github upload-results
Uploads a SARIF file to GitHub code scanning.
Who can use this feature?
CodeQL is available for the following repository types:
- Public repositories on GitHub.com, seeGitHub CodeQL Terms and Conditions
- Organization-owned repositories on GitHub Team withGitHub Code Security enabled
In this article
Note
This content describes the most recent release of the CodeQL CLI. For more information about this release, seehttps://github.com/github/codeql-cli-binaries/releases.
To see details of the options available for this command in an earlier release, run the command with the--help option in your terminal.
Synopsis
codeql github upload-results --sarif=<file> [--github-auth-stdin] [--github-url=<url>] [--repository=<repository-name>] [--ref=<ref>] [--commit=<commit>] [--checkout-path=<path>] <options>...
codeql github upload-results --sarif=<file> [--github-auth-stdin] [--github-url=<url>] [--repository=<repository-name>] [--ref=<ref>] [--commit=<commit>] [--checkout-path=<path>] <options>...Description
Uploads a SARIF file to GitHub code scanning.
See:Uploading CodeQL analysis results to GitHub
A GitHub Apps token or personal access token must be set. For bestsecurity practices, it is recommended to set the--github-auth-stdinflag and pass the token to the command through standard input.Alternatively, theGITHUB_TOKEN environment variable can be set.
This token must have thesecurity_events scope.
Options
Primary Options
-s, --sarif=<file>
[Mandatory] Path to the SARIF files to use. This should be the outputofcodeql database analyze (orcodeql database interpret-results) with--format sarif-latest for upload to github.com orthe appropriate supported format tag for GitHub Enterprise Serverinstances (seeSARIF support for code scanning forSARIF versions supported by your release).
-r, --repository=<repository-name>
GitHub repository owner and name (e.g.,github/octocat) to use as anendpoint for uploading. The CLI will attempt to autodetect this from thecheckout path if it is omitted.
-f, --ref=<ref>
Name of the ref that was analyzed. If this ref is a pull request mergecommit, then userefs/pull/1234/merge orrefs/pull/1234/head(depending on whether or not this commit corresponds to the HEAD orMERGE commit of the PR). Otherwise, this should be a branch:refs/heads/branch-name. If omitted, the CLI will attempt toautomatically populate this from the current branch of the checkoutpath, if this exists.
-c, --commit=<commit>
SHA of commit that was analyzed. If this is omitted the CLI will attemptto autodetect this from the checkout path.
-p, --checkout-path=<path>
Checkout path. Default is the current working directory.
--merge
[Advanced] Allow more than one SARIF file to be specified, and mergethese into a single file before uploading. This is only recommended forbackwards compatibility. For new analyses it is recommended to uploadtwo separate SARIF files with different categories. This option onlyworks in conjunction with SARIF files produced by CodeQL with SARIFversion 2.1.0 (this is the default version of SARIF used by CodeQL).
--no-wait-for-processing
By default, the CLI will wait for GitHub to process the SARIF file for amaximum of 2 minutes, returning a non-zero exit code if there were anyerrors during processing of the analysis results. You can customize howlong the CLI will wait with--wait-for-processing-timeout, or disablethe feature with--no-wait-for-processing.
--wait-for-processing-timeout=<waitForProcessingTimeout>
The maximum time the CLI will wait for the uploaded SARIF file to beprocessed by GitHub, in seconds. The default is 120 seconds (2 minutes).This option is only valid when--wait-for-processing is enabled.
--format=<fmt>
Select output format. Choices include:
text(default): Print the URL for tracking the status of the SARIFupload.
json: Print the response body of the SARIF upload API request.
See also:REST API endpoints for code scanning
Options to configure where to upload SARIF files.
-a, --github-auth-stdin
Accept a GitHub Apps token or personal access token via standard input.
This overrides the GITHUB_TOKEN environment variable.
-g, --github-url=<url>
URL of the GitHub instance to use. If omitted, the CLI will attempt toautodetect this from the checkout path and if this is not possibledefault tohttps://github.com/
Common options
-h, --help
Show this help text.
-J=<opt>
[Advanced] Give option to the JVM running the command.
(Beware that options containing spaces will not be handled correctly.)
-v, --verbose
Incrementally increase the number of progress messages printed.
-q, --quiet
Incrementally decrease the number of progress messages printed.
--verbosity=<level>
[Advanced] Explicitly set the verbosity level to one of errors,warnings, progress, progress+, progress++, progress+++. Overrides-vand-q.
--logdir=<dir>
[Advanced] Write detailed logs to one or more files in the givendirectory, with generated names that include timestamps and the name ofthe running subcommand.
(To write a log file with a name you have full control over, insteadgive--log-to-stderr and redirect stderr as desired.)
--common-caches=<dir>
[Advanced] Controls the location of cached data on disk that willpersist between several runs of the CLI, such as downloaded QL packs andcompiled query plans. If not set explicitly, this defaults to adirectory named.codeql in the user's home directory; it will becreated if it doesn't already exist.
Available sincev2.15.2.