> For the complete documentation index, see [llms.txt](https://knowledgebase.autorabit.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://knowledgebase.autorabit.com/product-guides/codescan/codescan-integration/github-actions/integrating-codescan-with-github-actions/multi-branch-scanning.md). # Multi-Branch Scanning ## Introduction This document explains how to set up GitHub Actions workflows to perform CodeScan static analysis on a repository, including a baseline scan for the main branch and multi-branch scanning. Due to limitations in CodeScan/Sonar, special steps are required to manage the master/main branch creation. ## YAML Files Overview
YAMLPurposeNotes
First YAML Option 1Baseline scan on main branch (flexible push/PR)Uses ubuntu-latest; scans changed files only; generates SARIF.
First YAML Option 2Baseline scan on main branch (restricted to main)Uses ubuntu-latest; fails on red quality gate; requires secrets for login.
Second YAMLMulti-branch scanRuns on any branch; push = standard branch analysis; PR = comparison analysis.
## First YAML – Baseline Scan Options ### Option 1 name: CI\ env:\ SONAR\_SCANNER\_VERSION: 5.0.1.3006\ on:\ push:\ branches:\ \- '\*'\ paths-ignore:\ \- src/test/java/\*\*\ \- target/\*\*\ pull\_request:\ branches:\ \- '\*'\ paths-ignore:\ \- src/test/java/\*\*\ \- target/\*\*\ jobs:\ build:\ runs-on: ubuntu-latest\ steps:\ \- name: Checkout repository\ uses: actions/checkout\@v4\ \- name: Cache files\ uses: actions/cache\@v4\ with:\ path: |\ \~/.sonar\ key: ${{ runner.os }}-sonar\ restore-keys: ${{ runner.os }}-sonar\ \- name: Run Codescan On Push\ if: github.event\_name == 'push'\ uses: codescan-io/codescan-scanner-action\@1.6\ with:\ scanChangedFilesOnly: true\ organization: 'Enter organization key here'\ projectKey: 'Enter project key here'\ codeScanUrl: 'Enter your instance URL'\ login: ${{ secrets.codescan\_token }}\ generateSarifFile: true\ \- name: Run Codescan On PR\ if: github.event\_name == 'pull\_request'\ uses: codescan-io/codescan-scanner-action\@1.6\ with:\ scanChangedFilesOnly: true\ organization: 'Enter organization key here'\ projectKey: 'Enter project key here'\ codeScanUrl: 'Enter your instance URL'\ login: ${{ secrets.codescan\_token }}\ generateSarifFile: true\ args: |\ sonar.pullrequest.branch=${{github.head\_ref}}\ sonar.pullrequest.base=${{github.base\_ref}}\ sonar.pullrequest.key=${{github.event.number}}\ \- name: Upload SARIF file\ uses: github/codeql-action/upload-sarif\@v3\ with:\ sarif\_file: codescan.sarif\ \- name: Archive code coverage results\ uses: actions/upload-artifact\@v4\ with:\ name: codescan.sarif\ path: codescan.sarif *** ### Option 2 name: CI\ on:\ push:\ branches: \[main]\ pull\_request:\ branches: \[main]\ env:\ SONAR\_SCANNER\_VERSION: 5.0.1.3006\ jobs:\ build:\ runs-on: ubuntu-latest\ steps:\ \- name: Checkout repository\ uses: actions/checkout\@v4\ \- name: Cache files\ uses: actions/cache\@v4\ with:\ path: |\ \~/.sonar\ key: ${{ runner.os }}-sonar\ restore-keys: ${{ runner.os }}-sonar\ \- name: Run Codescan On Push\ if: github.event\_name == 'push'\ uses: codescan-io/codescan-scanner-action\@1.6\ with:\ organization: 'Enter organization key here'\ projectKey: 'Enter project key here'\ codeScanUrl: 'Enter your instance URL'\ login: ${{ secrets.codescan\_token }}\ generateSarifFile: true\ failOnRedQualityGate: true\ \- name: Run Codescan On PR\ if: github.event\_name == 'pull\_request'\ uses: codescan-io/codescan-scanner-action\@1.6\ with:\ organization: 'Enter organization key here'\ projectKey: 'Enter project key here'\ codeScanUrl: 'Enter your instance URL'\ login: ${{ secrets.codescan\_token }}\ scanChangedFilesOnly: true\ generateSarifFile: true\ failOnRedQualityGate: true\ args: |\ sonar.pullrequest.branch=${{github.head\_ref}}\ sonar.pullrequest.base=${{github.base\_ref}}\ sonar.pullrequest.key=${{github.event.number}}\ \- name: Upload SARIF file\ uses: github/codeql-action/upload-sarif\@v3\ with:\ sarif\_file: codescan.sarif\ \- name: Archive code coverage results\ uses: actions/upload-artifact\@v4\ with:\ name: codescan.sarif\ path: codescan.sarif *** ## Handling Master/Main Branch Issue * After the first scan, a master branch may exist in CodeScan. * When switching to the second YAML, pushing to main may create an extra main branch. Steps to resolve: 1. Delete the newly created main branch in CodeScan. 2. Rename the master branch to main. 3. Confirm the baseline analysis is associated with the main. *** ## Second YAML – Multi-Branch Scan name: CI\ env:\ SONAR\_SCANNER\_VERSION: 5.0.1.3006\ SONAR\_SOURCES: force-app\ on:\ push:\ branches:\ \- '\*'\ paths-ignore:\ \- src/test/java/\*\*\ \- target/\*\*\ pull\_request:\ branches:\ \- '\*'\ paths-ignore:\ \- src/test/java/\*\*\ \- target/\*\*\ jobs:\ build:\ runs-on: macos-latest\ steps:\ \- name: Checkout repository\ uses: actions/checkout\@v4\ with:\ fetch-depth: 0\ \- name: Cache files\ uses: actions/cache\@v4\ with:\ path: |\ \~/.sonar\ key: ${{ runner.os }}-sonar\ restore-keys: ${{ runner.os }}-sonar\ \- name: Run Codescan On Push\ if: github.event\_name == 'push'\ uses: codescan-io/codescan-scanner-action\@1.6\ with:\ scanChangedFilesOnly: true\ organization: 'Enter organization key here'\ projectKey: 'Enter project key here'\ codeScanUrl: 'Enter your instance URL'\ login: ${{ secrets.codescan\_token }}\ generateSarifFile: true\ args: |\ sonar.branch.name=${{ github.ref\_name }}\ sonar.sources=${{ env.SONAR\_SOURCES }}\ sonar.exclusions=target/\*\*,src/test/java/\*\*\ \- name: Run Codescan On PR\ if: github.event\_name == 'pull\_request'\ uses: codescan-io/codescan-scanner-action\@1.6\ with:\ scanChangedFilesOnly: true\ organization: 'Enter organization key here'\ projectKey: 'Enter project key here'\ codeScanUrl: 'Enter your instance URL'\ login: ${{ secrets.codescan\_token }}\ generateSarifFile: true\ args: |\ sonar.pullrequest.key=${{ github.event.pull\_request.number }}\ sonar.pullrequest.branch=${{ github.head\_ref }}\ sonar.pullrequest.base=${{ github.base\_ref }}\ sonar.sources=${{ env.SONAR\_SOURCES }}\ sonar.exclusions=target/\*\*,src/test/java/\*\*\ \- name: Upload SARIF file\ uses: github/codeql-action/upload-sarif\@v3\ with:\ sarif\_file: codescan.sarif\ \- name: Archive code coverage results\ uses: actions/upload-artifact\@v4\ with:\ name: codescan.sarif *** ## Step-by-Step Workflow 1. Initial Baseline Scan * Add first YAML (Option 1 or 2) to scan main branch. * Push and verify baseline scan on CodeScan. 2. Branch Adjustment * Replace YAML with second YAML * Delete extra main branch in CodeScan if created. * Rename master to main. 3. Multi-Branch Scanning. * Push to other branches to enable scanning. * Verify SARIF upload and analysis in GitHub. *** ## Notes & Considerations * Sonar/CodeScan limitations require the baseline to be on main/master first. * Always fetch full history for PR analysis (fetch-depth: 0). * SONAR\_SOURCES: force-app Incase folder structure is other than DX * SONAR\_SOURCES: src (or) .(. here represents the ROOT FOLDER) * Specifying Root Folder, CodeScan always scans the Root folder mentioned and files within it. * In scenarios where the customer has multiple root folders, using (.) will make sure every root folder in the repo is scanned. *** --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://knowledgebase.autorabit.com/product-guides/codescan/codescan-integration/github-actions/integrating-codescan-with-github-actions/multi-branch-scanning.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.