GitHub Advanced Security for Azure DevOps - Dependency Scanning and CodeQL for a C# application using Docker@2 build failing to find code

Question

GitHub Advanced Security for Azure DevOps - Dependency Scanning and CodeQL for a C# application built using task: Docker@2 failing to find code but similar pipeline works for JS.

I’ve got two applications built using the Docker@2 built setups and using GHAS in ADO to scan the code.

The JS based one works OK and both Dependency Scanning and CodeQL return results. But the C# one gives the following error:

CodeQL detected code written in C# but could not process any of it. This can occur if the specified build commands failed to compile or process any code.

- Confirm that there is some source code for the specified language in the project.

- For codebases written in Go, JavaScript, TypeScript, and Python, do not specify an explicit --command.

- For other languages, the --command must specify a "clean" build which compiles all the source code files without reusing existing build artefacts.

##[warning] Error running the 'database finalize' CodeQL command (32)

##[error]Error running the 'database finalize' CodeQL command (32)

Learn more about the scan for the CodeQL build tasks:

Pipeline for the C# one

# Advanced Security Initialize CodeQL v1
# Initializes the CodeQL database in preparation for building.
- task: AdvancedSecurity-Codeql-Init@1
  inputs:
    languages: 'csharp'
    querysuite: 'security-and-quality'

- task: Docker@2
  displayName: Login To Azure Container Registry
  inputs:
    command: login
    containerRegistry: ${{ parameters.ContainerRegistryServiceConnection }}

- task: Docker@2
  displayName: Build Build Docker Image
  inputs:
    containerRegistry: ${{ parameters.ContainerRegistryServiceConnection }}
    repository: ${{ parameters.ImageRepository }}
    command: "build"
    Dockerfile: ${{ parameters.DockerfilePath }}
    buildContext: "."
    tags: |
      $(Build.BuildId)
      latest

# Advanced Security Dependency Scanning v1
# Scan for open source dependency vulnerabilities in your source code.
- task: AdvancedSecurity-Dependency-Scanning@1
  displayName: Dependency Scanning

# Advanced Security Perform CodeQL analysis v1
# Finalizes the CodeQL database and runs the analysis queries.
- task: AdvancedSecurity-Codeql-Analyze@1
  displayName: Perform CodeQL analysis

We've split the docker build and publish tasks to match the JS application that works but the C# fails to find the code.