Troubleshooting LGTM Integration Failures and Skipped Code Analysis

Details: Category: Code Quality; By Mindful Chase; 19.Jul; Hits: 4

LGTM (Looks Good To Me) is a code quality platform that automatically analyzes code changes to detect potential bugs, security vulnerabilities, and anti-patterns. While widely adopted in CI/CD pipelines, especially across large codebases and multi-team repositories, developers and tech leads often face subtle issues when LGTM fails to trigger checks, reports false positives, or breaks builds unexpectedly. These problems tend to arise not from LGTM itself, but due to integration misconfigurations, repo architecture changes, or uncommon code constructs. This article focuses on advanced troubleshooting for when LGTM checks silently skip analysis, produce stale results, or falsely flag clean code—issues critical in enterprise development environments.

Mindful Chase

Writing Code, Writing Stories

tbd

Experience

tbd

More to Explore

Understanding the LGTM Analysis Lifecycle

What Triggers an LGTM Analysis?

LGTM scans are automatically triggered by pull requests or direct commits to monitored branches. Under the hood, LGTM uses CodeQL to parse and analyze source code, storing results in a snapshot for regression comparison. However, changes in repo structure, misaligned language settings, or third-party tool interference can prevent scans from triggering or lead to inconsistent results.

Languages and Monorepo Complexity

LGTM supports multiple languages including JavaScript, Python, Java, C/C++, and C#. For monorepos, each language must be correctly detected and configured. LGTM can silently skip files or modules if incorrect build instructions are provided in the lgtm.yml or if directory structures are too deeply nested.

Root Causes of Skipped or Inaccurate Analysis

1. Improper or Missing lgtm.yml Configuration

If lgtm.yml lacks build steps or uses incorrect paths, LGTM may skip analyzing parts of the codebase without any visible error.

extraction:
  javascript:
    index: ["src/index.js"]
    build_mode: none

2. Failed Dependency Resolution

When LGTM fails to resolve external modules due to missing package managers or incompatible versions (e.g., Maven, npm, pip), it often proceeds with a degraded scan, leading to false positives or missed detections.

3. Language Misidentification

In some polyglot repos, LGTM may misidentify the dominant language, analyzing only partial code segments. This often happens when extensions or uncommon file naming conventions are used.

4. Stale Build Artifacts

LGTM caches builds per commit. If a base commit has stale or broken artifacts, the next scan may inherit those inconsistencies, leading to seemingly unrelated errors.

Diagnostics and Deep Investigation

Review the LGTM Logs

LGTM provides detailed logs for each analysis. Reviewing these logs can reveal missing dependency issues, skipped modules, or malformed configurations.

# Inspect lgtm analysis logs in the platform dashboard
# Look for warnings about dependency resolution or indexing errors

CodeQL Command-Line Replication

For deeper analysis, replicate the scan locally using CodeQL CLI. This allows debugging specific query failures and validating changes before pushing them upstream.

codeql database create my-db --language=javascript --command="npm install"
codeql database analyze my-db codeql-repo/javascript/ql/src

Verify Build Success Under CI Conditions

Ensure the same commands defined in lgtm.yml succeed on a clean environment. Use Docker or CI containers to mimic LGTM's sandboxed build pipeline.

Step-by-Step Fixes

1. Correct and Simplify lgtm.yml

Ensure accurate build instructions. Avoid complex conditionals or environment-variable dependencies that won't resolve on LGTM's platform.

extraction:
  python:
    index: ["app/main.py"]
    build_mode: command
    build_command: "pip install -r requirements.txt"

2. Use Language-Specific LGTM Configuration

Define explicit extraction rules for each language. LGTM's auto-detection fails in hybrid environments unless properly guided.

3. Monitor LGTM PR Checks via API

Use LGTM's status APIs or GitHub Actions to ensure checks are registered on PRs. Skipped checks often stem from token misconfigurations or branch protections.

4. Clean Up Build Dependencies

Ensure deterministic builds. Pin versions in package.json, requirements.txt, or build.gradle to avoid flaky LGTM behavior.

5. Trigger Full Rebuilds on LGTM

When inconsistencies persist, manually trigger a full project rescan from LGTM's dashboard to invalidate cached results.

Best Practices for Stable LGTM Integrations

Keep lgtm.yml under version control and review it during PRs
Pin dependency versions to eliminate transient errors
Write custom CodeQL queries to suppress known false positives
Integrate LGTM alerts into Slack or dashboards for visibility
Periodically review language detection and repo structure alignment

Conclusion

LGTM is a powerful tool when configured correctly, but its integration can be fragile in complex, real-world codebases. Silent failures, skipped scans, and false alerts undermine developer confidence and security posture. By understanding the lifecycle of LGTM analysis, inspecting logs, using CodeQL locally, and maintaining tight configuration discipline, tech teams can ensure accurate, consistent code quality checks at scale.

FAQs

1. Why are LGTM checks not showing up on my PR?

This often results from token misconfigurations, disabled integrations, or incorrect branch targeting in LGTM settings.

2. How do I suppress false positives in LGTM?

You can write custom CodeQL queries with guard clauses or annotate code with suppression comments if supported.

3. Does LGTM support monorepos with multiple build systems?

Yes, but each language and module must be explicitly defined in lgtm.yml. Auto-detection is limited in such setups.

4. Can I run LGTM locally?

No, but you can replicate its analysis using CodeQL CLI, which is the core analysis engine used by LGTM.

5. How do I force LGTM to rescan my project?

Use the LGTM UI to delete snapshots or reconfigure analysis to trigger a fresh scan. Commits alone won't always retrigger scans.

Contact Us