CodeQL documentation

github upload-results

Synopsis

codeql github upload-results --sarif=<file> [--github-auth-stdin] [--github-url=<url>] [--repository=<repository-name>] [--ref=<ref>] [--commit=<commit>] [--checkout-path=<path>] <options>...

Description

Uploads a SARIF file to GitHub code scanning.

See: https://docs.github.com/en/code-security/secure-coding/running-codeql-cli-in-your-ci-system#uploading-results-to-github

A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set.

This token must have the security_events scope.

Options

-s, --sarif=<file>

[Mandatory] Path to the SARIF file to upload. This should be the output of codeql database analyze (or codeql database interpret-results) with --format sarif-latest for upload to github.com or GitHub AE, or the appropriate supported format tag for GitHub Enterprise Server instances (see https://docs.github.com/ for the right value for your release).

-r, --repository=<repository-name>

GitHub repository owner and name (e.g., github/octocat) to use as an endpoint for uploading. The CLI will atempt to autodetect this from the checkout path if it is omitted.

-f, --ref=<ref>

Name of the ref that was analyzed. If this ref is a pull request merge commit, then use refs/pulls/1234/merge or refs/pulls/1234/head (depending on whether or not this commit corresponds to the HEAD or MERGE commit of the PR). Otherwise, this should be a branch: refs/heads/branch-name. If omitted, the CLI will attempt to automatically populate this from the current branch of the checkout path, if this exists.

-c, --commit=<commit>

SHA of commit that was analyzed. If this is omitted the CLI will attempt to autodetect this from the checkout path.

-p, --checkout-path=<path>

Checkout path. Default is the current working directory.

Options to configure where to upload SARIF files.

-a, --github-auth-stdin

Accept a GitHub Apps token or personal access token via standard input.

This overrides the GITHUB_TOKEN environment variable.

-g, --github-url=<url>

URL of the GitHub instance to use. If omitted, the CLI will attempt to autodetect this from the checkout path and if this is not possible default to https://github.com/

Common options

-h, --help

Show this help text.

-J=<opt>

[Advanced] Give option to the JVM running the command.

(Beware that options containing spaces will not be handled correctly.)

-v, --verbose

Incrementally increase the number of progress messages printed.

-q, --quiet

Incrementally decrease the number of progress messages printed.

--verbosity=<level>

[Advanced] Explicitly set the verbosity level to one of errors, warnings, progress, progress+, progress++, progress+++. Overrides -v and -q.

--logdir=<dir>

[Advanced] Write detailed logs to one or more files in the given directory, with generated names that include timestamps and the name of the running subcommand.

(To write a log file with a name you have full control over, instead give --log-to-stderr and redirect stderr as desired.)

  • © GitHub, Inc.
  • Terms
  • Privacy