Dependabot cannot run CodeQL with error: 1 configuration not found

[ianhirschfeld]

Select Topic Area

Bug

Body

It seems like this is a bug, but not sure if I am missing a setting.

I have a repo setup with CodeQL, which runs correctly on any pull requests made by a contributor, however when our weekly dependabot scan creates PRs the checks always are blocked at the CodeQL Analyze step. The error is:

1 configuration not found

Warning: Code scanning cannot determine the alerts introduced by this pull request, because 1 configuration present on refs/heads/main was not found

My workflow.yml: https://gist.github.com/ianhirschfeld/4b44f863393f4d28e0d0b9ac086928a5

[ianhirschfeld]

Adding that, pushing an empty commit to the PR, kicks off the checks again which will then run codeql analyze properly

[ginsbach]

Thank you for reporting this!
Can you please share the Workflow file? You can see it linked at the bottom left when you click Details.

[ianhirschfeld]

Added to the main post, here is the link: https://gist.github.com/ianhirschfeld/4b44f863393f4d28e0d0b9ac086928a5

[ginsbach]

Thank you! It looks like you are using the default setup for code scanning, is that correct?

Default setup will not run on PRs from Dependabot.

You will have to switch to advanced setup to remove the requirement for the "Analyze" job and instead use https://github.blog/changelog/2021-06-03-control-which-code-scanning-alerts-cause-a-pull-request-check-to-fail/

[ianhirschfeld]

Gotcha, thank you! I will try that and update here once I verify

[ianhirschfeld]

sorry I thought I came back to this thread, using the advanced setup helped resolve this, thank you!

[Vivihung]

@ianhirschfeld - I hit the same error but I already have the advanced codeql.yml setup. What's inside your codeql.yml? Could you please share a link or an example? Thank you.

[ianhirschfeld]

@Vivihung so sorry I never saw this, if it is still helpful this is what I have in my codeql.yml that ignores dependabot:

jobs:
  analyze:
    # Not for dependabot
    if: ${{ github.actor != 'dependabot[bot]' }}
    # ...

[jwstric2]

has this discussion been considered active feature/issue for using the default setup for code scanning with dependabot. The "default" setup greatly simplifies (especially enterprise organization) policies and enforcenments. Thus far I haven't had a use case to consider advanced setup; well until dependabot.

What more interesting, seems you can't put a bypass in for dependabot (at least what I have seen). The bypass only work if you have active results that can be analyzed, not that you don't have results. For now we had to disable enforcement; consideration to move to advanced but wanted to see if there are options 6 months later from when this issue was first opened.

[ThosRTanner]

I've been getting this as well, and I'm also using the advanced setup (something I have no choice about because the default codeql fails horribly if you're trying to build only for windows)

 GitHub Advanced Security / CodeQL completed Mar 15, 2025 in 2s
1 configuration not found

Warning: Code scanning cannot determine the alerts introduced by this pull request, because 1 configuration present on refs/heads/master was not found:
Default setup

    ❓  /language:actions

I'm quite confused by the language name of "actions" here.

FWIW, my codeql file is here: https://github.com/ThosRTanner/notepad-pp-linter/blob/master/.github/workflows/codeql-analysis.yml

[jsoref]

My guess is that actions came from https://github.com/ThosRTanner/notepad-pp-linter/blob/2cedc2f30643beaa1f7c35b7d0d13efce7598f77/.github/workflows/codeql-analysis.yml#L32

there are a bunch of places where the init action (arbitrarily) picks the first language in the list, e.g.:
https://github.com/github/codeql-action/blob/5eb3ed6614230b1931d5c08df9e096e4ba524f21/src/init-action.ts#L423-L425

[jlangford3]

I was able to get past this issue by updating my branch (merging from main) and re-running the checks. If it is out-of-date the scan will show the same configuration issue as above.