When CodeQL scans repositories with Java and/or C# code that depend on packages in private registries—but don’t include those registry addresses in their Maven, Gradle, or NuGet configuration files—the analysis now uses private registry addresses configured at the organization level. This makes it even easier to roll out CodeQL’s Java and C# analysis at scale.

Last year we enabled CodeQL build-mode: none scans to access private dependencies stored in private registries (e.g. Artifactory) for Java and C# projects. This required the addresses of the private registry to be defined in the project configuration. With this change, projects that relied on configurations defined in the build systems or locations external to the project will be able to use private registries.

This makes your scans more comprehensive, ensuring you receive all important alerts regardless of where your dependencies are stored.

This officially marks the end of the preview phase for CodeQL Java/C# private registry support; this feature is now generally available on GitHub.com. It will also roll out with GitHub Enterprise server version 3.18.

OSZAR »