in Your Project

The unified-ci.yml workflow has been updated with:

  1. ✅ Required security-events: write permission
  2. ✅ CodeQL job with proper permissions scope
  3. ✅ Correct action versions (@v3)
  4. ✅ Proper language and build-mode configuration
  5. ✅ Integration with final report
  6. ✅ Configuration file at .github/codeql-config.yml

Running CodeQL Locally

To test CodeQL configuration locally:

# Install CodeQL CLI
# Visit: https://github.com/github/codeql-cli-binaries/releases

# Create a database from the current directory
codeql database create codeql-db --language=javascript-typescript

# Run analysis with the standard JavaScript/TypeScript query pack
# (codeql database analyze takes a query pack, suite or query as its query
# argument, not a language name; --download fetches the pack if it is missing)
codeql database analyze codeql-db codeql/javascript-queries \
  --download \
  --format=sarif-latest \
  --output=results.sarif

Common Parameters

| Parameter   | Values                                                     | Notes                                |
|-------------|------------------------------------------------------------|--------------------------------------|
| languages   | javascript-typescript, python, java, cpp, csharp, go, ruby | Comma-separated for multiple         |
| build-mode  | none, autobuild, manual                                    | Use 'none' for interpreted languages |
| queries     | security-and-quality, security-extended                    | Determines analysis depth            |
| config-file | path/to/config.yml                                         | Optional configuration file          |

API Rate Limits

The "Bad credentials" error can also occur due to:

  • Rate limiting: GitHub API rate limits exceeded
  • Organization policies: GHES (GitHub Enterprise Server) restrictions
  • Team settings: Advanced Security not available

Getting Help

  1. Check GitHub Actions logs for full error details
  2. Review CodeQL documentation: https://codeql.github.com/docs/
  3. Visit: https://github.com/github/codeql-action/issues
  4. Check GitHub Community Support: https://github.community/

Files Modified/Created

  • .github/workflows/unified-ci.yml - Added CodeQL job
  • .github/codeql-config.yml - Created configuration file

Next Steps

  1. Verify all required permissions are set
  2. Check repository Code security settings
  3. Run workflow and monitor logs
  4. Review security alerts in repository