Description
Hi,
Our company manages two separate organization accounts on GitHub.
In Organization A, we successfully use CodeQL to scan our repositories. However, we are encountering an issue when integrating a repository from Organization B into a repository in Organization A using Swift Package Manager.
To access the private repository from Organization B, we have added a keychain entry, which works well for standard builds. Unfortunately, it fails during CodeQL scanning.
I suspect there may be a mechanism in place to prevent circumvention of licensing through transitive scanning. Is this correct? I believe that only Organization A holds the license for CodeQL in private repositories.
The reason for my suspicion is that before we added the keychain entry, it just failed, stating it could not access the repo in org B. But now that the keychain entry is in place, it starts downloading from org B but never succeeds; it just gets stuck on that step.
Thank you for your assistance.