From 4a3d0f9262b5c981dccafadfe917c7f560bb020c Mon Sep 17 00:00:00 2001 
From: docs-bot <77750099+docs-bot@users.noreply.github.com>
Date: Mon, 26 Jan 2026 04:22:51 -0800
Subject: [PATCH 1/3] Update CodeQL CLI manual (#59204)

Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../codeql/codeql-cli-manual/bqrs-decode.md | 4 ++--
 .../codeql/codeql-cli-manual/bqrs-info.md | 4 ++--
 .../codeql/codeql-cli-manual/database-analyze.md | 14 +++++++-------
 .../codeql/codeql-cli-manual/database-bundle.md | 7 +++++++
 .../codeql/codeql-cli-manual/database-create.md | 14 +++++++-------
 .../database-export-diagnostics.md | 2 +-
 .../codeql/codeql-cli-manual/database-finalize.md | 8 ++++----
 .../codeql/codeql-cli-manual/database-import.md | 4 ++--
 .../codeql-cli-manual/database-index-files.md | 12 ++++++------
 .../codeql/codeql-cli-manual/database-init.md | 10 +++++-----
 .../database-interpret-results.md | 10 +++++-----
 .../codeql-cli-manual/database-print-baseline.md | 4 ++--
 .../codeql-cli-manual/database-run-queries.md | 10 +++++-----
 .../codeql-cli-manual/database-trace-command.md | 8 ++++----
 .../codeql/codeql-cli-manual/database-unbundle.md | 2 +-
 .../codeql/codeql-cli-manual/database-upgrade.md | 4 ++--
 .../codeql/codeql-cli-manual/dataset-upgrade.md | 6 +++---
 .../codeql-cli-manual/execute-language-server.md | 2 +-
 .../codeql/codeql-cli-manual/execute-queries.md | 6 +++---
 .../codeql-cli-manual/execute-query-server2.md | 6 +++---
 .../codeql/codeql-cli-manual/execute-upgrades.md | 4 ++--
 .../codeql-cli-manual/generate-overlay-changes.md | 2 +-
 .../codeql-cli-manual/github-merge-results.md | 2 +-
 .../codeql-cli-manual/github-upload-results.md | 2 +-
 .../codeql/codeql-cli-manual/query-compile.md | 2 +-
 .../codeql/codeql-cli-manual/query-run.md | 10 +++++-----
 .../codeql/codeql-cli-manual/resolve-qlpacks.md | 2 +-
 .../codeql/codeql-cli-manual/test-accept.md | 2 +-
 .../codeql/codeql-cli-manual/test-extract.md | 2 +-
 .../codeql/codeql-cli-manual/test-run.md | 4 ++--
 30 files changed, 88 insertions(+), 81 deletions(-)
diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-decode.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-decode.md index d4ccd0be4a9c..bba5d9e1871a 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-decode.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-decode.md @@ -53,7 +53,7 @@ The file to write the desired output to. #### `-r, --result-set=` Select a particular result set from the BQRS file to decode. The -available results sets can be listed by [codeql bqrs info](/code-security/codeql-cli/codeql-cli-manual/bqrs-info). +available results sets can be listed by [codeql bqrs info](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-info). If no result set is selected, all result sets will be decoded, provided the selected output format and processing options support that. @@ -116,7 +116,7 @@ at the top, or at the location given by `--start-at`. #### `--start-at=` \[Advanced] Start printing the row defined at a particular byte offset -in the BQRS file. The offset must be gotten from [codeql bqrs info](/code-security/codeql-cli/codeql-cli-manual/bqrs-info), or from the "next" pointer found in JSON output from a previous invocation with `--rows` +in the BQRS file. The offset must be gotten from [codeql bqrs info](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-info), or from the "next" pointer found in JSON output from a previous invocation with `--rows` set. Other offsets are likely to produce nonsense output and/or explicit errors. diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-info.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-info.md index 1092d174b55a..45fb8f1712a7 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-info.md 
+++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-info.md @@ -41,7 +41,7 @@ names and sizes of each result set (table) in the BQRS file, and the column types of each result set. It can also optionally precompute offsets for using the pagination -options of [codeql bqrs decode](/code-security/codeql-cli/codeql-cli-manual/bqrs-decode). This is mainly useful for IDE plugins. +options of [codeql bqrs decode](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-decode). This is mainly useful for IDE plugins. ## Options @@ -61,7 +61,7 @@ Select output format, either `text` _(default)_ or `json`. \[Advanced] When given together with `--format=json`, compute a table of byte offsets that can later be given to the `--start-at` option of -[codeql bqrs decode](/code-security/codeql-cli/codeql-cli-manual/bqrs-decode), to start streaming results at positions 0, _\_, 2\*_\_, and so +[codeql bqrs decode](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-decode), to start streaming results at positions 0, _\_, 2\*_\_, and so forth. #### `--paginate-result-set=` diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze.md index 1e8328c19e76..8ce6339ff807 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze.md 
@@ -42,9 +42,9 @@ Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as alerts or paths, in SARIF or another interpreted format. -This command combines the effect of the [codeql database run-queries](/code-security/codeql-cli/codeql-cli-manual/database-run-queries) and [codeql database interpret-results](/code-security/codeql-cli/codeql-cli-manual/database-interpret-results) commands. If you want to run queries whose results _don't_ meet the requirements for +This command combines the effect of the [codeql database run-queries](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-run-queries) and [codeql database interpret-results](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-interpret-results) commands. If you want to run queries whose results _don't_ meet the requirements for being interpreted as source-code alerts, use -[codeql database run-queries](/code-security/codeql-cli/codeql-cli-manual/database-run-queries) or [codeql query run](/code-security/codeql-cli/codeql-cli-manual/query-run) instead, and then [codeql bqrs decode](/code-security/codeql-cli/codeql-cli-manual/bqrs-decode) to convert the raw results to a readable notation. +[codeql database run-queries](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-run-queries) or [codeql query run](/code-security/reference/code-scanning/codeql/codeql-cli-manual/query-run) instead, and then [codeql bqrs decode](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-decode) to convert the raw results to a readable notation. ## Options @@ -152,7 +152,7 @@ all queries. It loads query help for /path/to/query.ql from the /path/to/query.md file. If this flag is not supplied the default behavior is to include help only for custom queries i.e. those in query packs which are not of the form \`codeql/\` 
@@ -167,7 +167,7 @@ queries i.e. those in query packs which are not of the form `never`: Do not include query help for any queries. -This option has no effect when passed to [codeql bqrs interpret](/code-security/codeql-cli/codeql-cli-manual/bqrs-interpret). +This option has no effect when passed to [codeql bqrs interpret](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-interpret). Available since `v2.15.2`. @@ -182,7 +182,7 @@ Available since `v2.18.1`. \[SARIF formats only] Place the rule object for each query under its corresponding QL pack in the `.tool.extensions` property. This -option has no effect when passed to [codeql bqrs interpret](/code-security/codeql-cli/codeql-cli-manual/bqrs-interpret). +option has no effect when passed to [codeql bqrs interpret](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-interpret). #### `--[no-]sarif-multicause-markdown` @@ -317,7 +317,7 @@ timed parts are "RA layers" of the optimized query, but that might change in the future. If no timeout is specified, or is given as 0, no timeout will be set -(except for [codeql test run](/code-security/codeql-cli/codeql-cli-manual/test-run), where the default timeout is 5 minutes). +(except for [codeql test run](/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-run), where the default timeout is 5 minutes). #### `-j, --threads=` 
@@ -340,7 +340,7 @@ be discarded after the queries have been executed. #### `--[no-]keep-full-cache` \[Advanced] Don't clean up the disk cache after evaluation completes. -This may save time if you're going to do [codeql dataset cleanup](/code-security/codeql-cli/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/codeql-cli/codeql-cli-manual/database-cleanup) afterwards anyway. +This may save time if you're going to do [codeql dataset cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-cleanup) afterwards anyway. #### `--max-disk-cache=` diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-bundle.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-bundle.md index 2fc3129c414d..adbe27c8af5d 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-bundle.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-bundle.md @@ -79,6 +79,13 @@ Available since `v2.13.3`. Include an uncompressed version of the source archive directory. This is necessary for legacy CodeQL plugins (like CodeQL for Eclipse). +#### `--include=` + +\[Advanced] Additional paths relative to the database directory to +include in the bundle. + +Available since `v2.24.0`. + #### `--name=` The name of the top-level directory in the bundle. If not given, it diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-create.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-create.md index 94b60ed3040e..3cc94fba5cae 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-create.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-create.md 
@@ -74,7 +74,7 @@ delete the entire database directory. on how to create the CodeQL databases and what queries to run in later steps. For more details on the format of this configuration file, refer to [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning). To run queries from -this file in a later step, invoke [codeql database analyze](/code-security/codeql-cli/codeql-cli-manual/database-analyze) without any other queries specified. +this file in a later step, invoke [codeql database analyze](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze) without any other queries specified. #### `--[no-]db-cluster` @@ -86,7 +86,7 @@ directory given on the command line. The language that the new database will be used to analyze. -Use [codeql resolve languages](/code-security/codeql-cli/codeql-cli-manual/resolve-languages) to get a list of the pluggable language extractors found on the search path. +Use [codeql resolve languages](/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-languages) to get a list of the pluggable language extractors found on the search path. When the `--db-cluster` option is given, this can appear multiple times, or the value can be a comma-separated list of languages. @@ -173,7 +173,7 @@ will be left unfinalized. #### `--[no-]linkage-aware-import` -\[Advanced] Controls whether [codeql dataset import](/code-security/codeql-cli/codeql-cli-manual/dataset-import) is linkage-aware _(default)_ or not. On projects where this part of database creation +\[Advanced] Controls whether [codeql dataset import](/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-import) is linkage-aware _(default)_ or not. On projects where this part of database creation consumes too much memory, disabling this option may help them progress at the expense of database completeness. 
@@ -349,10 +349,10 @@ will use all the values provided, in order. Extractor options specified using this command-line option are processed after extractor options given via `--extractor-options-file`. -When passed to [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be +When passed to [codeql database init](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be applied to the indirect tracing environment. If your workflow also makes calls to -[codeql database trace-command](/code-security/codeql-cli/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired. +[codeql database trace-command](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired. See for more information on CodeQL extractor options, including how to list the 
@@ -375,10 +375,10 @@ will use all the values provided, in order. Extractor options specified using this command-line option are processed before extractor options given via `--extractor-option`. -When passed to [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be +When passed to [codeql database init](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be applied to the indirect tracing environment. If your workflow also makes calls to -[codeql database trace-command](/code-security/codeql-cli/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired. +[codeql database trace-command](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired. See for more information on CodeQL extractor options, including how to list the diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-export-diagnostics.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-export-diagnostics.md index c71934957b18..6f52baf38369 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-export-diagnostics.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-export-diagnostics.md 
@@ -47,7 +47,7 @@ Available since `v2.12.6`. #### `` \[Mandatory] Path to the CodeQL database under construction. This must -have been prepared for extraction with [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init). +have been prepared for extraction with [codeql database init](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init). If the `--db-cluster` option is given, this is not a database itself, but a directory that _contains_ databases, and all of those databases diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-finalize.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-finalize.md index 459d06dd122a..5c81dba4ae82 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-finalize.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-finalize.md @@ -35,7 +35,7 @@ codeql database finalize [--dbscheme=] [--threads=] [--ram=] ` \[Mandatory] Path to the CodeQL database under construction. This must -have been prepared for extraction with [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init). +have been prepared for extraction with [codeql database init](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init). If the `--db-cluster` option is given, this is not a database itself, but a directory that _contains_ databases, and all of those databases 
@@ -62,7 +62,7 @@ construction. Those databases will be processed together. These will not themselves be finalized, but the data from them will be included in the finalized database being created. This is an advanced option that may not have the desired effect in all cases. For more -information, please refer to the documentation of [codeql database import](/code-security/codeql-cli/codeql-cli-manual/database-import). +information, please refer to the documentation of [codeql database import](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-import). If the `--db-cluster` option is given, it is expected that these will be database clusters rather than individual CodeQL databases. @@ -188,7 +188,7 @@ takes up a lot of space in the dataset. #### `--[no-]linkage-aware-import` -\[Advanced] Controls whether [codeql dataset import](/code-security/codeql-cli/codeql-cli-manual/dataset-import) is linkage-aware _(default)_ or not. On projects where this part of database creation +\[Advanced] Controls whether [codeql dataset import](/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-import) is linkage-aware _(default)_ or not. On projects where this part of database creation consumes too much memory, disabling this option may help them progress at the expense of database completeness. diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-import.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-import.md index c18db27c9ee5..057bd0f790ef 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-import.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-import.md 
@@ -58,7 +58,7 @@ meaningful. #### `` \[Mandatory] Path to the CodeQL database under construction. This must -have been prepared for extraction with [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init). +have been prepared for extraction with [codeql database init](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init). If the `--db-cluster` option is given, this is not a database itself, but a directory that _contains_ databases, and all of those databases @@ -132,7 +132,7 @@ takes up a lot of space in the dataset. #### `--[no-]linkage-aware-import` -\[Advanced] Controls whether [codeql dataset import](/code-security/codeql-cli/codeql-cli-manual/dataset-import) is linkage-aware _(default)_ or not. On projects where this part of database creation +\[Advanced] Controls whether [codeql dataset import](/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-import) is linkage-aware _(default)_ or not. On projects where this part of database creation consumes too much memory, disabling this option may help them progress at the expense of database completeness. diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-index-files.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-index-files.md index 46294c8d480e..cb2728470c5f 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-index-files.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-index-files.md 
@@ -57,7 +57,7 @@ patterns, which can use the following wildcard characters: #### `` \[Mandatory] Path to the CodeQL database under construction. This must -have been prepared for extraction with [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init). +have been prepared for extraction with [codeql database init](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init). #### `-l, --language=` @@ -82,7 +82,7 @@ set, the environment variable value takes precedence over this option. \[Advanced] The directory in which the specified command should be executed. If this argument is not provided, the command is executed in -the value of `--source-root` passed to [codeql database create](/code-security/codeql-cli/codeql-cli-manual/database-create), if one exists. If no `--source-root` argument is provided, the command is executed in the +the value of `--source-root` passed to [codeql database create](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-create), if one exists. If no `--source-root` argument is provided, the command is executed in the current working directory. ### Options to control extractor behavior 
@@ -105,10 +105,10 @@ will use all the values provided, in order. Extractor options specified using this command-line option are processed after extractor options given via `--extractor-options-file`. -When passed to [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be +When passed to [codeql database init](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be applied to the indirect tracing environment. If your workflow also makes calls to -[codeql database trace-command](/code-security/codeql-cli/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired. +[codeql database trace-command](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired. See for more information on CodeQL extractor options, including how to list the 
@@ -131,10 +131,10 @@ will use all the values provided, in order. Extractor options specified using this command-line option are processed before extractor options given via `--extractor-option`. -When passed to [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be +When passed to [codeql database init](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be applied to the indirect tracing environment. If your workflow also makes calls to -[codeql database trace-command](/code-security/codeql-cli/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired. +[codeql database trace-command](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired. See for more information on CodeQL extractor options, including how to list the diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init.md index 8d34ad5475e6..dbb4108a38a8 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init.md 
@@ -37,7 +37,7 @@ codeql database init --source-root= [--language=[,...]] [--gith Create a skeleton structure for a CodeQL database that doesn't have a raw QL dataset yet, but is ready for running extractor steps. After this -command completes, run one or more [codeql database trace-command](/code-security/codeql-cli/codeql-cli-manual/database-trace-command) commands followed by [codeql database finalize](/code-security/codeql-cli/codeql-cli-manual/database-finalize) to prepare the database for querying. +command completes, run one or more [codeql database trace-command](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-trace-command) commands followed by [codeql database finalize](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-finalize) to prepare the database for querying. (Part of what this does is resolve the location of the appropriate language pack and store it in the database metadata, such that it won't @@ -87,7 +87,7 @@ delete the entire database directory. on how to create the CodeQL databases and what queries to run in later steps. For more details on the format of this configuration file, refer to [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning). To run queries from -this file in a later step, invoke [codeql database analyze](/code-security/codeql-cli/codeql-cli-manual/database-analyze) without any other queries specified. +this file in a later step, invoke [codeql database analyze](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze) without any other queries specified. #### `--[no-]db-cluster` 
@@ -99,7 +99,7 @@ directory given on the command line. The language that the new database will be used to analyze. -Use [codeql resolve languages](/code-security/codeql-cli/codeql-cli-manual/resolve-languages) to get a list of the pluggable language extractors found on the search path. +Use [codeql resolve languages](/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-languages) to get a list of the pluggable language extractors found on the search path. When the `--db-cluster` option is given, this can appear multiple times, or the value can be a comma-separated list of languages. @@ -271,7 +271,7 @@ given via `--extractor-options-file`. When passed to codeql database init or `codeql database begin-tracing`, the options will only be applied to the indirect tracing environment. If your workflow also makes calls to -[codeql database trace-command](/code-security/codeql-cli/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired. +[codeql database trace-command](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired. See for more information on CodeQL extractor options, including how to list the @@ -297,7 +297,7 @@ given via `--extractor-option`. When passed to codeql database init or `codeql database begin-tracing`, the options will only be applied to the indirect tracing environment. If your workflow also makes calls to -[codeql database trace-command](/code-security/codeql-cli/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired. +[codeql database trace-command](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired. See for more information on CodeQL extractor options, including how to list the 
diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-interpret-results.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-interpret-results.md index 8ecbcd47ec3c..64357bf339c9 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-interpret-results.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-interpret-results.md @@ -39,7 +39,7 @@ codeql database interpret-results --format= --output= [--threads such as SARIF or CSV. The results should have been computed and stored in a CodeQL database -directory using [codeql database run-queries](/code-security/codeql-cli/codeql-cli-manual/database-run-queries). (Usually you'd want to do these steps together, by using [codeql database analyze](/code-security/codeql-cli/codeql-cli-manual/database-analyze)). +directory using [codeql database run-queries](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-run-queries). (Usually you'd want to do these steps together, by using [codeql database analyze](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze)). ## Options @@ -54,7 +54,7 @@ directory using [codeql database run-queries](/code-security/codeql-cli/codeql-c Repeat the specification of which queries were executed here. If omitted, the CLI will determine a suitable set of queries using the -same logic as [codeql database run-queries](/code-security/codeql-cli/codeql-cli-manual/database-run-queries). +same logic as [codeql database run-queries](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-run-queries). (In a future version it ought to be possible to omit this and instead interpret all results that are found in the database. That glorious 
@@ -114,7 +114,7 @@ all queries. It loads query help for /path/to/query.ql from the /path/to/query.md file. If this flag is not supplied the default behavior is to include help only for custom queries i.e. those in query packs which are not of the form \`codeql/\` @@ -129,7 +129,7 @@ queries i.e. those in query packs which are not of the form `never`: Do not include query help for any queries. -This option has no effect when passed to [codeql bqrs interpret](/code-security/codeql-cli/codeql-cli-manual/bqrs-interpret). +This option has no effect when passed to [codeql bqrs interpret](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-interpret). Available since `v2.15.2`. @@ -144,7 +144,7 @@ Available since `v2.18.1`. \[SARIF formats only] Place the rule object for each query under its corresponding QL pack in the `.tool.extensions` property. This -option has no effect when passed to [codeql bqrs interpret](/code-security/codeql-cli/codeql-cli-manual/bqrs-interpret). +option has no effect when passed to [codeql bqrs interpret](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-interpret). #### `--[no-]sarif-multicause-markdown` diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-print-baseline.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-print-baseline.md index b94f785ba27c..4ceb25dec6c7 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-print-baseline.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-print-baseline.md 
@@ -36,7 +36,7 @@ codeql database print-baseline ... -- \[Plumbing] Print a summary of the baseline lines of code seen. This command will print to standard out the baseline lines of code seen -within the source root specified at [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init) time for each language present in the database. +within the source root specified at [codeql database init](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init) time for each language present in the database. The baseline is an estimate of the non-empty, non-comment lines of code in a database. This count is different from the lines of code counted by @@ -53,7 +53,7 @@ source root. #### `` \[Mandatory] Path to the CodeQL database under construction. This must -have been prepared for extraction with [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init). +have been prepared for extraction with [codeql database init](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init). If the `--db-cluster` option is given, this is not a database itself, but a directory that _contains_ databases, and all of those databases diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-run-queries.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-run-queries.md index d072eafc4345..ee4da6678747 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-run-queries.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-run-queries.md @@ -38,13 +38,13 @@ codeql database run-queries [--threads=] [--ram=] ... -- ` 
@@ -182,7 +182,7 @@ be discarded after the queries have been executed. #### `--[no-]keep-full-cache` \[Advanced] Don't clean up the disk cache after evaluation completes. -This may save time if you're going to do [codeql dataset cleanup](/code-security/codeql-cli/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/codeql-cli/codeql-cli-manual/database-cleanup) afterwards anyway. +This may save time if you're going to do [codeql dataset cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-cleanup) afterwards anyway. #### `--max-disk-cache=` diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-trace-command.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-trace-command.md index 61fabf5eb568..65fe26e6f8ba 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-trace-command.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-trace-command.md @@ -46,7 +46,7 @@ database. #### `` \[Mandatory] Path to the CodeQL database under construction. This must -have been prepared for extraction with [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init). +have been prepared for extraction with [codeql database init](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init). If the `--db-cluster` option is given, this is not a database itself, but a directory that _contains_ databases, and all of those databases 
@@ -114,7 +114,7 @@ cannot be used in conjunction with `--index-traceless-dbs`. \[Advanced] The directory in which the specified command should be executed. If this argument is not provided, the command is executed in -the value of `--source-root` passed to [codeql database create](/code-security/codeql-cli/codeql-cli-manual/database-create), if one exists. If no `--source-root` argument is provided, the command is executed in the +the value of `--source-root` passed to [codeql database create](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-create), if one exists. If no `--source-root` argument is provided, the command is executed in the current working directory. #### `--no-run-unnecessary-builds` @@ -145,7 +145,7 @@ will use all the values provided, in order. Extractor options specified using this command-line option are processed after extractor options given via `--extractor-options-file`. -When passed to [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be +When passed to [codeql database init](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be applied to the indirect tracing environment. If your workflow also makes calls to codeql database trace-command then the options also need to be passed there if desired. 
@@ -171,7 +171,7 @@ will use all the values provided, in order. Extractor options specified using this command-line option are processed before extractor options given via `--extractor-option`. -When passed to [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be +When passed to [codeql database init](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be applied to the indirect tracing environment. If your workflow also makes calls to codeql database trace-command then the options also need to be passed there if desired. diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-unbundle.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-unbundle.md index 9e3eae4ace5d..b7dbbb59f763 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-unbundle.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-unbundle.md @@ -35,7 +35,7 @@ codeql database unbundle ... -- Extracts a CodeQL database archive. -This command extracts a CodeQL database archive created by [codeql database bundle](/code-security/codeql-cli/codeql-cli-manual/database-bundle). It is similar to using unzip to extract the database, but performs better in certain scenarios (for instance, unzip is very slow on Windows) and supports additional options such as setting the name of the database extracted. +This command extracts a CodeQL database archive created by [codeql database bundle](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-bundle). It is similar to using unzip to extract the database, but performs better in certain scenarios (for instance, unzip is very slow on Windows) and supports additional options such as setting the name of the database extracted. ## Options 
diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-upgrade.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-upgrade.md index e42c4e6b37e1..ec2b730963e7 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-upgrade.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-upgrade.md @@ -118,7 +118,7 @@ timed parts are "RA layers" of the optimized query, but that might change in the future. If no timeout is specified, or is given as 0, no timeout will be set -(except for [codeql test run](/code-security/codeql-cli/codeql-cli-manual/test-run), where the default timeout is 5 minutes). +(except for [codeql test run](/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-run), where the default timeout is 5 minutes). #### `-j, --threads=` @@ -141,7 +141,7 @@ be discarded after the queries have been executed. #### `--[no-]keep-full-cache` \[Advanced] Don't clean up the disk cache after evaluation completes. -This may save time if you're going to do [codeql dataset cleanup](/code-security/codeql-cli/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/codeql-cli/codeql-cli-manual/database-cleanup) afterwards anyway. +This may save time if you're going to do [codeql dataset cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-cleanup) afterwards anyway. #### `--max-disk-cache=` diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-upgrade.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-upgrade.md index c65b3e470e7c..48a5fce5714a 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-upgrade.md 
+++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-upgrade.md @@ -36,7 +36,7 @@ codeql dataset upgrade [--threads=] [--ram=] ... -- \[Plumbing] Upgrade a dataset so it is usable by the current tools. This does the same as -[codeql database upgrade](/code-security/codeql-cli/codeql-cli-manual/database-upgrade) but works on a raw dataset rather than an entire database. +[codeql database upgrade](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-upgrade) but works on a raw dataset rather than an entire database. ## Options @@ -114,7 +114,7 @@ timed parts are "RA layers" of the optimized query, but that might change in the future. If no timeout is specified, or is given as 0, no timeout will be set -(except for [codeql test run](/code-security/codeql-cli/codeql-cli-manual/test-run), where the default timeout is 5 minutes). +(except for [codeql test run](/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-run), where the default timeout is 5 minutes). #### `-j, --threads=` @@ -137,7 +137,7 @@ be discarded after the queries have been executed. #### `--[no-]keep-full-cache` \[Advanced] Don't clean up the disk cache after evaluation completes. -This may save time if you're going to do [codeql dataset cleanup](/code-security/codeql-cli/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/codeql-cli/codeql-cli-manual/database-cleanup) afterwards anyway. +This may save time if you're going to do [codeql dataset cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-cleanup) afterwards anyway. #### `--max-disk-cache=` 
diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/execute-language-server.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/execute-language-server.md index b08383402a0a..879e1949eae8 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/execute-language-server.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/execute-language-server.md @@ -50,7 +50,7 @@ and output streams. #### `--search-path=[:...]` -This works like the similar option to [codeql query compile](/code-security/codeql-cli/codeql-cli-manual/query-compile) (q.v.). +This works like the similar option to [codeql query compile](/code-security/reference/code-scanning/codeql/codeql-cli-manual/query-compile) (q.v.). There are no `--additional-packs` or `--library-path` options, as the corresponding values are provided online by the IDE extension through diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/execute-queries.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/execute-queries.md index de2d5dfc1f46..1d88f51f9aaf 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/execute-queries.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/execute-queries.md 
@@ -36,7 +36,7 @@ codeql execute queries [--output=] [--threads=] ... \[Plumbing] Run one or more queries against a dataset. This command should not normally be invoked directly. Instead use either -[codeql database run-queries](/code-security/codeql-cli/codeql-cli-manual/database-run-queries) or [codeql query run](/code-security/codeql-cli/codeql-cli-manual/query-run), which will start codeql execute queries with specific JVM options to tune the performance of the QL evaluator. +[codeql database run-queries](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-run-queries) or [codeql query run](/code-security/reference/code-scanning/codeql/codeql-cli-manual/query-run), which will start codeql execute queries with specific JVM options to tune the performance of the QL evaluator. ## Options @@ -142,7 +142,7 @@ timed parts are "RA layers" of the optimized query, but that might change in the future. If no timeout is specified, or is given as 0, no timeout will be set -(except for [codeql test run](/code-security/codeql-cli/codeql-cli-manual/test-run), where the default timeout is 5 minutes). +(except for [codeql test run](/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-run), where the default timeout is 5 minutes). #### `-j, --threads=` 
@@ -165,7 +165,7 @@ be discarded after the queries have been executed. #### `--[no-]keep-full-cache` \[Advanced] Don't clean up the disk cache after evaluation completes. -This may save time if you're going to do [codeql dataset cleanup](/code-security/codeql-cli/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/codeql-cli/codeql-cli-manual/database-cleanup) afterwards anyway. +This may save time if you're going to do [codeql dataset cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-cleanup) afterwards anyway. #### `--max-disk-cache=` diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/execute-query-server2.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/execute-query-server2.md index 7c1e7e74de7f..afce60dc7f19 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/execute-query-server2.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/execute-query-server2.md @@ -67,7 +67,7 @@ timed parts are "RA layers" of the optimized query, but that might change in the future. If no timeout is specified, or is given as 0, no timeout will be set -(except for [codeql test run](/code-security/codeql-cli/codeql-cli-manual/test-run), where the default timeout is 5 minutes). +(except for [codeql test run](/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-run), where the default timeout is 5 minutes). #### `-j, --threads=` 
@@ -90,7 +90,7 @@ be discarded after the queries have been executed. #### `--[no-]keep-full-cache` \[Advanced] Don't clean up the disk cache after evaluation completes. -This may save time if you're going to do [codeql dataset cleanup](/code-security/codeql-cli/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/codeql-cli/codeql-cli-manual/database-cleanup) afterwards anyway. +This may save time if you're going to do [codeql dataset cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-cleanup) afterwards anyway. #### `--max-disk-cache=` @@ -147,7 +147,7 @@ terminal than stderr. Mostly useful for internal testing. #### `--search-path=[:...]` -This works like the similar option to [codeql query compile](/code-security/codeql-cli/codeql-cli-manual/query-compile) (q.v.). +This works like the similar option to [codeql query compile](/code-security/reference/code-scanning/codeql/codeql-cli-manual/query-compile) (q.v.). There are no `--additional-packs` or `--library-path` options, as the corresponding values are provided per query diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/execute-upgrades.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/execute-upgrades.md index ca818bd1ad94..266d009c4c6c 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/execute-upgrades.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/execute-upgrades.md 
@@ -117,7 +117,7 @@ timed parts are "RA layers" of the optimized query, but that might change in the future. If no timeout is specified, or is given as 0, no timeout will be set -(except for [codeql test run](/code-security/codeql-cli/codeql-cli-manual/test-run), where the default timeout is 5 minutes). +(except for [codeql test run](/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-run), where the default timeout is 5 minutes). #### `-j, --threads=` @@ -140,7 +140,7 @@ be discarded after the queries have been executed. #### `--[no-]keep-full-cache` \[Advanced] Don't clean up the disk cache after evaluation completes. -This may save time if you're going to do [codeql dataset cleanup](/code-security/codeql-cli/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/codeql-cli/codeql-cli-manual/database-cleanup) afterwards anyway. +This may save time if you're going to do [codeql dataset cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-cleanup) afterwards anyway. #### `--max-disk-cache=` diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/generate-overlay-changes.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/generate-overlay-changes.md index 5872b1ce823e..220ff7c9a3bd 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/generate-overlay-changes.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/generate-overlay-changes.md 
@@ -31,7 +31,7 @@ codeql generate overlay-changes [--source-root=] [--output=] --output= ... #### `-s, --sarif=` \[Mandatory] Path to the SARIF files to use. This should be the output -of [codeql database analyze](/code-security/codeql-cli/codeql-cli-manual/database-analyze) (or [codeql database interpret-results](/code-security/codeql-cli/codeql-cli-manual/database-interpret-results)) with `--format sarif-latest` for upload to github.com or +of [codeql database analyze](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze) (or [codeql database interpret-results](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-interpret-results)) with `--format sarif-latest` for upload to github.com or the appropriate supported format tag for GitHub Enterprise Server instances (see [AUTOTITLE](/enterprise-server@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning) for SARIF versions supported by your release). diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/github-upload-results.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/github-upload-results.md index 932290c2a6b8..935b4d4d5a66 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/github-upload-results.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/github-upload-results.md 
@@ -51,7 +51,7 @@ This token must have the `security_events` scope. #### `-s, --sarif=` \[Mandatory] Path to the SARIF files to use. This should be the output -of [codeql database analyze](/code-security/codeql-cli/codeql-cli-manual/database-analyze) (or [codeql database interpret-results](/code-security/codeql-cli/codeql-cli-manual/database-interpret-results)) with `--format sarif-latest` for upload to github.com or +of [codeql database analyze](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze) (or [codeql database interpret-results](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-interpret-results)) with `--format sarif-latest` for upload to github.com or the appropriate supported format tag for GitHub Enterprise Server instances (see [AUTOTITLE](/enterprise-server@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning) for SARIF versions supported by your release). diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/query-compile.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/query-compile.md index e42f6d1a9911..dc35ac7fe64f 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/query-compile.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/query-compile.md 
@@ -66,7 +66,7 @@ compilation. the `.ql` source. This is only supposed to be used while preparing a query pack for -distribution (in which case it is used automatically by [codeql pack publish](/code-security/codeql-cli/codeql-cli-manual/pack-publish)). Once the `.qlx` files exist, later commands that execute queries may ignore +distribution (in which case it is used automatically by [codeql pack publish](/code-security/reference/code-scanning/codeql/codeql-cli-manual/pack-publish)). Once the `.qlx` files exist, later commands that execute queries may ignore changes to the QL source in favor of the precompiled version. Some rarely used compilation options are incompatible with this and will diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/query-run.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/query-run.md index 905d44d982ba..2c7f1b337002 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/query-run.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/query-run.md 
@@ -43,12 +43,12 @@ a human-friendly rendering. If you want to do further processing of the results, we strongly recommend using the `--output` option to write the results to a file in an intermediate binary format, which can then be unpacked into various more machine-friendly representations by -[codeql bqrs decode](/code-security/codeql-cli/codeql-cli-manual/bqrs-decode). +[codeql bqrs decode](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-decode). If your query produces results in a form that can be interpreted as -source-code alerts, you may find [codeql database analyze](/code-security/codeql-cli/codeql-cli-manual/database-analyze) a more convenient way to run it. In particular, [codeql database analyze](/code-security/codeql-cli/codeql-cli-manual/database-analyze) can produce output in the SARIF format, which can be used with an variety of alert viewers. +source-code alerts, you may find [codeql database analyze](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze) a more convenient way to run it. In particular, [codeql database analyze](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze) can produce output in the SARIF format, which can be used with an variety of alert viewers. -To run multiple queries in parallel, see [codeql database run-queries](/code-security/codeql-cli/codeql-cli-manual/database-run-queries). +To run multiple queries in parallel, see [codeql database run-queries](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-run-queries). ## Options 
@@ -97,7 +97,7 @@ timed parts are "RA layers" of the optimized query, but that might change in the future. If no timeout is specified, or is given as 0, no timeout will be set -(except for [codeql test run](/code-security/codeql-cli/codeql-cli-manual/test-run), where the default timeout is 5 minutes). +(except for [codeql test run](/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-run), where the default timeout is 5 minutes). #### `-j, --threads=` @@ -120,7 +120,7 @@ be discarded after the queries have been executed. #### `--[no-]keep-full-cache` \[Advanced] Don't clean up the disk cache after evaluation completes. -This may save time if you're going to do [codeql dataset cleanup](/code-security/codeql-cli/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/codeql-cli/codeql-cli-manual/database-cleanup) afterwards anyway. +This may save time if you're going to do [codeql dataset cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-cleanup) afterwards anyway. #### `--max-disk-cache=` diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks.md index e046ac97be47..38918d5ef78f 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks.md 
@@ -35,7 +35,7 @@ codeql resolve qlpacks ... \[Deprecated] Create a list of installed QL packs and their locations. -This command is deprecated. Use the [codeql resolve packs](/code-security/codeql-cli/codeql-cli-manual/resolve-packs) command instead. +This command is deprecated. Use the [codeql resolve packs](/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-packs) command instead. This command creates a list of QL packs that can be resolved given the configured (or given) search path. diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-accept.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-accept.md index a80242d5fd57..d71858977b7f 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-accept.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-accept.md @@ -36,7 +36,7 @@ codeql test accept ... -- ... Accept results of failing unit tests. This is a convenience command that renames the `.actual` files left by -[codeql test run](/code-security/codeql-cli/codeql-cli-manual/test-run) for failing tests into `.expected`, such that future runs on the tests that give the +[codeql test run](/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-run) for failing tests into `.expected`, such that future runs on the tests that give the same output will be considered to pass. What it does can also be achieved by ordinary file manipulation, but you may find its syntax more useful for this special case. diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-extract.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-extract.md index f79c9dc82f11..94d867658989 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-extract.md 
+++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-extract.md @@ -123,7 +123,7 @@ takes up a lot of space in the dataset. #### `--[no-]linkage-aware-import` -\[Advanced] Controls whether [codeql dataset import](/code-security/codeql-cli/codeql-cli-manual/dataset-import) is linkage-aware _(default)_ or not. On projects where this part of database creation +\[Advanced] Controls whether [codeql dataset import](/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-import) is linkage-aware _(default)_ or not. On projects where this part of database creation consumes too much memory, disabling this option may help them progress at the expense of database completeness. diff --git a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-run.md b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-run.md index c0bf71d66cde..70bd433b4726 100644 --- a/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-run.md +++ b/content/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-run.md @@ -100,7 +100,7 @@ useful for testing extractors. #### `--[no-]check-databases` \[Advanced] Run -[codeql dataset check](/code-security/codeql-cli/codeql-cli-manual/dataset-check) over each test database created and report a failure if it detects inconsistencies. This is useful when testing extractors. If the check is (temporarily!) expected to fail for a particular database, place a `DB-CHECK.expected` file in the test directory. +[codeql dataset check](/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-check) over each test database created and report a failure if it detects inconsistencies. This is useful when testing extractors. If the check is (temporarily!) expected to fail for a particular database, place a `DB-CHECK.expected` file in the test directory. #### `--[no-]show-extractor-output` 
@@ -341,7 +341,7 @@ takes up a lot of space in the dataset. #### `--[no-]linkage-aware-import` -\[Advanced] Controls whether [codeql dataset import](/code-security/codeql-cli/codeql-cli-manual/dataset-import) is linkage-aware _(default)_ or not. On projects where this part of database creation +\[Advanced] Controls whether [codeql dataset import](/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-import) is linkage-aware _(default)_ or not. On projects where this part of database creation consumes too much memory, disabling this option may help them progress at the expense of database completeness. From 2b83aa68b30d904558b5fde261cc515d97a686c5 Mon Sep 17 00:00:00 2001 From: docs-bot <77750099+docs-bot@users.noreply.github.com> Date: Mon, 26 Jan 2026 04:23:05 -0800 Subject: [PATCH 2/3] Update CodeQL query tables (#59205) Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- data/reusables/code-quality/codeql-query-tables/csharp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/reusables/code-quality/codeql-query-tables/csharp.md b/data/reusables/code-quality/codeql-query-tables/csharp.md index 7747570114e6..eba44234ce4d 100644 --- a/data/reusables/code-quality/codeql-query-tables/csharp.md +++ b/data/reusables/code-quality/codeql-query-tables/csharp.md 
@@ -28,9 +28,9 @@ | [Useless assignment to local variable](https://codeql.github.com/codeql-query-help/csharp/cs-useless-assignment-to-local/) | Maintainability | Warning | | [Useless call to GetHashCode()](https://codeql.github.com/codeql-query-help/csharp/cs-useless-gethashcode-call/) | Maintainability | Recommendation | | [A lock is held during a wait](https://codeql.github.com/codeql-query-help/csharp/cs-locked-wait/) | Reliability | Warning | +| [Call to 'System.IO.Path.Combine' may silently drop its earlier arguments](https://codeql.github.com/codeql-query-help/csharp/cs-path-combine/) | Reliability | Recommendation | | [Call to GC.Collect()](https://codeql.github.com/codeql-query-help/csharp/cs-call-to-gc/) | Reliability | Warning | | [Call to ReferenceEquals(...) on value type expressions](https://codeql.github.com/codeql-query-help/csharp/cs-reference-equality-on-valuetypes/) | Reliability | Error | -| [Call to System.IO.Path.Combine](https://codeql.github.com/codeql-query-help/csharp/cs-path-combine/) | Reliability | Recommendation | | [Calls to unmanaged code](https://codeql.github.com/codeql-query-help/csharp/cs-call-to-unmanaged-code/) | Reliability | Recommendation | | [Cast of 'this' to a type parameter](https://codeql.github.com/codeql-query-help/csharp/cs-cast-of-this-to-type-parameter/) | Reliability | Recommendation | | [Character passed to StringBuilder constructor](https://codeql.github.com/codeql-query-help/csharp/cs-stringbuilder-initialized-with-character/) | Reliability | Error | From 0be0c6d98fead1b4a5932734b7c16d418692f7ad Mon Sep 17 00:00:00 2001 
From: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> Date: Mon, 26 Jan 2026 15:04:46 +0000 Subject: [PATCH 3/3] [EDI] Using code scanning with your existing CI system (#59307) Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../concepts/code-scanning/setup-types.md | 23 +++++++++++++------ ...e-scanning-with-your-existing-ci-system.md | 8 ------- 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/content/code-security/concepts/code-scanning/setup-types.md b/content/code-security/concepts/code-scanning/setup-types.md index 8933b15ed48c..e7eb4d88966b 100644 --- a/content/code-security/concepts/code-scanning/setup-types.md +++ b/content/code-security/concepts/code-scanning/setup-types.md @@ -1,7 +1,7 @@ --- title: About setup types for code scanning shortTitle: Setup types -intro: Depending on your needs, {% data variables.product.github %} offers a default or advanced setup for code scanning. +intro: Depending on your needs, {% data variables.product.github %} offers a default or advanced setup for {% data variables.product.prodname_code_scanning %}. topics: - Code Security - Code scanning 
@@ -14,7 +14,7 @@ contentType: concepts ## About default setup -Default setup for {% data variables.product.prodname_code_scanning %} is the quickest, easiest, most low-maintenance way to enable {% data variables.product.prodname_code_scanning %} for your repository. Based on the code in your repository, default setup will automatically create a custom {% data variables.product.prodname_code_scanning %} configuration. After enabling default setup, the code written in {% data variables.product.prodname_codeql %}-supported languages in your repository will be scanned: +Default setup for {% data variables.product.prodname_code_scanning %} is the quickest, easiest, most low-maintenance way to enable {% data variables.product.prodname_code_scanning %} for your repository. Based on the code in your repository, default setup will automatically create a custom {% data variables.product.prodname_code_scanning %} configuration. After enabling default setup, the code written in {% data variables.product.prodname_codeql %}-supported languages in your repository will be scanned using {% data variables.product.prodname_codeql %}: * On each push to the repository's default branch, or any protected branch. For more information on protected branches, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches). * When creating or committing to a pull request based against the repository's default branch, or any protected branch, excluding pull requests from forks. 
@@ -46,16 +46,25 @@ Unless you have a specific use case, we recommend that you only assign runners w ## About advanced setup -Advanced setup for {% data variables.product.prodname_code_scanning %} is helpful when you need to customize your {% data variables.product.prodname_code_scanning %}. By creating and editing a workflow file, you can define how to build compiled languages, choose which queries to run, select the languages to scan, use a matrix build, and more. You also have access to all the options for controlling workflows, for example: changing the scan schedule, defining workflow triggers, specifying specialist runners to use. +Advanced setup for {% data variables.product.prodname_code_scanning %} is helpful when you need to customize your {% data variables.product.prodname_code_scanning %}. You can set up {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_actions %} or an external continuous integration or continuous delivery/deployment (CI/CD) system. -{% ifversion fpt or ghec %} -You can also configure {% data variables.product.prodname_code_scanning %} with third-party tools. +{% data reusables.code-scanning.about-multiple-configurations-link %} + +### With {% data variables.product.prodname_actions %} -{% else %} +By creating and editing a {% data variables.product.prodname_actions %} workflow file, you can define how to build compiled languages, choose which queries to run, select the languages to scan, use a matrix build, and more. You also have access to all the options for controlling workflows, for example: changing the scan schedule, defining workflow triggers, specifying specialist runners to use. + +{% ifversion ghes %} Your site administrator can also make third-party actions available to users for {% data variables.product.prodname_code_scanning %}, by setting up {% data variables.product.prodname_github_connect %}. 
For more information, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#configuring-github-connect-to-sync-github-actions). {% endif %} -{% data reusables.code-scanning.about-multiple-configurations-link %} +### With a third-party CI/CD system + +As an alternative to running {% data variables.product.prodname_code_scanning %} within {% data variables.product.github %} using {% data variables.product.prodname_actions %}, you can analyze code in an external CI/CD system, then upload the results to {% data variables.product.github %}. + +The {% data variables.product.prodname_codeql_cli %} is a standalone, command-line tool that you can use to analyze code. You can add the {% data variables.product.prodname_codeql_cli %} to your third-party system, or use another third-party static analysis tool that can produce results as Static Analysis Results Interchange Format (SARIF) 2.1.0 data. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli) and [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning). + +Alerts for {% data variables.product.prodname_code_scanning %} that you generate externally are displayed in the same way as those for {% data variables.product.prodname_code_scanning %} that you generate within {% data variables.product.github %}. ## Next steps diff --git a/content/code-security/how-tos/scan-code-for-vulnerabilities/integrate-with-existing-tools/using-code-scanning-with-your-existing-ci-system.md b/content/code-security/how-tos/scan-code-for-vulnerabilities/integrate-with-existing-tools/using-code-scanning-with-your-existing-ci-system.md index 14e1da0772e9..55cfbf228436 100644 --- a/content/code-security/how-tos/scan-code-for-vulnerabilities/integrate-with-existing-tools/using-code-scanning-with-your-existing-ci-system.md 
+++ b/content/code-security/how-tos/scan-code-for-vulnerabilities/integrate-with-existing-tools/using-code-scanning-with-your-existing-ci-system.md @@ -27,16 +27,8 @@ contentType: how-tos {% data reusables.code-scanning.enterprise-enable-code-scanning %} -## About using {% data variables.product.prodname_code_scanning %} with your existing CI system - As an alternative to running {% data variables.product.prodname_code_scanning %} within {% data variables.product.github %} using {% data variables.product.prodname_actions %}, you can analyze code in an external continuous integration or continuous delivery/deployment (CI/CD) system, then upload the results to {% data variables.product.github %}. -You can add the {% data variables.product.prodname_codeql_cli %} to your third-party system, or use another third-party static analysis tool that can produce results as Static Analysis Results Interchange Format (SARIF) 2.1.0 data. For more information about the supported SARIF format, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning). - -The {% data variables.product.prodname_codeql_cli %} is a standalone, command-line tool that you can use to analyze code. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli). - -Alerts for {% data variables.product.prodname_code_scanning %} that you generate externally are displayed in the same way as those for {% data variables.product.prodname_code_scanning %} that you generate within {% data variables.product.github %}. {% data reusables.code-scanning.about-multiple-configurations-link %} - {% data reusables.code-scanning.upload-sarif-ghas %} ## Setting up your analysis tool
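Review bot: In the `@@ -14,7 +14,7 @@` hunk of `setup-types.md`, the added sentence now names {% data variables.product.prodname_codeql %} twice in one clause ("written in {% data variables.product.prodname_codeql %}-supported languages ... will be scanned using {% data variables.product.prodname_codeql %}:"), which reads as redundant. Consider keeping only one mention, for example "the code written in supported languages in your repository will be scanned using {% data variables.product.prodname_codeql %}:", so the sentence still states which engine runs without repeating it.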
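Review bot: In the `@@ -46,16 +46,25 @@` hunk of `setup-types.md`, replacing the `{% else %}` branch of `{% ifversion fpt or ghec %}` with `{% ifversion ghes %}` narrows the {% data variables.product.prodname_github_connect %} paragraph from "every version that is not fpt or ghec" to ghes only; please confirm no other versioned build relied on the old `{% else %}` branch. Separately, the new intro sentence says "an external continuous integration or continuous delivery/deployment (CI/CD) system" while the new heading says "With a third-party CI/CD system"; pick one of "external" or "third-party" so readers do not take them for two different options.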
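Review bot: In the `@@ -27,16 +27,8 @@` hunk of `using-code-scanning-with-your-existing-ci-system.md`, the removed paragraphs carried the only visible statement that externally produced results must be SARIF 2.1.0, along with the links to the SARIF support and {% data variables.product.prodname_codeql_cli %} articles, and nothing in the remaining context lines points to where that text moved. Since someone wiring a third-party scanner into CI will start from this how-to, add a short pointer to the concepts article (`setup-types.md`, "With a third-party CI/CD system") or keep a one-line SARIF 2.1.0 requirement here. Also, the lone `-` between `{% data reusables.code-scanning.about-multiple-configurations-link %}` and `{% data reusables.code-scanning.upload-sarif-ghas %}` appears to drop the blank line separating the two reusables; if each is meant to render as its own paragraph or note, keep that blank line.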