We're getting spammed by github-code-scanning bot

[magicus]

Since a few week, our project is getting spammed by a bot called github-code-scanning, claiming You have successfully added a new QDJVMC configuration project/qodana.. This is repeated over and over, sometimes multiple times on each PR, see e.g.Wynntils/Wynntils#1417.

We have not changed any settings to allow this bot, and I have searched through all settings I can find to try and stop this, but nothing seem to help. I have also looked through Qodana instructions, and found nothing about this.

We really do like Qodana and would like to keep it, but this is highly annoying.

Why is this happening? How can I disable it?

[brichbash]

Hello,

The github-code-scanning bot is CodeQL which is enabled in your qodana.yml. Unfortunately, I couldn't find a way to disable the comments either. You can remove the github/codeql-action/upload-sarif@v2 step from your workflow configuration. You will still see annotations in your PRs.
Also, you might want to take a look at Qodana Cloud. It will let you view your Qodana results using a beautiful UI. More information on configuring it with GitHub Actions can be found in the documentation.

[magicus]

Thank you for your help! I did not fully understand the difference or relationship between Qodana and CodeQL. I am happy to hear that we can keep using Qodana for PR annotations, and yet get rid of that bot.