### Example of showing help information

Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks

This example displays the help text for the `codeql resolve qlpacks` command, detailing all available options.

```shell
codeql resolve qlpacks --help
```

--------------------------------

### Enable dependency caching for CodeQL

Source: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages

This example shows how to enable dependency caching for the CodeQL action in an advanced setup workflow.

```yaml
# Initializes CodeQL with dependency caching enabled
- name: Initialize CodeQL
  uses: github/codeql-action/init@v4
  with:
    languages: java
    dependency-caching: true
```

--------------------------------

### Create ARC Setup Directory and Script

Source: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/setting-dependabot-to-run-on-self-hosted-runners-using-arc

Creates a directory for ARC setup and an executable shell script to install ARC.

```bash
mkdir ARC
touch helm_install_arc.sh
chmod 755 helm_install_arc.sh
```

--------------------------------

### Example qlpack.yml Dependencies

Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli/codeql-query-packs

This example shows the `dependencies` section in a `qlpack.yml` file, defining version ranges for direct dependencies.

```yaml
dependencies:
  codeql/cpp-all: ^0.1.2
  my-user/my-lib: ^0.2.3
  other-dependency/from-source: "*"
```

--------------------------------

### Example of using --search-path

Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks

This example demonstrates how to use the `--search-path` option to specify directories where QL packs can be found. The order of directories defines precedence.

```shell
codeql resolve qlpacks --search-path=~/my-qlpacks
```

--------------------------------

### Example of specifying QL pack kind

Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks

This example demonstrates how to filter the results to only include query packs using the `--kind` option.

```shell
codeql resolve qlpacks --kind=query
```

--------------------------------

### Install CodeQL Pack Dependencies with Search Path

Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/pack-install

Installs dependencies, searching for QL packs in the specified directories. The order of directories defines precedence.

```shell
codeql pack install --search-path=[:...]
```

--------------------------------

### Example of passing advanced JVM options

Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks

This example shows how to pass advanced options directly to the Java Virtual Machine running the CodeQL CLI command.

```shell
codeql resolve qlpacks -J=-Xmx2048m
```

--------------------------------

### Example of JSON output format

Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks

This example shows how to request the output in JSON format using the `--format` option. This can report multiple locations for a pack name if there are conflicting locations.

```shell
codeql resolve qlpacks --format=json
```

--------------------------------

### CodeQL Pack Lock File Example

Source: https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/about-codeql-workspaces

An example `codeql-pack.lock.yml` file generated after running `codeql pack install` within a workspace. It shows resolved external dependencies but omits workspace-provided source dependencies.

```yaml
dependencies:
  codeql/cpp-all:
    version: 0.2.2
```

--------------------------------

### Download and Analyze CodeQL Packs

Source: https://docs.github.com/en/code-security/codeql-cli/codeql-cli-reference/about-codeql-packs

This example demonstrates downloading the latest version of one pack and a specific compatible version of another pack, then running default queries from the first and a specific query from the second. It uses standard input for authentication.

```bash
$ echo $OCTO-ORG_ACCESS_TOKEN | codeql database analyze --download /codeql-dbs/example-repo \
    octo-org/security-queries \
    octo-org/optional-security-queries@~1.0.1:queries/csrf.ql \
    --format=sarif-latest --output=/temp/example-repo-js.sarif
> Download location: /Users/mona/.codeql/packages
> Installed fresh octo-org/security-queries@1.0.0
> Installed fresh octo-org/optional-security-queries@1.0.2
> Running queries.
> Compiling query plan for /Users/mona/.codeql/packages/octo-org/security-queries/1.0.0/potential-sql-injection.ql.
> [1/2] Found in cache: /Users/mona/.codeql/packages/octo-org/security-queries/1.0.0/potential-sql-injection.ql.
> Starting evaluation of octo-org/security-queries/query1.ql.
> Compiling query plan for /Users/mona/.codeql/packages/octo-org/optional-security-queries/1.0.2/queries/csrf.ql.
> [2/2] Found in cache: /Users/mona/.codeql/packages/octo-org/optional-security-queries/1.0.2/queries/csrf.ql.
> Starting evaluation of octo-org/optional-security-queries/queries/csrf.ql.
> [2/2 eval 694ms] Evaluation done; writing results to octo-org/security-queries/query1.bqrs.
> Shutting down query evaluator.
> Interpreting results.
```

--------------------------------

### Yarn Berry Private Registry Configuration in yarn.lock

Source: https://docs.github.com/en/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries

Example of a `yarn.lock` entry showing a private registry URL. Ensure this is present after running `yarn install` with private registry access.

```yaml
encoding@^0.1.11:
  version "0.1.13"
  resolved "https://private_registry_url/encoding/-/encoding-0.1.13.tgz#56574afdd791f54a8e9b2785c0582a2d26210fa9"
  integrity sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A==
  dependencies:
    iconv-lite "^0.6.2"
```

--------------------------------

### Create CodeQL Databases and Analyze Code

Source: https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli

This example demonstrates the sequence of commands to create CodeQL databases for multiple languages, analyze them, and upload the results to GitHub. It assumes a build script named 'myBuildScript' is available.

```bash
codeql database create codeql-dbs --source-root=src \
    --db-cluster --language=java,python --command=./myBuildScript

# Analyze the CodeQL database for Java, 'codeql-dbs/java'
```

--------------------------------

### Example CI Configuration for CodeQL Analysis

Source: https://docs.github.com/en/code-security/concepts/code-scanning/codeql/about-the-codeql-cli

This example demonstrates the complete sequence of CodeQL CLI commands for analyzing a codebase with Java and Python, and then uploading the results to GitHub. It covers database creation, analysis for each language, and uploading the generated SARIF files.

```shell
# Create CodeQL databases for Java and Python in the 'codeql-dbs' directory
# Call the normal build script for the codebase: 'myBuildScript'
codeql database create codeql-dbs --source-root=src \
    --db-cluster --language=java,python --command=./myBuildScript

# Analyze the CodeQL database for Java, 'codeql-dbs/java'
# Tag the data as 'java' results and store in: 'java-results.sarif'
codeql database analyze codeql-dbs/java java-code-scanning.qls \
    --format=sarif-latest --sarif-category=java --output=java-results.sarif

# Analyze the CodeQL database for Python, 'codeql-dbs/python'
# Tag the data as 'python' results and store in: 'python-results.sarif'
codeql database analyze codeql-dbs/python python-code-scanning.qls \
    --format=sarif-latest --sarif-category=python --output=python-results.sarif

# Upload the SARIF file with the Java results: 'java-results.sarif'
# The GitHub App or personal access token created for authentication
# with GitHub's REST API is available in the `GITHUB_TOKEN` environment variable.
codeql github upload-results \
    --repository=my-org/example-repo \
    --ref=refs/heads/main --commit=deb275d2d5fe9a522a0b7bd8b6b6a1c939552718 \
    --sarif=java-results.sarif

# Upload the SARIF file with the Python results: 'python-results.sarif'
codeql github upload-results \
    --repository=my-org/example-repo \
    --ref=refs/heads/main --commit=deb275d2d5fe9a522a0b7bd8b6b6a1c939552718 \
    --sarif=python-results.sarif
```

--------------------------------

### Specify Manifest Directories with Globbing

Source: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated

Use glob patterns within the `directories` key to specify manifest file locations. This example targets the root directory and any directories starting with `lib-` for Composer dependencies.

```yaml
version: 2
updates:
  - package-ecosystem: "composer"
    directories:
      - "/"
      - "/lib-*"
    schedule:
      interval: "weekly"
```

--------------------------------

### Example of using --additional-packs

Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks

This example shows how to use the `--additional-packs` option to specify directories that should be searched for packs before the ones in `--search-path`. This is useful for temporarily developing new versions of packs.

```shell
codeql resolve qlpacks --additional-packs=~/my-dev-qlpacks
```

--------------------------------

### Install CodeQL Pack Dependencies Allowing Pre-release

Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/pack-install

Installs dependencies, including packs with pre-release version qualifiers.

```shell
codeql pack install --allow-prerelease
```

--------------------------------

### Install CodeQL Pack Dependencies with JSON Output

Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/pack-install

Installs dependencies for the CodeQL pack and formats the output as JSON.

```shell
codeql pack install --format=json
```

--------------------------------

### Example custom pattern non-matching

Source: https://docs.github.com/en/code-security/reference/secret-security/custom-patterns

These examples demonstrate strings that would not match the described custom pattern for an internal token.

```shell
a9@AA.!
a@AAAAA
aa9@AA!ee9
aAAAe9
```

--------------------------------

### Show Help for CodeQL Database Bundle

Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-bundle

Display the help text for the `codeql database bundle` command to see all available options and their descriptions.

```shell
codeql database bundle --help
```

--------------------------------

### Example custom pattern matching

Source: https://docs.github.com/en/code-security/reference/secret-security/custom-patterns

These examples demonstrate strings that would match the described custom pattern for an internal token.

```shell
a9@AAfT!         # Secret string match: a9@AAfT
ee95GG@ZA942@aa  # Secret string match: @ZA942@a
a9@AA!ee9        # Secret string match: a9@AA
```

--------------------------------

### Initialize a CodeQL Pack

Source: https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs

Use this command to create the directory structure and configuration files for a new CodeQL pack. Specify your scope and desired pack name.

```bash
codeql pack init /
```

--------------------------------

### Add manual build commands with make

Source: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages

Provides example build commands using 'make' to be used within a 'run' step when manual building is enabled for CodeQL analysis. This allows for custom build processes.

```yaml
- run: |
    make bootstrap
    make release
```

--------------------------------

### Example codeql-pack.lock.yml Dependencies

Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli/codeql-query-packs

This example illustrates the structure of a `codeql-pack.lock.yml` file, which locks specific versions of direct and transitive dependencies.

```yaml
dependencies:
  codeql/cpp-all:
    version: 0.1.4
  my-user/my-lib:
    version: 0.2.4
  my-user/transitive-dependency:
    version: 1.2.4
```

--------------------------------

### Create a Go CodeQL Database with a Custom Build Script

Source: https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis

Create a Go CodeQL database by specifying a custom build script using the `--command` option.

```bash
codeql database create go-database --language=go --command='./scripts/build.sh'
```

--------------------------------

### Install CodeQL Pack Dependencies with Force Option

Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/pack-install

Installs dependencies for the CodeQL pack, allowing overwriting of already existing packs.

```shell
codeql pack install --force
```

--------------------------------

### Install Actions Runner Controller (ARC)

Source: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/setting-dependabot-to-run-on-self-hosted-runners-using-arc

Installs the latest ARC version using Helm, creating a dedicated namespace for its systems.

```bash
NAMESPACE="arc-systems"
helm install arc \
    --namespace "${NAMESPACE}" \
    --create-namespace \
    oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller
```

--------------------------------

### Initialize CodeQL Database with Indirect Tracing

Source: https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis

Use this command to initialize a CodeQL database and begin the indirect build tracing process. Specify the database path and the `--begin-tracing` flag. This command creates scripts to set up the tracing environment.

```bash
codeql database init ... --begin-tracing
```

--------------------------------

### Preview CodeQL Query Help Files as Markdown

Source: https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-query-help-files

Use this command to render query help files as Markdown. This helps in validating their structure and content before publishing.

```shell
codeql generate query-help --format=markdown [--output=]
```

--------------------------------

### Install CodeQL Pack Dependencies with Alternate Lock Output

Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/pack-install

Installs dependencies and specifies an alternate location to save the generated lock file.

```shell
codeql pack install --lock-output=
```

--------------------------------

### Example Query Specifiers

Source: https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs

Demonstrates various ways to specify CodeQL queries or suites from packs, including version ranges and paths.

```text
codeql/python-queries
codeql/python-queries@1.2.3
codeql/python-queries@~1.2.3
codeql/python-queries:Functions
codeql/python-queries@1.2.3:Functions
codeql/python-queries@1.2.3:codeql-suites/python-code-scanning.qls
suites/my-suite.qls
```

--------------------------------

### Example of decreasing verbosity

Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks

This example uses the `-q` or `--quiet` option to decrease the number of progress messages printed during command execution.

```shell
codeql resolve qlpacks -q
```

--------------------------------

### Specifying CodeQL query packs and versions

Source: https://docs.github.com/en/code-security/tutorials/customize-code-scanning/customizing-analysis-with-codeql-packs

Examples of how to reference CodeQL packs, including specific versions and subdirectories or query suite files.

```text
codeql/python-queries
codeql/python-queries@1.2.3
codeql/python-queries@~1.2.3
codeql/python-queries:Functions
codeql/python-queries@1.2.3:Functions
codeql/python-queries@1.2.3:codeql-suites/python-code-scanning.qls
suites/my-suite.qls
```

--------------------------------

### Example of increasing verbosity

Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks

This example uses the `-v` or `--verbose` option to increase the number of progress messages printed during command execution.

```shell
codeql resolve qlpacks -v
```