This PR modifies the action to produce separate SARIF files for code quality queries (as specified as arguments to thequality-queries input) and uploads them to the code quality API. The approach here is that:

We remove the logic fromAdd newquality-queries input #2917 that adds thequality-queries input to the code scanning configuration file that's used when initialising the database.
That means that the quality queries are no longer included in theconfig-queries.qls that's generated by the CLI.
When we calldatabase run-queries, and if quality queries are enabled, we explicitly specifyconfig-queries.qls (which the CLI normally does by default if nothing is specified) + the quality queries.
Since the quality queries are only specified as argument todatabase run-queries, the existing call todatabase interpret-results generates a SARIF that only includes results relating to security queries (i.e.config-queries.qls).
We make an additional call todatabase interpret-results for queries that were specified as arguments to thequality-queries input (if any). This results in SARIF files for those queries.
We then upload them to the CQ API endpoint.

Notes

The changes aim to be as backwards-compatible as possible. That includes:
- SARIF files are output to the same place as before (e.g. as opposed to having separate subdirectories for security and quality SARIFs). SARIF files containing quality results are identified by the.quality.sarif extension.
We don't supportquery-filter options with respect to code quality results.

Merge / deployment checklist

Confirm this change is backwards compatible with existing workflows.
Confirm thereadme has been updated if necessary.
Confirm thechangelog has been updated if necessary.

mbg force-pushed thembg/interpret-cq-results branch 2 times, most recently from87b6687 tofe76653Compare

June 17, 2025 13:37

github-advanced-securitybot found potential problems

Jun 17, 2025

View reviewed changes

src/upload-lib.ts FixedShow fixedHide fixed

mbg added8 commits

June 23, 2025 18:19

Interpret results for quality queries and store as separate SARIF file

3963bf4

Upload both SARIF files inquality-queries check

aba8788

Check SARIF with quality results for expected configuration

3a7544e

Resolvecode-quality alias

320f7b0

Add ability to use different filters infindSarifFilesInDir

22444a6

Upload quality SARIFs to CQ endpoint

45b3bec

Allow the same category once for each type of upload

f183422

FixgetSarifFilePaths not using right filter

6abacdb

mbg force-pushed thembg/interpret-cq-results branch from2bf7322 to24e4f58Compare

June 23, 2025 17:35

Support all default query suites and resolve them

f7fbaa0

mbg force-pushed thembg/interpret-cq-results branch from7e59f77 tof7fbaa0Compare

June 24, 2025 12:09

mbg added4 commits

June 24, 2025 13:24

Add test for modifiedfindSarifFilesInDir

5189159

Add test for modifiedvalidateUniqueCategory

af32bc6

Add test forresolveQuerySuiteAlias

9b9286a

Add some more comments

86f47e8

mbg marked this pull request as ready for review

June 24, 2025 13:08

mbg requested a review froma team as acode owner

June 24, 2025 13:08

mbg requested a review fromCopilot

June 24, 2025 13:09

CopilotAI reviewed

Jun 24, 2025

View reviewed changes

Copy link

Contributor

CopilotAI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Pull Request Overview

This PR enables separate generation and upload of SARIF files for code-quality queries specified via thequality-queries input, in addition to the existing code-scanning SARIF flow.

IntroducesSARIF_UPLOAD_TARGET enum andUploadTarget interface to distinguish code scanning vs. code quality uploads.
Extends file discovery (findSarifFilesInDir,getSarifFilePaths) and upload logic (uploadFiles,uploadPayload,validateUniqueCategory) to filter and handle.quality.sarif files.
Updatesanalyze.ts/analyze-action.ts to produce and upload quality SARIFs whenquality-queries are provided, and adjusts CI workflows to upload/check both SARIF artifacts.

Reviewed Changes

Copilot reviewed 12 out of 17 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
src/upload-lib.ts	Added enum and targets for separate SARIF uploads, filtering logic for`.quality.sarif`.
src/upload-lib.test.ts	Added tests for filtering`.quality.sarif` files and`validateUniqueCategory` prefix.
src/analyze.ts	Introduced default query suites and`resolveQuerySuiteAlias`; generate quality SARIF.
src/analyze.test.ts	Added tests for`resolveQuerySuiteAlias`.
src/analyze-action.ts	Uploads quality SARIF and sets`quality-sarif-id` output when`quality-queries` present.
pr-checks/checks/quality-queries.yml	CI updates to upload security vs. quality SARIF artifacts and adjust checks.

Comments suppressed due to low confidence (2)

src/upload-lib.ts:427

ThegetSarifFilePaths function bypasses theisSarif filter whensarifPath is a single file. This can lead to uploading unwanted files (e.g., a.quality.sarif when targeting code-scanning). ApplyisSarif to the single-file case or throw if it does not match.

    sarifFiles = [sarifPath];

pr-checks/checks/quality-queries.yml:29

[nitpick] The CI step now only checks config properties in the quality SARIF, omitting the original security SARIF check. Consider adding a separate check for${{ runner.temp }}/results/javascript.sarif to ensure both artifacts are validated.

      SARIF_PATH: "${{ runner.temp }}/results/javascript.quality.sarif"

Upload.quality.sarif files to CQ service inupload-sarif action

2c76207

mbg force-pushed thembg/interpret-cq-results branch 2 times, most recently from3393b4e to81969d7Compare

June 25, 2025 13:24

Prototyping adding quality queries when running queries

e382508

mbg force-pushed thembg/interpret-cq-results branch 2 times, most recently from4088317 tob403ba2Compare

June 25, 2025 13:38

Fixconfig-queries.qls location

79049d9

mbg force-pushed thembg/interpret-cq-results branch fromb403ba2 to79049d9Compare

June 25, 2025 13:42

esbena reviewed

Jun 25, 2025

View reviewed changes

Copy link

Contributor

esbena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Nice, and pleasantly surgical.

I think this does the right thing, except for a missing quality.sarif predicate in the very end.

Other than that it's mostly nits, and some concerns about maintenance in the long term. We have already discussed them elsewhere. Perhaps we should update the discussion document with our current choice for query resolution.

src/analyze.ts OutdatedShow resolvedHide resolved

src/analyze.tsShow resolvedHide resolved

src/codeql.tsShow resolvedHide resolved

src/upload-lib.ts OutdatedShow resolvedHide resolved

src/upload-lib.ts

		@@ -567,6 +581,30 @@ export function buildPayload(
		returnpayloadObj;
		}

		// Represents configurations for different services that we can upload SARIF to.
		exportinterfaceUploadTarget{

Copy link

Contributor

esbenaJun 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

regarding the target/endpoint comment above: this is a much better place to call something target. I'd probably preferSarifUploadConfig but that is splitting hairs.

src/upload-lib.tsShow resolvedHide resolved

src/upload-lib.ts

		sentinelPrefix:string;
		}

		// Represents the Code Scanning upload target.

Copy link

Contributor

esbenaJun 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Stray thought. I have seen both line comments and jsdoc comments on your new functions. Is it deliberate that you do not use jsdoc here? If yes, OK.

Copy link

MemberAuthor

mbgJun 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I think the existing codebase is fairly inconsistent in this regard. I probably just subconsciously mirrored what adjacent definitions do. I'll make this more consistent for my changes.