CodeQL documentation

github upload-results


codeql github upload-results --repository=<repository-name> --ref=<ref> --commit=<commit> --sarif=<file> [--github-auth-stdin] [--checkout-path=<path>] [--github-url=<url>] <options>...


Uploads a SARIF file to GitHub code scanning.


A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set.

This token must have the security_events scope.


-r, --repository=<repository-name>

[Mandatory] GitHub repository owner and name (e.g., github/octocat) to use as an endpoint for uploading.

-f, --ref=<ref>

[Mandatory] Name of the ref that was analyzed. If this ref is a pull request merge commit, then use refs/pulls/1234/merge or refs/pulls/1234/head (depending on whether or not this commit corresponds to the HEAD or MERGE commit of the PR). Otherwise, this should be a branch: refs/heads/branch-name

-c, --commit=<commit>

[Mandatory] SHA of commit that was analyzed.

-s, --sarif=<file>

[Mandatory] Path to the SARIF file to upload.

-a, --github-auth-stdin

Accept a GitHub Apps token or personal access token via standard input.

This overrides the GITHUB_TOKEN environment variable.

-p, --checkout-path=<path>

Checkout path. Default is the current working directory.

-g, --github-url=<url>

URL of the GitHub instance to upload to. (Default is

Common options

-h, --help

Show this help text.


[Advanced] Give option to the JVM running the command.

(Beware that options containing spaces will not be handled correctly.)

-v, --verbose

Incrementally increase the number of progress messages printed.

-q, --quiet

Incrementally decrease the number of progress messages printed.


[Advanced] Explicitly set the verbosity level to one of errors, warnings, progress, progress+, progress++, progress+++. Overrides -v and -q.


[Advanced] Write detailed logs to one or more files in the given directory, with generated names that include timestamps and the name of the running subcommand.

(To write a log file with a name you have full control over, instead give --log-to-stderr and redirect stderr as desired.)