### Example of showing help information
Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks
This example displays the help text for the `codeql resolve qlpacks` command, detailing all available options.
```shell
codeql resolve qlpacks --help
```
--------------------------------
### Enable dependency caching for CodeQL
Source: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
This example shows how to enable dependency caching for the CodeQL action in an advanced setup workflow.
```yaml
# Initializes CodeQL with dependency caching enabled
- name: Initialize CodeQL
  uses: github/codeql-action/init@v4
  with:
    languages: java
    dependency-caching: true
```
--------------------------------
### Create ARC Setup Directory and Script
Source: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/setting-dependabot-to-run-on-self-hosted-runners-using-arc
Creates a directory for ARC setup and an executable shell script to install ARC.
```bash
mkdir ARC
touch helm_install_arc.sh
chmod 755 helm_install_arc.sh
```
--------------------------------
### Example qlpack.yml Dependencies
Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli/codeql-query-packs
This example shows the `dependencies` section in a `qlpack.yml` file, defining version ranges for direct dependencies.
```yaml
dependencies:
  codeql/cpp-all: ^0.1.2
  my-user/my-lib: ^0.2.3
  other-dependency/from-source: "*"
```
--------------------------------
### Example of using --search-path
Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks
This example demonstrates how to use the `--search-path` option to specify directories where QL packs can be found. The order of directories defines precedence.
```shell
codeql resolve qlpacks --search-path=~/my-qlpacks
```
--------------------------------
### Example of specifying QL pack kind
Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks
This example demonstrates how to filter the results to only include query packs using the `--kind` option.
```shell
codeql resolve qlpacks --kind=query
```
--------------------------------
### Install CodeQL Pack Dependencies with Search Path
Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/pack-install
Installs dependencies, searching for QL packs in the specified directories. The order of directories defines precedence.
```shell
codeql pack install --search-path=<dir>[:<dir>...]
```
--------------------------------
### Example of passing advanced JVM options
Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks
This example shows how to pass advanced options directly to the Java Virtual Machine running the CodeQL CLI command.
```shell
codeql resolve qlpacks -J=-Xmx2048m
```
--------------------------------
### Example of JSON output format
Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks
This example shows how to request the output in JSON format using the `--format` option. This can report multiple locations for a pack name if there are conflicting locations.
```shell
codeql resolve qlpacks --format=json
```
--------------------------------
### CodeQL Pack Lock File Example
Source: https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/about-codeql-workspaces
An example `codeql-pack.lock.yml` file generated after running `codeql pack install` within a workspace. It shows resolved external dependencies but omits workspace-provided source dependencies.
```yaml
dependencies:
  codeql/cpp-all:
    version: 0.2.2
```
--------------------------------
### Download and Analyze CodeQL Packs
Source: https://docs.github.com/en/code-security/codeql-cli/codeql-cli-reference/about-codeql-packs
This example downloads the latest version of one pack and the newest release of another that is compatible with `~1.0.1`, then runs the default queries from the first and a single query (`queries/csrf.ql`) from the second. The access token is piped on standard input rather than passed as an option, so it is not part of the `codeql` command line. The docs name the variable `OCTO-ORG_ACCESS_TOKEN`; a hyphen is not valid in a shell variable name, so it is written with an underscore here.
```bash
$ echo $OCTO_ORG_ACCESS_TOKEN | codeql database analyze --download /codeql-dbs/example-repo \
octo-org/security-queries \
octo-org/optional-security-queries@~1.0.1:queries/csrf.ql \
--format=sarif-latest --output=/temp/example-repo-js.sarif
> Download location: /Users/mona/.codeql/packages
> Installed fresh octo-org/security-queries@1.0.0
> Installed fresh octo-org/optional-security-queries@1.0.2
> Running queries.
> Compiling query plan for /Users/mona/.codeql/packages/octo-org/security-queries/1.0.0/potential-sql-injection.ql.
> [1/2] Found in cache: /Users/mona/.codeql/packages/octo-org/security-queries/1.0.0/potential-sql-injection.ql.
> Starting evaluation of octo-org/security-queries/query1.ql.
> Compiling query plan for /Users/mona/.codeql/packages/octo-org/optional-security-queries/1.0.2/queries/csrf.ql.
> [2/2] Found in cache: /Users/mona/.codeql/packages/octo-org/optional-security-queries/1.0.2/queries/csrf.ql.
> Starting evaluation of octo-org/optional-security-queries/queries/csrf.ql.
> [2/2 eval 694ms] Evaluation done; writing results to octo-org/security-queries/query1.bqrs.
> Shutting down query evaluator.
> Interpreting results.
```
--------------------------------
### Yarn Berry Private Registry Configuration in yarn.lock
Source: https://docs.github.com/en/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries
Example of a `yarn.lock` entry whose `resolved` URL points at the private registry. After running `yarn install` against the private registry, check that every `resolved` URL in the lock file refers to it; an entry that still names the public registry will be fetched from there.
```yaml
encoding@^0.1.11:
  version "0.1.13"
  resolved "https://private_registry_url/encoding/-/encoding-0.1.13.tgz#56574afdd791f54a8e9b2785c0582a2d26210fa9"
  integrity sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A==
  dependencies:
    iconv-lite "^0.6.2"
```
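As an added check (example code written for this page, not from GitHub's documentation or from Yarn itself), the following Python scans the classic `yarn.lock` layout shown above and reports every package whose `resolved` tarball URL is not an https URL on the private registry host. The sample lock text is constructed: it reuses the `encoding` entry from the page and adds an `iconv-lite` entry, with a made-up checksum, that was resolved from the public registry instead.

```python
"""Report yarn.lock entries that were not resolved from the private registry."""
import re
from urllib.parse import urlparse

# Constructed sample: the page's encoding entry plus one entry that leaked to
# the public registry (the iconv-lite hash and integrity value are placeholders).
SAMPLE_YARN_LOCK = """\
encoding@^0.1.11:
  version "0.1.13"
  resolved "https://private_registry_url/encoding/-/encoding-0.1.13.tgz#56574afdd791f54a8e9b2785c0582a2d26210fa9"
  integrity sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A==
  dependencies:
    iconv-lite "^0.6.2"

iconv-lite@^0.6.2:
  version "0.6.3"
  resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.6.3.tgz#0000000000000000000000000000000000000000"
  integrity sha512-AAAA
"""

# An entry header starts in column 0 and ends with ':'; its fields are indented.
_ENTRY_RE = re.compile(r"^(?P<key>\S.*):\s*$")
_RESOLVED_RE = re.compile(r'^\s+resolved "(?P<url>[^"]+)"')


def resolved_urls(lock_text):
    """Yield (entry_key, resolved_url) pairs for each package entry in the lock file."""
    key = None
    for line in lock_text.splitlines():
        header = _ENTRY_RE.match(line)
        if header:
            key = header["key"]
            continue
        resolved = _RESOLVED_RE.match(line)
        if resolved and key is not None:
            yield key, resolved["url"]


def foreign_entries(lock_text, private_host):
    """Return (entry_key, url) for every entry not fetched over https from private_host."""
    bad = []
    for key, url in resolved_urls(lock_text):
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.hostname != private_host:
            bad.append((key, url))
    return bad


if __name__ == "__main__":
    for key, url in foreign_entries(SAMPLE_YARN_LOCK, "private_registry_url"):
        print(f"{key} resolved outside the private registry: {url}")
```

Run it against a real lock file by reading the file into `foreign_entries` in place of `SAMPLE_YARN_LOCK`; a non-empty result means the install did not go exclusively through the private registry.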
--------------------------------
### Create CodeQL Databases and Analyze Code
Source: https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli
This example shows the first steps of analyzing a codebase with the CodeQL CLI: create databases for Java and Python in a single `--db-cluster` run driven by the codebase's normal build script (`myBuildScript`), then analyze each database (the Java analysis is shown). Uploading the resulting SARIF files to GitHub is the final step.
```bash
# Create CodeQL databases for Java and Python in the 'codeql-dbs' directory,
# driving the build with the codebase's normal build script 'myBuildScript'
codeql database create codeql-dbs --source-root=src \
  --db-cluster --language=java,python --command=./myBuildScript
# Analyze the CodeQL database for Java, 'codeql-dbs/java'
codeql database analyze codeql-dbs/java java-code-scanning.qls \
  --format=sarif-latest --sarif-category=java --output=java-results.sarif
```
--------------------------------
### Example CI Configuration for CodeQL Analysis
Source: https://docs.github.com/en/code-security/concepts/code-scanning/codeql/about-the-codeql-cli
This example demonstrates the complete sequence of CodeQL CLI commands for analyzing a codebase with Java and Python, and then uploading the results to GitHub. It covers database creation, analysis for each language, and uploading the generated SARIF files.
```shell
# Create CodeQL databases for Java and Python in the 'codeql-dbs' directory
# Call the normal build script for the codebase: 'myBuildScript'
codeql database create codeql-dbs --source-root=src \
--db-cluster --language=java,python --command=./myBuildScript
# Analyze the CodeQL database for Java, 'codeql-dbs/java'
# Tag the data as 'java' results and store in: 'java-results.sarif'
codeql database analyze codeql-dbs/java java-code-scanning.qls \
--format=sarif-latest --sarif-category=java --output=java-results.sarif
# Analyze the CodeQL database for Python, 'codeql-dbs/python'
# Tag the data as 'python' results and store in: 'python-results.sarif'
codeql database analyze codeql-dbs/python python-code-scanning.qls \
--format=sarif-latest --sarif-category=python --output=python-results.sarif
# Upload the SARIF file with the Java results: 'java-results.sarif'
# The GitHub App or personal access token created for authentication
# with GitHub's REST API is available in the `GITHUB_TOKEN` environment variable.
codeql github upload-results \
--repository=my-org/example-repo \
--ref=refs/heads/main --commit=deb275d2d5fe9a522a0b7bd8b6b6a1c939552718 \
--sarif=java-results.sarif
# Upload the SARIF file with the Python results: 'python-results.sarif'
codeql github upload-results \
--repository=my-org/example-repo \
--ref=refs/heads/main --commit=deb275d2d5fe9a522a0b7bd8b6b6a1c939552718 \
--sarif=python-results.sarif
```
--------------------------------
### Specify Manifest Directories with Globbing
Source: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated
Use glob patterns within the `directories` key to specify manifest file locations. This example targets the root directory and any directories starting with `lib-` for Composer dependencies.
```yaml
version: 2
updates:
  - package-ecosystem: "composer"
    directories:
      - "/"
      - "/lib-*"
    schedule:
      interval: "weekly"
```
--------------------------------
### Example of using --additional-packs
Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks
This example shows how to use the `--additional-packs` option to specify directories that should be searched for packs before the ones in `--search-path`. This is useful for temporarily developing new versions of packs.
```shell
codeql resolve qlpacks --additional-packs=~/my-dev-qlpacks
```
--------------------------------
### Install CodeQL Pack Dependencies Allowing Pre-release
Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/pack-install
Installs dependencies, including packs with pre-release version qualifiers.
```shell
codeql pack install --allow-prerelease
```
--------------------------------
### Install CodeQL Pack Dependencies with JSON Output
Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/pack-install
Installs dependencies for the CodeQL pack and formats the output as JSON.
```shell
codeql pack install --format=json
```
--------------------------------
### Example custom pattern non-matching
Source: https://docs.github.com/en/code-security/reference/secret-security/custom-patterns
These strings would not match the custom pattern for an internal token that the source page defines (the pattern itself is not reproduced here).
```text
a9@AA.!
a@AAAAA
aa9@AA!ee9
aAAAe9
```
--------------------------------
### Show Help for CodeQL Database Bundle
Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-bundle
Display the help text for the `codeql database bundle` command to see all available options and their descriptions.
```shell
codeql database bundle --help
```
--------------------------------
### Example custom pattern matching
Source: https://docs.github.com/en/code-security/reference/secret-security/custom-patterns
These strings would match the custom pattern for an internal token that the source page defines (the pattern itself is not reproduced here). The comment on each line gives the substring that secret scanning would report as the secret.
```text
a9@AAfT! # Secret string match: a9@AAfT
ee95GG@ZA942@aa # Secret string match: @ZA942@a
a9@AA!ee9 # Secret string match: a9@AA
```
--------------------------------
### Initialize a CodeQL Pack
Source: https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs
Use this command to create the directory structure and configuration files for a new CodeQL pack. Specify your scope and desired pack name.
```bash
codeql pack init <scope>/<pack>
```
--------------------------------
### Add manual build commands with make
Source: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
Provides example build commands using 'make' to be used within a 'run' step when manual building is enabled for CodeQL analysis. This allows for custom build processes.
```yaml
- run: |
    make bootstrap
    make release
```
--------------------------------
### Example codeql-pack.lock.yml Dependencies
Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli/codeql-query-packs
This example illustrates the structure of a `codeql-pack.lock.yml` file, which locks specific versions of direct and transitive dependencies.
```yaml
dependencies:
  codeql/cpp-all:
    version: 0.1.4
  my-user/my-lib:
    version: 0.2.4
  my-user/transitive-dependency:
    version: 1.2.4
```
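The lock file and the `qlpack.yml` dependency list shown earlier on this page are related: each version the lock pins for a direct dependency must fall inside the range declared for it. As an added example (written for this page, not code from the CodeQL CLI or its documentation), the Python below implements caret, tilde, exact and `*` ranges and checks a lock against a declaration. Both tables are the page's two examples transcribed as dicts; the range semantics are assumed to be npm-style, and a direct dependency declared `*` that is absent from the lock is treated as workspace-provided, matching the page's `other-dependency/from-source` entry.

```python
"""Check that a codeql-pack.lock.yml pins versions inside the ranges qlpack.yml declares."""
import re

# The page's qlpack.yml and codeql-pack.lock.yml examples, transcribed as dicts.
QLPACK_DEPENDENCIES = {
    "codeql/cpp-all": "^0.1.2",
    "my-user/my-lib": "^0.2.3",
    "other-dependency/from-source": "*",
}
LOCKED_VERSIONS = {
    "codeql/cpp-all": "0.1.4",
    "my-user/my-lib": "0.2.4",
    "my-user/transitive-dependency": "1.2.4",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' into a tuple of ints; reject anything else."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a plain semver version: {text!r}")
    return tuple(int(x) for x in m.groups())


def range_bounds(spec):
    """Translate a range into (lower_inclusive, upper_exclusive); None means unbounded.

    npm-style semantics are assumed: '^' keeps the leftmost non-zero component
    fixed, '~' keeps major.minor fixed, '*' accepts anything, 'X.Y.Z' is exact.
    """
    if spec == "*":
        return (0, 0, 0), None
    if spec.startswith("^"):
        major, minor, patch = parse_version(spec[1:])
        if major > 0:
            upper = (major + 1, 0, 0)
        elif minor > 0:
            upper = (0, minor + 1, 0)
        else:
            upper = (0, 0, patch + 1)
        return (major, minor, patch), upper
    if spec.startswith("~"):
        major, minor, patch = parse_version(spec[1:])
        return (major, minor, patch), (major, minor + 1, 0)
    exact = parse_version(spec)
    return exact, (exact[0], exact[1], exact[2] + 1)


def satisfies(version, spec):
    """True when a concrete version lies inside the declared range."""
    v = parse_version(version)
    lower, upper = range_bounds(spec)
    return lower <= v and (upper is None or v < upper)


def check_lock(declared, locked):
    """Return human-readable problems; an empty list means the lock is consistent.

    A direct dependency missing from the lock is reported unless it is declared
    with '*', which in the page's example marks a dependency resolved from the
    workspace rather than from a registry.
    """
    problems = []
    for name, spec in declared.items():
        version = locked.get(name)
        if version is None:
            if spec != "*":
                problems.append(f"{name}: declared {spec} but not locked")
            continue
        if not satisfies(version, spec):
            problems.append(f"{name}: locked {version} is outside {spec}")
    return problems


if __name__ == "__main__":
    for problem in check_lock(QLPACK_DEPENDENCIES, LOCKED_VERSIONS) or ["lock is consistent"]:
        print(problem)
```

`codeql pack install` performs this resolution itself; the check is useful when reviewing a committed lock file, for example to catch a hand-edited `version:` that no longer matches the declared range.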
--------------------------------
### Create a Go CodeQL Database with a Custom Build Script
Source: https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis
Create a Go CodeQL database by specifying a custom build script using the `--command` option.
```bash
codeql database create go-database --language=go --command='./scripts/build.sh'
```
--------------------------------
### Install CodeQL Pack Dependencies with Force Option
Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/pack-install
Installs dependencies for the CodeQL pack, allowing overwriting of already existing packs.
```shell
codeql pack install --force
```
--------------------------------
### Install Actions Runner Controller (ARC)
Source: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/setting-dependabot-to-run-on-self-hosted-runners-using-arc
Installs the latest ARC version using Helm, creating a dedicated namespace for its systems. With no `--version` given, Helm pulls whatever the newest chart in the OCI registry is at install time; pass `--version` to pin a chart release for repeatable installs.
```bash
NAMESPACE="arc-systems"
helm install arc \
--namespace "${NAMESPACE}" \
--create-namespace \
oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller
```
--------------------------------
### Initialize CodeQL Database with Indirect Tracing
Source: https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis
Use this command to initialize a CodeQL database and begin the indirect build tracing process. Specify the database path and the `--begin-tracing` flag. This command creates scripts to set up the tracing environment.
```bash
codeql database init ... --begin-tracing
```
--------------------------------
### Preview CodeQL Query Help Files as Markdown
Source: https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-query-help-files
Use this command to render query help files as Markdown. This helps in validating their structure and content before publishing.
```shell
codeql generate query-help --format=markdown [--output=<dir|file>] <qhelp|query|dir|suite>...
```
--------------------------------
### Install CodeQL Pack Dependencies with Alternate Lock Output
Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/pack-install
Installs dependencies and specifies an alternate location to save the generated lock file.
```shell
codeql pack install --lock-output=<file>
```
--------------------------------
### Example Query Specifiers
Source: https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs
Demonstrates various ways to specify CodeQL queries or suites from packs, including version ranges and paths.
```text
codeql/python-queries
```
```text
codeql/python-queries@1.2.3
```
```text
codeql/python-queries@~1.2.3
```
```text
codeql/python-queries:Functions
```
```text
codeql/python-queries@1.2.3:Functions
```
```text
codeql/python-queries@1.2.3:codeql-suites/python-code-scanning.qls
```
```text
suites/my-suite.qls
```
--------------------------------
### Example of decreasing verbosity
Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks
This example uses the `-q` or `--quiet` option to decrease the number of progress messages printed during command execution.
```shell
codeql resolve qlpacks -q
```
--------------------------------
### Specifying CodeQL query packs and versions
Source: https://docs.github.com/en/code-security/tutorials/customize-code-scanning/customizing-analysis-with-codeql-packs
Examples of how to reference CodeQL packs, including specific versions and subdirectories or query suite files.
```text
codeql/python-queries
```
```text
codeql/python-queries@1.2.3
```
```text
codeql/python-queries@~1.2.3
```
```text
codeql/python-queries:Functions
```
```text
codeql/python-queries@1.2.3:Functions
```
```text
codeql/python-queries@1.2.3:codeql-suites/python-code-scanning.qls
```
```text
suites/my-suite.qls
```
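As an added example (written for this page, not part of the CodeQL CLI or its documentation), the Python below parses the specifier syntax listed in this section and in the earlier "Example Query Specifiers" section into pack, version and path, and flags specifiers that are not pinned to an exact version, since an unpinned pack reference makes `codeql database analyze --download` fetch the newest matching release on each run. The rule that a pack name is a lowercase `scope/name` pair, with anything else treated as a local path, is an assumption made for this parser; the CLI's own resolution logic is not reproduced.

```python
"""Parse CodeQL query specifiers and flag the ones that float to newer pack releases."""
import re

# scope/name, optional @version-or-range, optional :path inside the pack.
# Restricting names to lowercase letters, digits and hyphens is an assumption
# made here so that a path such as suites/my-suite.qls is not mistaken for a pack.
_PACK_SPEC_RE = re.compile(
    r"^(?P<pack>[a-z0-9-]+/[a-z0-9-]+)"   # scope/name
    r"(?:@(?P<version>[^:]+))?"            # optional @1.2.3 or @~1.2.3
    r"(?::(?P<path>.+))?$"                 # optional :dir-or-file within the pack
)
_EXACT_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")


def parse_query_specifier(spec):
    """Describe what a specifier selects.

    kind='pack' results carry the pack name, the requested version text
    ('*' when omitted) and an optional path inside the pack; kind='path'
    results are local .ql/.qls files or directories.
    """
    m = _PACK_SPEC_RE.match(spec)
    if m is None:
        return {"kind": "path", "path": spec}
    return {
        "kind": "pack",
        "pack": m["pack"],
        "version": m["version"] if m["version"] is not None else "*",
        "path": m["path"],
    }


def is_pinned(spec):
    """True when the specifier cannot silently pick up a newer pack release.

    Exact versions (@1.2.3) and local paths are pinned; an omitted version or
    a range such as @~1.2.3 lets the CLI download the newest release in range.
    """
    parsed = parse_query_specifier(spec)
    if parsed["kind"] == "path":
        return True
    return _EXACT_VERSION_RE.match(parsed["version"]) is not None


def unpinned_specifiers(specs):
    """Filter a list of query specifiers down to those that float."""
    return [s for s in specs if not is_pinned(s)]


if __name__ == "__main__":
    # The specifiers listed on this page.
    examples = [
        "codeql/python-queries",
        "codeql/python-queries@1.2.3",
        "codeql/python-queries@~1.2.3",
        "codeql/python-queries:Functions",
        "codeql/python-queries@1.2.3:Functions",
        "codeql/python-queries@1.2.3:codeql-suites/python-code-scanning.qls",
        "suites/my-suite.qls",
    ]
    for spec in examples:
        print(f"{spec:70} pinned={is_pinned(spec)} {parse_query_specifier(spec)}")
```

In a CI configuration, running `unpinned_specifiers` over the query list turns "which packs can change under us between runs" into a concrete list to review.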
--------------------------------
### Example of increasing verbosity
Source: https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-qlpacks
This example uses the `-v` or `--verbose` option to increase the number of progress messages printed during command execution.
```shell
codeql resolve qlpacks -v
```