From 3ddc28ec05faf843288de152524e2fbcfd0256a0 Mon Sep 17 00:00:00 2001
From: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
Date: Wed, 4 Mar 2026 14:34:27 +0000
Subject: [PATCH 1/4] [EDI] Advanced setup of the CodeQL CLI (#59983)
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
---
 .../codeql/about-the-codeql-cli.md | 17 ++-
 .../advanced-setup-of-the-codeql-cli.md | 117 ------------------
 .../check-out-source-code.md | 76 ++++++++++++
 .../download-databases.md | 43 +++++++
 .../scan-from-the-command-line/index.md | 3 +-
 .../setting-up-the-codeql-cli.md | 2 +-
 6 files changed, 135 insertions(+), 123 deletions(-)
 delete mode 100644 content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/advanced-setup-of-the-codeql-cli.md
 create mode 100644 content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/check-out-source-code.md
 create mode 100644 content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/download-databases.md
diff --git a/content/code-security/concepts/code-scanning/codeql/about-the-codeql-cli.md b/content/code-security/concepts/code-scanning/codeql/about-the-codeql-cli.md
index ba666e4b9877..0b79eaa71288 100644
--- a/content/code-security/concepts/code-scanning/codeql/about-the-codeql-cli.md
+++ b/content/code-security/concepts/code-scanning/codeql/about-the-codeql-cli.md
@@ -24,6 +24,8 @@ redirect_from:
 - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/migrating-from-the-codeql-runner-to-codeql-cli
 - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/about-codeql-code-scanning-in-your-ci-system
 - /code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli
+ - /code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/advanced-setup-of-the-codeql-cli
+ - /code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/advanced-setup-of-the-codeql-cli
 contentType: concepts
 ---
@@ -45,9 +47,6 @@ The {% data variables.product.prodname_codeql_cli %} can analyze:
 * Compiled languages, for example, {% data variables.code-scanning.compiled_languages %}
 * Codebases written in a mixture of languages.
-For information about setting up the {% data variables.product.prodname_codeql_cli %}, see
-[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli).
-
 ## About using the {% data variables.product.prodname_codeql_cli %} for {% data variables.product.prodname_code_scanning %}
 You can use the {% data variables.product.prodname_codeql_cli %} to run {% data variables.product.prodname_code_scanning %} on code that you're processing in a third-party continuous integration (CI) system. {% data reusables.code-scanning.about-code-scanning %} For an overview of using code scanning with external CI systems, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system). For recommended specifications (RAM, CPU cores, and disk) for running {% data variables.product.prodname_codeql %} analysis, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/recommended-hardware-resources-for-running-codeql).
@@ -60,7 +59,7 @@ For an overview of all the options for using {% data variables.product.prodname_
 ## About generating code scanning results with the {% data variables.product.prodname_codeql_cli %}
-If you choose to run the {% data variables.product.prodname_codeql_cli %} directly, you first have to install the {% data variables.product.prodname_codeql_cli %} locally. If you are planning to use the {% data variables.product.prodname_codeql_cli %} with an external CI system, you need to make the {% data variables.product.prodname_codeql_cli %} available to servers in your CI system. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli).
+If you choose to run the {% data variables.product.prodname_codeql_cli %} directly, you first have to install the {% data variables.product.prodname_codeql_cli %} locally. If you are planning to use the {% data variables.product.prodname_codeql_cli %} with an external CI system, you need to make the {% data variables.product.prodname_codeql_cli %} available to servers in your CI system.
 Once the {% data variables.product.prodname_codeql_cli %} is set up, you can use three different commands to generate results and upload them to {% data variables.product.github %}:
@@ -115,3 +114,13 @@ codeql github upload-results \
 The {% data variables.product.prodname_codeql_cli %} uses special programs, called extractors, to extract information from the source code of a software system into a database that can be queried. You can customize the behavior of extractors by setting extractor configuration options through the {% data variables.product.prodname_codeql_cli %}. See [AUTOTITLE](/code-security/reference/code-scanning/codeql/codeql-cli/extractor-options).
 {% data reusables.code-scanning.codeql-license %}
+
+## Getting started
+
+For the simplest way to get started, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli).
+
+More advanced setup options are available if you need them. For example, if you:
+
+* Want to contribute to open source shared {% data variables.product.prodname_codeql %} queries and prefer working with the {% data variables.product.prodname_codeql %} source code directly. See [AUTOTITLE](/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/check-out-source-code).
+* Need to install multiple versions of the {% data variables.product.prodname_codeql_cli %} side by side. For example, if one codebase requires a specific version while another uses the latest. You can download each version and unpack both CLI archives in the same parent directory.
+* Are researching or developing queries and want to download databases from {% data variables.product.prodname_dotcom_the_website %}. See [AUTOTITLE](/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/download-databases).
diff --git a/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/advanced-setup-of-the-codeql-cli.md b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/advanced-setup-of-the-codeql-cli.md
deleted file mode 100644
index 73adb232f206..000000000000
--- a/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/advanced-setup-of-the-codeql-cli.md
+++ /dev/null
@@ -1,117 +0,0 @@
----
-title: Advanced setup of the CodeQL CLI
-intro: You can modify your {% data variables.product.prodname_codeql_cli %} setup to use a local checkout of the {% data variables.product.prodname_codeql %} repository for analysis, set up multiple versions of the {% data variables.product.prodname_codeql_cli %}, and analyze databases you have downloaded from {% data variables.product.github %}.
-product: '{% data reusables.gated-features.codeql %}'
-versions:
- fpt: '*'
- ghes: '*'
- ghec: '*'
-topics:
- - Code Security
- - Code scanning
- - CodeQL
-redirect_from:
- - /code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/advanced-setup-of-the-codeql-cli
-contentType: how-tos
----
-
-## About advanced setup of the {% data variables.product.prodname_codeql_cli %}
-
-If you plan to use {% data variables.product.prodname_codeql %} for more than just code scanning, you may prefer an advanced setup of the {% data variables.product.prodname_codeql_cli %}.
-
-* If you want to contribute to open source shared {% data variables.product.prodname_codeql %} queries, you may prefer working with the {% data variables.product.prodname_codeql %} source code directly.
-* If you want to use the latest {% data variables.product.prodname_codeql %} features to generate code scanning alerts for a codebase, but also want to analyze another codebase that is only compatible with a specific version of the {% data variables.product.prodname_codeql_cli %}, you may want to install multiple versions of the {% data variables.product.prodname_codeql_cli %}.
-* If you are researching or developing queries, you may want to download interesting or unique databases from {% data variables.product.prodname_dotcom_the_website %}.
-
-For information on the most simple setup of the {% data variables.product.prodname_codeql_cli %}, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli).
-
-## Checking out the {% data variables.product.prodname_codeql %} source code directly
-
-Some users prefer working with {% data variables.product.prodname_codeql %} query sources directly in order to work on or contribute to the Open Source shared queries. In order to do this, the following steps are recommended.
-
-### 1. Download the {% data variables.product.prodname_codeql_cli %} tar archive
-
-{% data reusables.codeql-cli.download-codeql-cli %}
-
-### 2. Create a new {% data variables.product.prodname_codeql %} directory
-
-Create a new directory where you can place the CLI and any queries and libraries
-you want to use. For example, `$HOME/codeql-home`.
-
-The CLI’s built-in search operations automatically look in all of its sibling
-directories for the files used in database creation and analysis. Keeping these
-components in their own directory prevents the CLI searching unrelated sibling
-directories while ensuring all files are available without specifying any
-further options on the command line.
-
-### 3. Obtain a local copy of the {% data variables.product.prodname_codeql %} queries
-
-The [{% data variables.product.prodname_codeql %} repository](https://github.com/github/codeql?ref_product=code-scanning&ref_type=engagement&ref_style=text) contains
-the queries and libraries required for {% data variables.product.prodname_codeql %} analysis of all supported languages.
-Clone a copy of this repository into `codeql-home`.
-
-By default, the root of the cloned repository will be called `codeql`.
-Rename this folder `codeql-repo` to avoid conflicting with the {% data variables.product.prodname_codeql_cli %} that you will extract in step 1. If you use git on the command line, you can
-clone and rename the repository in a single step by running
-`git clone git@github.com:github/codeql.git codeql-repo` in the `codeql-home` folder.
-
-Within this repository, the queries and libraries are organized into {% data variables.product.prodname_codeql %}
-packs. Along with the queries themselves, {% data variables.product.prodname_codeql %} packs contain important metadata
-that tells the {% data variables.product.prodname_codeql_cli %} how to process the query files. For more information,
-see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs).
-
-> [!NOTE]
-> There are different versions of the {% data variables.product.prodname_codeql %} queries available for different users. Check out the correct version for your use case:
->
-> * For the queries that are intended to be used with the latest {% data variables.product.prodname_codeql_cli %} release, check out the branch tagged `codeql-cli/latest`. You should use this branch for databases you’ve built using the {% data variables.product.prodname_codeql_cli %} or recently downloaded from {% data variables.product.github %}.
-> * For the most up to date {% data variables.product.prodname_codeql %} queries, check out the `main` branch. This branch represents the very latest version of {% data variables.product.prodname_codeql %}’s analysis.
-
-### 4. Extract the {% data variables.product.prodname_codeql_cli %} tar archive
-
-Extract the tar archive into the directory you created in step 2.
-
-For example, if the path to your copy of the {% data variables.product.prodname_codeql %} repository is `$HOME/codeql-home/codeql-repo`, then extract the CLI into
-`$HOME/codeql-home/`.
-
-### 5. Launch `codeql`
-
-{% data reusables.codeql-cli.launch-codeql %}
-
-### 6. Verify your {% data variables.product.prodname_codeql_cli %} setup
-
-{% data variables.product.prodname_codeql_cli %} has subcommands you can execute to verify that you are correctly set up to create and analyze databases:
-
-* Run `codeql resolve languages` to show which languages are available for database creation. This will list the languages supported by default in your {% data variables.product.prodname_codeql_cli %} package.
-* Run `codeql resolve qlpacks` to show which {% data variables.product.prodname_codeql %} packs the CLI can find. This will display the names of all the {% data variables.product.prodname_codeql %} packs directly available to the {% data variables.product.prodname_codeql_cli %}. This should include:
-* Query packs for each supported language, for example, `codeql/{language}-queries`. These packs contain the standard queries that will be run for each analysis.
-* Library packs for each supported language, for example, `codeql/{language}-all`. These packs contain query libraries, such as control flow and data flow libraries, that may be useful to query writers.
-* Example packs for each supported language, for example, `codeql/{language}-examples`. These packs contain useful snippets of {% data variables.product.prodname_codeql %} that query writers may find useful.
-* Legacy packs that ensure custom queries and libraries created using older products are compatible with your version of {% data variables.product.prodname_codeql %}.
-
-## Using two versions of the {% data variables.product.prodname_codeql_cli %}
-
-If you want to use the latest {% data variables.product.prodname_codeql %} features to execute queries or {% data variables.product.prodname_codeql %} tests, but also want to prepare databases that are compatible with a specific version of {% data variables.product.prodname_codeql %} code scanning on {% data variables.product.prodname_ghe_server %}, you may need to install two versions of the CLI. You can download the versions of the {% data variables.product.prodname_codeql_cli %} that you want, and unpack both CLI archives in the same parent directory.
-
-## Downloading databases from {% data variables.product.prodname_dotcom_the_website %}
-
-{% data variables.product.github %} stores {% data variables.product.prodname_codeql %} databases for over 200,000 repositories on {% data variables.product.prodname_dotcom_the_website %}, which you can download using the REST API. The list of repositories is constantly growing and evolving to make sure that it includes the most interesting codebases for security research.
-
-You can also analyze databases from {% data variables.product.prodname_dotcom_the_website %} using the {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode_shortname %} extension. For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries).
-
-You can check if a repository has any {% data variables.product.prodname_codeql %} databases available for download using the `/repos///code-scanning/codeql/databases` endpoint. For example, to check for {% data variables.product.prodname_codeql %} databases using the [{% data variables.product.prodname_cli %}](https://cli.github.com/manual/gh_api) you would run:
-
-```shell
-gh api /repos///code-scanning/codeql/databases
-```
-
-This command returns information about any {% data variables.product.prodname_codeql %} databases that are available for a repository, including the language the database represents, and when the database was last updated. If no {% data variables.product.prodname_codeql %} databases are available, the response is empty.
-
-When you have confirmed that a {% data variables.product.prodname_codeql %} database exists for the language you are interested in, you can download it using the following command:
-
-```shell
-gh api /repos///code-scanning/codeql/databases/ -H 'Accept: application/zip' > path/to/local/database.zip
-```
-
-For more information, see the documentation for the [Get {% data variables.product.prodname_codeql %} database endpoint](/rest/code-scanning/code-scanning#get-a-codeql-database-for-a-repository).
-
-Before running an analysis with the {% data variables.product.prodname_codeql_cli %}, you must unzip the databases.
diff --git a/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/check-out-source-code.md b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/check-out-source-code.md
new file mode 100644
index 000000000000..35fc5645a8ec
--- /dev/null
+++ b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/check-out-source-code.md
@@ -0,0 +1,76 @@
+---
+title: Checking out the CodeQL CLI source code
+intro: Set up the {% data variables.product.prodname_codeql_cli %} directly from the source code.
+product: '{% data reusables.gated-features.codeql %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+topics:
+ - Code Security
+ - Code scanning
+ - CodeQL
+contentType: how-tos
+shortTitle: Check out source code
+---
+
+Some users prefer working with {% data variables.product.prodname_codeql %} query sources directly in order to work on or contribute to open source shared queries.
+
+## 1. Download the {% data variables.product.prodname_codeql_cli %} tar archive
+
+{% data reusables.codeql-cli.download-codeql-cli %}
+
+## 2. Create a new {% data variables.product.prodname_codeql %} directory
+
+Create a new directory where you can place the CLI and any queries and libraries
+you want to use. For example, `$HOME/codeql-home`.
+
+The CLI’s built-in search operations automatically look in all of its sibling
+directories for the files used in database creation and analysis. Keeping these
+components in their own directory prevents the CLI searching unrelated sibling
+directories while ensuring all files are available without specifying any
+further options on the command line.
+
+## 3. Obtain a local copy of the {% data variables.product.prodname_codeql %} queries
+
+The [{% data variables.product.prodname_codeql %} repository](https://github.com/github/codeql?ref_product=code-scanning&ref_type=engagement&ref_style=text) contains
+the queries and libraries required for {% data variables.product.prodname_codeql %} analysis of all supported languages.
+Clone a copy of this repository into `codeql-home`.
+
+By default, the root of the cloned repository will be called `codeql`.
+Rename this folder `codeql-repo` to avoid conflicting with the {% data variables.product.prodname_codeql_cli %} that you will extract in step 1. If you use git on the command line, you can
+clone and rename the repository in a single step by running
+`git clone git@github.com:github/codeql.git codeql-repo` in the `codeql-home` folder.
+
+Within this repository, the queries and libraries are organized into {% data variables.product.prodname_codeql %}
+packs. Along with the queries themselves, {% data variables.product.prodname_codeql %} packs contain important metadata
+that tells the {% data variables.product.prodname_codeql_cli %} how to process the query files. For more information,
+see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs).
+
+> [!NOTE]
+> There are different versions of the {% data variables.product.prodname_codeql %} queries available for different users. Check out the correct version for your use case:
+>
+> * For the queries that are intended to be used with the latest {% data variables.product.prodname_codeql_cli %} release, check out the branch tagged `codeql-cli/latest`. You should use this branch for databases you’ve built using the {% data variables.product.prodname_codeql_cli %} or recently downloaded from {% data variables.product.github %}.
+> * For the most up to date {% data variables.product.prodname_codeql %} queries, check out the `main` branch. This branch represents the very latest version of {% data variables.product.prodname_codeql %}’s analysis.
+
+## 4. Extract the {% data variables.product.prodname_codeql_cli %} tar archive
+
+Extract the tar archive into the directory you created in step 2.
+
+For example, if the path to your copy of the {% data variables.product.prodname_codeql %} repository is `$HOME/codeql-home/codeql-repo`, then extract the CLI into
+`$HOME/codeql-home/`.
+
+## 5. Launch `codeql`
+
+{% data reusables.codeql-cli.launch-codeql %}
+
+## 6. Verify your {% data variables.product.prodname_codeql_cli %} setup
+
+{% data variables.product.prodname_codeql_cli %} has subcommands you can execute to verify that you are correctly set up to create and analyze databases:
+
+* Run `codeql resolve languages` to show which languages are available for database creation. This will list the languages supported by default in your {% data variables.product.prodname_codeql_cli %} package.
+* Run `codeql resolve qlpacks` to show which {% data variables.product.prodname_codeql %} packs the CLI can find. This will display the names of all the {% data variables.product.prodname_codeql %} packs directly available to the {% data variables.product.prodname_codeql_cli %}. This should include:
+ * Query packs for each supported language, for example, `codeql/{language}-queries`. These packs contain the standard queries that will be run for each analysis.
+ * Library packs for each supported language, for example, `codeql/{language}-all`. These packs contain query libraries, such as control flow and data flow libraries, that may be useful to query writers.
+ * Example packs for each supported language, for example, `codeql/{language}-examples`. These packs contain useful snippets of {% data variables.product.prodname_codeql %} that query writers may find useful.
+ * Legacy packs that ensure custom queries and libraries created using older products are compatible with your version of {% data variables.product.prodname_codeql %}.
diff --git a/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/download-databases.md b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/download-databases.md
new file mode 100644
index 000000000000..e4f00873698b
--- /dev/null
+++ b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/download-databases.md
@@ -0,0 +1,43 @@
+---
+title: Downloading CodeQL databases from GitHub
+intro: Expand the coverage of the {% data variables.product.prodname_codeql_cli %} by adding ready-made databases.
+shortTitle: Download databases
+product: '{% data reusables.gated-features.codeql %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+topics:
+ - Code Security
+ - Code scanning
+ - CodeQL
+contentType: how-tos
+---
+
+{% data variables.product.github %} stores {% data variables.product.prodname_codeql %} databases for over 200,000 repositories on {% data variables.product.prodname_dotcom_the_website %}, which you can download using the REST API. The list of repositories is constantly growing and evolving to make sure that it includes the most interesting codebases for security research.
+
+## Searching for databases
+
+You can check if a repository has any {% data variables.product.prodname_codeql %} databases available for download using the `/repos/OWNER/REPOSITORY/code-scanning/codeql/databases` endpoint. To check for {% data variables.product.prodname_codeql %} databases using the [{% data variables.product.prodname_cli %}](https://cli.github.com/manual/gh_api), run:
+
+```shell
+gh api /repos/OWNER/REPOSITORY/code-scanning/codeql/databases
+```
+
+This command returns information about any {% data variables.product.prodname_codeql %} databases that are available for a repository, including the language the database represents, and when the database was last updated. If no {% data variables.product.prodname_codeql %} databases are available, the response is empty.
+
+## Downloading a database
+
+When you have confirmed that a {% data variables.product.prodname_codeql %} database exists for the language you are interested in, you can download it using the following command:
+
+```shell
+gh api /repos/OWNER/REPOSITORY/code-scanning/codeql/databases/LANGUAGE -H 'Accept: application/zip' > LOCAL-DATABASE-FILE.zip
+```
+
+For more information, see the documentation for the [Get {% data variables.product.prodname_codeql %} database endpoint](/rest/code-scanning/code-scanning#get-a-codeql-database-for-a-repository).
+
+Before running an analysis with the {% data variables.product.prodname_codeql_cli %}, you must unzip the databases.
+
+## Further reading
+
+You can also analyze databases from {% data variables.product.prodname_dotcom_the_website %} using the {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode_shortname %} extension. For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries).
diff --git a/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/index.md b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/index.md
index f1c9e61817e1..d42008b341ed 100644
--- a/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/index.md
+++ b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/index.md
@@ -12,10 +12,11 @@ topics:
 - CodeQL
 children:
 - /setting-up-the-codeql-cli
- - /advanced-setup-of-the-codeql-cli
 - /writing-and-sharing-custom-queries-for-the-codeql-cli
 - /testing-custom-queries
 - /testing-query-help-files
+ - /download-databases
+ - /check-out-source-code
 - /specifying-command-options-in-a-codeql-configuration-file
 - /creating-database-bundle-for-troubleshooting
diff --git a/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/setting-up-the-codeql-cli.md b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/setting-up-the-codeql-cli.md
index e467dd16343a..7587a5eaa37a 100644
--- a/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/setting-up-the-codeql-cli.md
+++ b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/setting-up-the-codeql-cli.md
@@ -29,7 +29,7 @@ To run {% data variables.product.prodname_codeql %} commands, you need to set up
 The {% data variables.product.prodname_codeql_cli %} supports a range of use cases and directory structures. This article walks through a simple setup that works for most users and environments.
-If you plan to use the {% data variables.product.prodname_codeql_cli %} for security research or to test or contribute queries, you may need a more advanced setup. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/advanced-setup-of-the-codeql-cli).
+If you plan to use the {% data variables.product.prodname_codeql_cli %} for security research or to test or contribute queries, you may need a more advanced setup. For more information, see [AUTOTITLE](/code-security/concepts/code-scanning/codeql/about-the-codeql-cli#getting-started).
 ### Before you begin
From b799dd3583e31527cf1e8d844eb7bf66c128e6c4 Mon Sep 17 00:00:00 2001
From: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
Date: Wed, 4 Mar 2026 14:36:11 +0000
Subject: [PATCH 2/4] Update 3.18 release notes to include command for raising projects limit (#59949)
---
 data/release-notes/enterprise-server/3-18/0.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/data/release-notes/enterprise-server/3-18/0.yml b/data/release-notes/enterprise-server/3-18/0.yml
index 5795fc0af753..e4c25478fd95 100644
--- a/data/release-notes/enterprise-server/3-18/0.yml
+++ b/data/release-notes/enterprise-server/3-18/0.yml
@@ -17,7 +17,19 @@ sections:
 Operators use OpenTelemetry metrics to monitor the appliance. This feature is currently in public preview and should only be used in preproduction environments. You can also export Prometheus metrics to third-party observability systems. See [AUTOTITLE](/admin/monitoring-and-managing-your-instance/monitoring-your-instance/opentelemetry-metrics/about-opentelemetry-metrics).
 # https://github.com/github/releases/issues/6019
 - |
- Admins can enable a larger item limit on projects, which supports up to 50,000 items. After the upgrade, the `memex-project-items` index will be migrated and an index repair started Once the `memex-project-items` index repair is completed, the new index is automatically promoted to primary and `ENABLE_PROJECTS_INCREASED_LIMITS` can be enabled. If `ENABLE_PROJECTS_INCREASED_LIMITS` is enabled before the index repair is completed, project data will appear to be missing from any partially repaired projects. This problem will resolve itself once the repair completes.
+ Site administrators can enable a larger limit of **50,000 items** on GitHub Projects, rather than the default limit of 1,200.
+
+ 1. After upgrading your instance to 3.18, wait for the `memex-project-items` index to be migrated and the `memex-project-items` index repair job to complete.
+
+ If you run the following commands before the index repair is completed, project data will appear to be missing from any partially repaired projects. This problem will resolve itself once the repair completes.
+
+ 1. Access the administrative shell and run the following command.
+
+ ``` shell copy
+ ghe-config app.github.projects-increased-limits-enabled true
+ ```
+
+ 1. Apply the configuration with `ghe-config-apply`. This will restart services and may cause a brief interruption for users.
 - heading: APIs
 notes:
From ee1c0d4933fef8918065c62461ca0f19d3b84938 Mon Sep 17 00:00:00 2001
From: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
Date: Wed, 4 Mar 2026 14:59:46 +0000
Subject: [PATCH 3/4] [EDI] Viewing code scanning logs (#59984)
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 ...ql-code-scanning-for-compiled-languages.md | 4 +-
 .../scan-from-vs-code}/accessing-logs.md | 24 +----
 .../scan-from-vs-code/index.md | 2 +
 .../giving-org-access-private-registries.md | 2 +-
 .../how-tos/view-and-interpret-data/index.md | 2 +-
 .../view-code-scanning-logs.md | 47 +++++++++
 .../viewing-code-scanning-logs.md | 97 -------------------
 .../code-scanning/code-scanning-logs.md | 66 +++++++++++++
 .../codeql/codeql-for-vs-code/index.md | 2 +-
 .../reference/code-scanning/index.md | 1 +
 .../logs-not-detailed-enough.md | 6 +-
 .../unclear-what-triggered-a-workflow.md | 2 +-
 ...analyzing-your-code-with-codeql-queries.md | 2 +-
 13 files changed, 129 insertions(+), 128 deletions(-)
 rename content/code-security/{reference/code-scanning/codeql/codeql-for-vs-code => how-tos/scan-code-for-vulnerabilities/scan-from-vs-code}/accessing-logs.md (54%)
 create mode 100644 content/code-security/how-tos/view-and-interpret-data/view-code-scanning-logs.md
 delete mode 100644 content/code-security/how-tos/view-and-interpret-data/viewing-code-scanning-logs.md
 create mode 100644 content/code-security/reference/code-scanning/code-scanning-logs.md
diff --git a/content/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/codeql-code-scanning-for-compiled-languages.md b/content/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/codeql-code-scanning-for-compiled-languages.md
index 8318b50bac1c..d856fd40178d 100644
--- a/content/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/codeql-code-scanning-for-compiled-languages.md
+++ b/content/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/codeql-code-scanning-for-compiled-languages.md 
@@ -333,7 +333,7 @@ When you enable default setup for a repository that contains C# code, the build
 {% data variables.product.prodname_codeql %} restores dependencies and generates a few additional source files, to give more accurate results, before creating a database from all the source files and dependencies.
-Dependencies are restored using multiple heuristics and strategies. The following files are the primary source of information: `*.csproj`, `*.sln`, `nuget.config`, `packages.config`, `global.json`, and `project.assets.json`. {% ifversion org-private-registry %}If a private NuGet feed is defined for the organization, this is also used, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries) and [Diagnostic information for private package registries](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#diagnostic-information-for-private-package-registries).{% endif %}
+Dependencies are restored using multiple heuristics and strategies. The following files are the primary source of information: `*.csproj`, `*.sln`, `nuget.config`, `packages.config`, `global.json`, and `project.assets.json`. 
{% ifversion org-private-registry %}If a private NuGet feed is defined for the organization, this is also used, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries) and [AUTOTITLE](/code-security/reference/code-scanning/code-scanning-logs#diagnostic-information-for-private-package-registries).{% endif %}
 The following generated source files are optional, but significantly increase the correctness of the {% data variables.product.prodname_codeql %} database: 
@@ -464,7 +464,7 @@ If you later add Kotlin code to a repository that uses the `none` build mode, {%
 {% data variables.product.prodname_codeql %} will attempt to run Gradle or Maven to extract accurate dependency information (but not to invoke a build), before creating a database from all Java files present. Every root Maven or Gradle project file (a build script without any build script present in an ancestor directory) is queried for dependency information, and more recent dependency versions are preferred if there is a clash. For information about the runner requirements to run Maven or Gradle, see [Runner requirements for Java](#runner-requirements-for-java).
- {% ifversion org-private-registry %}If a private Maven registry is defined for the organization, this is also used, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries) and [Diagnostic information for private package registries](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#diagnostic-information-for-private-package-registries).{% endif %}
+{% ifversion org-private-registry %}If a private Maven registry is defined for the organization, this is also used, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries) and [AUTOTITLE](/code-security/reference/code-scanning/code-scanning-logs##diagnostic-information-for-private-package-registries).{% endif %}
 #### Accuracy of no build analysis for Java
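Review bot: The added Maven line has a doubled fragment separator in its new link, `code-scanning-logs##diagnostic-information-for-private-package-registries`, so the anchor will not resolve to the "Diagnostic information for private package registries" section; the sibling C# hunk at line 333 and the giving-org-access-private-registries change both use a single `#`. Change it to `[AUTOTITLE](/code-security/reference/code-scanning/code-scanning-logs#diagnostic-information-for-private-package-registries)`. The surrounding `none` build-mode section continues outside the hunk.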
diff --git a/content/code-security/reference/code-scanning/codeql/codeql-for-vs-code/accessing-logs.md b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-vs-code/accessing-logs.md
similarity index 54%
rename from content/code-security/reference/code-scanning/codeql/codeql-for-vs-code/accessing-logs.md
rename to content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-vs-code/accessing-logs.md
index 046e7a53d4e6..9bc57e9b6826 100644
--- a/content/code-security/reference/code-scanning/codeql/codeql-for-vs-code/accessing-logs.md
+++ b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-vs-code/accessing-logs.md
@@ -1,5 +1,5 @@
 ---
-title: Accessing logs
+title: Accessing logs for {% data variables.product.prodname_codeql %} in {% data variables.product.prodname_vscode %}
 shortTitle: Access logs
 versions:
 fpt: '*'
@@ -14,28 +14,10 @@ allowTitleToDifferFromFilename: true
 redirect_from:
 - /code-security/codeql-for-vs-code/troubleshooting-codeql-for-vs-code/accessing-logs
 - /code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-codeql-for-vs-code/accessing-logs
-contentType: reference
+ - /code-security/reference/code-scanning/codeql/codeql-for-vs-code/accessing-logs
+contentType: how-tos
 ---
-## About logs
-
-Progress and error messages are displayed as notifications in the bottom right corner of the {% data variables.product.prodname_vscode %} workspace. These link to more detailed logs and error messages in the "Output" window.
-
-You can access the following logs:
-
-* {% data variables.product.prodname_codeql %} Extension
-
-* {% data variables.product.prodname_codeql %} Language Server
-
-* {% data variables.product.prodname_codeql %} Query Server
-
-* {% data variables.product.prodname_codeql %} Tests
-
-> [!NOTE]
-> The {% data variables.product.prodname_codeql %} Language Server log contains more advanced debug logs for {% data variables.product.prodname_codeql %} language maintainers. You should only need these to provide details in a bug report.
-
-## Accessing logs
-
 1. In {% data variables.product.prodname_vscode %}, open the "Output" window.
 1. Use the dropdown to select the log view you need. For example, "{% data variables.product.prodname_codeql %} Extension Log".
diff --git a/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-vs-code/index.md b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-vs-code/index.md
index 61c31ff12443..eb0261613e7e 100644
--- a/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-vs-code/index.md
+++ b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-vs-code/index.md
@@ -27,4 +27,6 @@ children:
 - /customizing-settings
 - /setting-up-a-codeql-workspace
 - /configuring-access-to-the-codeql-cli
+ - /accessing-logs
 ---
+
diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries.md
index bb8411033c58..810581b6106c 100644
--- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries.md
+++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries.md
@@ -61,7 +61,7 @@ When configuring private registries for the first time, you need to disable and
 For languages supporting private package registries, {% data variables.product.prodname_code_scanning %} default setup will produce information on the {% data variables.code-scanning.tool_status_page %}. This shows you which private registry configurations were available to an analysis, but not whether {% data variables.product.prodname_code_scanning %} default setup was able to successfully download private dependencies from them. For more information about the {% data variables.code-scanning.tool_status_page %}, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page).
-Alternatively, you can confirm whether private registries were configured for a {% data variables.product.prodname_code_scanning %} analysis by looking in the Actions logs. See [Diagnostic information for private package registries](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#diagnostic-information-for-private-package-registries).
+Alternatively, you can confirm whether private registries were used successfully by {% data variables.product.prodname_code_scanning %} analysis by looking in the Actions log files, see [AUTOTITLE](/code-security/reference/code-scanning/code-scanning-logs#diagnostic-information-for-private-package-registries).
 ## {% data variables.product.prodname_code_scanning_caps %} advanced setup access to private registries
diff --git a/content/code-security/how-tos/view-and-interpret-data/index.md b/content/code-security/how-tos/view-and-interpret-data/index.md
index 3af1e406c342..27fabe9c9b83 100644
--- a/content/code-security/how-tos/view-and-interpret-data/index.md
+++ b/content/code-security/how-tos/view-and-interpret-data/index.md
@@ -17,7 +17,7 @@ topics:
 contentType: how-tos
 children:
 - /analyze-organization-data
- - /viewing-code-scanning-logs
+ - /view-code-scanning-logs
 - /viewing-dependabot-job-logs
 - /view-custom-pattern-metrics
 - /change-used-by-data
diff --git a/content/code-security/how-tos/view-and-interpret-data/view-code-scanning-logs.md b/content/code-security/how-tos/view-and-interpret-data/view-code-scanning-logs.md
new file mode 100644
index 000000000000..ecd7e8ab003c
--- /dev/null
+++ b/content/code-security/how-tos/view-and-interpret-data/view-code-scanning-logs.md
@@ -0,0 +1,47 @@
+---
+title: Viewing code scanning logs from GitHub Actions
+intro: View the output from a {% data variables.product.prodname_code_scanning %} analysis in {% data variables.product.prodname_actions %}.
+permissions: '{% data reusables.permissions.code-scanning-pr-alerts %}'
+redirect_from:
+ - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/viewing-code-scanning-logs
+ - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/viewing-code-scanning-logs
+ - /code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs
+ - /code-security/how-tos/view-and-interpret-data/viewing-code-scanning-logs
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+contentType: how-tos
+topics:
+ - Security
+shortTitle: View code scanning logs
+---
+
+{% data reusables.code-scanning.enterprise-enable-code-scanning-actions %}
+
+After configuring {% data variables.product.prodname_code_scanning %} using default setup or a custom {% data variables.product.prodname_actions %} workflow, you can watch the output of the actions as they run. For information about logs for other {% data variables.product.prodname_code_scanning %} setups, see [AUTOTITLE](/code-security/reference/code-scanning/code-scanning-logs).
+
+{% data reusables.repositories.actions-tab %}
+
+ You'll see a list that includes an entry for running the {% data variables.product.prodname_code_scanning %} workflow. The text of the entry is the title you gave your commit message.
+
+ ![Screenshot of the "All workflows" page. In the list of workflow runs is a run labeled "Create .github/workflows/codeql.yml."](/assets/images/help/repository/code-scanning-actions-list.png)
+
+1. Click the entry for the {% data variables.product.prodname_code_scanning %} workflow. 
+
+ > [!NOTE]
+ > If you are looking for the {% data variables.product.prodname_codeql %} workflow run triggered by enabling default setup, the text of the entry is "{% data variables.product.prodname_codeql %}."
+
+1. Click the job name on the left. For example, **Analyze (LANGUAGE)**.
+
+ ![Screenshot of the log output for the "Analyze (go)" job. In the left sidebar, under the "Jobs" heading, "Analyze (go)" is listed.](/assets/images/help/repository/code-scanning-logging-analyze-action.png)
+
+1. Review the logging output from the actions in this workflow as they run.
+
+1. Optionally, to see more detail about the commit that triggered the workflow run, click the short commit hash. The short commit hash is 7 lowercase characters immediately following the commit author's username.
+
+1. Once all jobs are complete, you can view the details of any {% data variables.product.prodname_code_scanning %} alerts that were identified. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository).
+
+## Further reading
+
+If you're looking for diagnostic information about whether {% data variables.product.prodname_code_scanning %} accessed any private registries, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/viewing-code-scanning-logs).
diff --git a/content/code-security/how-tos/view-and-interpret-data/viewing-code-scanning-logs.md b/content/code-security/how-tos/view-and-interpret-data/viewing-code-scanning-logs.md
deleted file mode 100644
index cd5fdede454c..000000000000
--- a/content/code-security/how-tos/view-and-interpret-data/viewing-code-scanning-logs.md
+++ /dev/null
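Review bot: The "Further reading" sentence at the end of the new view-code-scanning-logs.md links to `/code-security/how-tos/view-and-interpret-data/viewing-code-scanning-logs`, which is the path this commit deletes and lists in this same file's `redirect_from`, so the link redirects back to the page itself instead of reaching the private-registry diagnostics that now live in the reference page. Point it at `[AUTOTITLE](/code-security/reference/code-scanning/code-scanning-logs#diagnostic-information-for-private-package-registries)`. The same stale path is used in the new code-scanning-logs.md ("To access these logs, see ..."), where the intended target appears to be this how-to at its new path `/code-security/how-tos/view-and-interpret-data/view-code-scanning-logs`, and the unclear-what-triggered-a-workflow.md hunk still links through the old `managing-your-code-scanning-configuration/viewing-code-scanning-logs` redirect while the other hunks in this commit use the canonical paths.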
@@ -1,97 +0,0 @@
----
-title: Viewing code scanning logs
-intro: You can view the output generated during {% data variables.product.prodname_code_scanning %} analysis in {% data variables.product.github %}.
-permissions: '{% data reusables.permissions.code-scanning-pr-alerts %}'
-redirect_from:
- - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/viewing-code-scanning-logs
- - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/viewing-code-scanning-logs
- - /code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs
-versions:
- fpt: '*'
- ghes: '*'
- ghec: '*'
-contentType: how-tos
-topics:
- - Security
-shortTitle: View code scanning logs
---
-
-{% data reusables.code-scanning.enterprise-enable-code-scanning-actions %}
-
-## About your {% data variables.product.prodname_code_scanning %} configuration
-
-You can use a variety of tools to configure {% data variables.product.prodname_code_scanning %} in your repository. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) and [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning).
-
-The log and diagnostic information available to you depends on the method you use for {% data variables.product.prodname_code_scanning %} in your repository. You can check the type of {% data variables.product.prodname_code_scanning %} you're using in the **Security** tab of your repository, by using the **Tool** drop-down menu in the alert list. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository). 
-
-## About analysis and diagnostic information
-
-You can see analysis and diagnostic information for {% data variables.product.prodname_code_scanning %} run using {% data variables.product.prodname_codeql %} analysis on {% data variables.product.prodname_dotcom %}.
-
-Analysis information is shown for the most recent analysis in a header at the top of the list of alerts. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository).
-
-Diagnostic information is displayed in the Action workflow logs and consists of summary metrics and extractor diagnostics. For information about accessing {% data variables.product.prodname_code_scanning %} logs on {% data variables.product.prodname_dotcom %}, see [Viewing the logging output from {% data variables.product.prodname_code_scanning %}](#viewing-the-logging-output-from-code-scanning) below.
-
-If you're using the {% data variables.product.prodname_codeql_cli %} outside {% data variables.product.prodname_dotcom %}, you'll see diagnostic information in the output generated during database analysis. This information is also included in the SARIF results file you upload to {% data variables.product.prodname_dotcom %} with the {% data variables.product.prodname_code_scanning %} results.
-
-For information about the {% data variables.product.prodname_codeql_cli %}, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#viewing-log-and-diagnostic-information). 
-
-### About summary metrics
-
-{% data reusables.code-scanning.summary-metrics %}
-
-### About {% data variables.product.prodname_codeql %} source code extraction diagnostics
-
-{% data reusables.code-scanning.extractor-diagnostics %}
-
-You can see more detailed information about {% data variables.product.prodname_codeql %} extractor errors and warnings that occurred during database creation by enabling debug logging. For more information, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/logs-are-not-detailed-enough#creating-codeql-debugging-artifacts-by-re-running-jobs-with-debug-logging-enabled).
-
-## Viewing the logging output from {% data variables.product.prodname_code_scanning %}
-
-This section applies to {% data variables.product.prodname_code_scanning %} run using {% data variables.product.prodname_actions %} ({% data variables.product.prodname_codeql %} or third-party).
-
-After configuring {% data variables.product.prodname_code_scanning %} for your repository, you can watch the output of the actions as they run.
-
-{% data reusables.repositories.actions-tab %}
-
- You'll see a list that includes an entry for running the {% data variables.product.prodname_code_scanning %} workflow. The text of the entry is the title you gave your commit message.
-
- ![Screenshot of the "All workflows" page. In the list of workflow runs is a run labeled "Create .github/workflows/codeql.yml."](/assets/images/help/repository/code-scanning-actions-list.png)
-
-1. Click the entry for the {% data variables.product.prodname_code_scanning %} workflow.
-
- > [!NOTE]
- > If you are looking for the {% data variables.product.prodname_codeql %} workflow run triggered by enabling default setup, the text of the entry is "{% data variables.product.prodname_codeql %}."
-
-1. Click the job name on the left. For example, **Analyze (LANGUAGE)**.
-
- ![Screenshot of the log output for the "Analyze (go)" job. 
In the left sidebar, under the "Jobs" heading, "Analyze (go)" is listed.](/assets/images/help/repository/code-scanning-logging-analyze-action.png)
-
-1. Review the logging output from the actions in this workflow as they run.
-
-1. Optionally, to see more detail about the commit that triggered the workflow run, click the short commit hash. The short commit hash is 7 lowercase characters immediately following the commit author's username.
-
-1. Once all jobs are complete, you can view the details of any {% data variables.product.prodname_code_scanning %} alerts that were identified. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository).
-
-{% ifversion org-private-registry %}
-
-### Diagnostic information for private package registries
-
-{% data variables.product.prodname_code_scanning_caps %} default setup workflows include a `Setup proxy for registries` step. When you are looking at a workflow run for default setup, you can expand this step to view the corresponding log. This contains information about which private package registry configurations were available to the analysis. Additionally, the log contains some diagnostic information which may help with troubleshooting if the private package registries are not successfully used by {% data variables.product.prodname_code_scanning %} default setup. Look for the following messages:
-
-* `Using registries_credentials input.` At least one private registry is configured for the organization. This includes configurations for private registry types which are not supported by {% data variables.product.prodname_code_scanning %} default setup. For more details about supported registry types, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries). 
-
-* `Credentials loaded for the following registries:`
- * If no list of configurations follows, then no private registry configurations supported by {% data variables.product.prodname_code_scanning %} default setup were found.
- * Otherwise, one line for each supported configuration that was successfully loaded is shown. For example, a line containing `Type: nuget_feed; Host: undefined; Url: https://nuget.pkg.github.com/; Username: undefined; Password: true; Token: false` indicates that a private NuGet Feed configuration was loaded.
- * The information about the configuration in the log may not match exactly what is configured for the organization in the UI. For example, the log may indicate that a `Password` is set, even though a `Token` is configured in the UI.
-
-* `Proxy started on 127.0.0.1:49152` The authentication proxy that is used by {% data variables.product.prodname_code_scanning %} default setup to authenticate to the configured private package registries was started successfully.
-
-* Following this, there may be messages about the outcomes of connection tests which try to reach the configured private package registries through the authentication proxy. This is a best-effort process. If these checks are not successful for some registries, it does not necessarily mean that the relevant configurations are not working. However, if you find that {% data variables.product.prodname_code_scanning %} default setup is unable to successfully access dependencies in the private registries during the analysis, then this may provide some information to help troubleshoot the issue.
-
-If the output from the `Setup proxy for registries` step is as expected, but {% data variables.product.prodname_code_scanning %} default setup is unable to successfully access dependencies in the private registries, you can obtain additional troubleshooting information. 
See [AUTOTITLE](/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup).
-
-For more information about giving {% data variables.product.prodname_code_scanning %} default setup access to private registries, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries).
-
-{% endif %}
diff --git a/content/code-security/reference/code-scanning/code-scanning-logs.md b/content/code-security/reference/code-scanning/code-scanning-logs.md
new file mode 100644
index 000000000000..1b2563d7cf7c
--- /dev/null
+++ b/content/code-security/reference/code-scanning/code-scanning-logs.md
@@ -0,0 +1,66 @@
+---
+title: Code scanning logs
+intro: You can view the output generated during {% data variables.product.prodname_code_scanning %} analysis in {% data variables.product.github %}.
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+contentType: reference
+topics:
+ - Security
+shortTitle: Code scanning logs
+---
+
+The log and diagnostic information available to you depends on the method you use for {% data variables.product.prodname_code_scanning %} in your repository. You can check the type of {% data variables.product.prodname_code_scanning %} you're using in the **Security** tab of your repository, by using the **Tool** drop-down menu in the alert list. To access this page, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository).
+
+## Logs on {% data variables.product.github %}
+
+You can see analysis and diagnostic information for {% data variables.product.prodname_code_scanning %} run using {% data variables.product.prodname_codeql %} analysis on {% data variables.product.prodname_dotcom %}.
+
+* Analysis information is shown for the most recent analysis in a header at the top of the list of alerts. See [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository).
+* Diagnostic information is displayed in the {% data variables.product.prodname_actions %} workflow logs and consists of summary metrics and extractor diagnostics. To access these logs, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/viewing-code-scanning-logs). 
+
+### Summary metrics
+
+{% data reusables.code-scanning.summary-metrics %}
+
+### Source code extraction diagnostics
+
+{% data reusables.code-scanning.extractor-diagnostics %}
+
+You can see more detailed information about {% data variables.product.prodname_codeql %} extractor errors and warnings that occurred during database creation by enabling debug logging. See [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/logs-are-not-detailed-enough#creating-codeql-debugging-artifacts-by-re-running-jobs-with-debug-logging-enabled).
+
+{% ifversion org-private-registry %}
+
+### Diagnostic information for private package registries
+
+{% data variables.product.prodname_code_scanning_caps %} default setup workflows include a `Setup proxy for registries` step. When you are looking at a workflow run for default setup, you can expand this step to view the corresponding log. This contains information about which private package registry configurations were available to the analysis. Additionally, the log contains some diagnostic information which may help with troubleshooting if the private package registries are not successfully used by {% data variables.product.prodname_code_scanning %} default setup. Look for the following messages:
+
+* `Using registries_credentials input.` At least one private registry is configured for the organization. This includes configurations for private registry types which are not supported by {% data variables.product.prodname_code_scanning %} default setup. For more details about supported registry types, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries). 
+
+* `Credentials loaded for the following registries:`
+ * If no list of configurations follows, then no private registry configurations supported by {% data variables.product.prodname_code_scanning %} default setup were found.
+ * Otherwise, one line for each supported configuration that was successfully loaded is shown. For example, a line containing `Type: nuget_feed; Host: undefined; Url: https://nuget.pkg.github.com/; Username: undefined; Password: true; Token: false` indicates that a private NuGet Feed configuration was loaded.
+ * The information about the configuration in the log may not match exactly what is configured for the organization in the UI. For example, the log may indicate that a `Password` is set, even though a `Token` is configured in the UI.
+
+* `Proxy started on 127.0.0.1:49152` The authentication proxy that is used by {% data variables.product.prodname_code_scanning %} default setup to authenticate to the configured private package registries was started successfully.
+
+* Following this, there may be messages about the outcomes of connection tests which try to reach the configured private package registries through the authentication proxy. This is a best-effort process. If these checks are not successful for some registries, it does not necessarily mean that the relevant configurations are not working. However, if you find that {% data variables.product.prodname_code_scanning %} default setup is unable to successfully access dependencies in the private registries during the analysis, then this may provide some information to help troubleshoot the issue.
+
+If the output from the `Setup proxy for registries` step is as expected, but {% data variables.product.prodname_code_scanning %} default setup is unable to successfully access dependencies in the private registries, you can obtain additional troubleshooting information. 
See [AUTOTITLE](/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup).
+
+For more information about giving {% data variables.product.prodname_code_scanning %} default setup access to private registries, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries).
+
+{% endif %}
+
+## Logs for the {% data variables.product.prodname_codeql_cli %}
+
+If you're using the {% data variables.product.prodname_codeql_cli %} outside {% data variables.product.prodname_dotcom %}, you'll see diagnostic information in the output generated during database analysis. This information is also included in the SARIF results file.
+
+## Logs in {% data variables.product.prodname_vscode_shortname %}
+
+Progress and error messages are displayed as notifications in the bottom right corner of the {% data variables.product.prodname_vscode %} workspace. These link to more detailed logs and error messages in the "Output" window.
+
+You can access separate logs for the {% data variables.product.prodname_codeql %} extension, language server, query Server, or tests. The Language Server log contains more advanced debug logs for {% data variables.product.prodname_codeql %} language maintainers. You should only need these to provide details in a bug report.
+
+To access these logs, see [AUTOTITLE](/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-vs-code/accessing-logs).
diff --git a/content/code-security/reference/code-scanning/codeql/codeql-for-vs-code/index.md b/content/code-security/reference/code-scanning/codeql/codeql-for-vs-code/index.md
index 0df44cc3be46..cc65634d5ce0 100644
--- a/content/code-security/reference/code-scanning/codeql/codeql-for-vs-code/index.md
+++ b/content/code-security/reference/code-scanning/codeql/codeql-for-vs-code/index.md
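Review bot: The "Logs in VS Code" paragraph of the new reference page mixes capitalization in its list of log names, `extension, language server, query Server, or tests`, and then switches to title case for `The Language Server log` in the next sentence; the list that this replaces used consistent product-style names. Pick one form, for example `extension, language server, query server, or tests` with `The language server log` following it, so the three log names read the same way within one paragraph.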
@@ -14,10 +14,10 @@ topics:
 contentType: reference
 children:
 - /telemetry-in-codeql-for-visual-studio-code
- - /accessing-logs
 - /warning-problem-with-controller-repository
 redirect_from:
 - /code-security/codeql-for-vs-code/troubleshooting-codeql-for-visual-studio-code
 - /code-security/codeql-for-vs-code/troubleshooting-codeql-for-vs-code
 - /code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-codeql-for-vs-code
 ---
+
diff --git a/content/code-security/reference/code-scanning/index.md b/content/code-security/reference/code-scanning/index.md
index 77532e541ee1..8f3e007dc1e4 100644
--- a/content/code-security/reference/code-scanning/index.md
+++ b/content/code-security/reference/code-scanning/index.md
@@ -17,4 +17,5 @@ children:
 - sarif-files
 - codeql
 - troubleshoot-analysis-errors
+ - code-scanning-logs
 ---
diff --git a/content/code-security/reference/code-scanning/troubleshoot-analysis-errors/logs-not-detailed-enough.md b/content/code-security/reference/code-scanning/troubleshoot-analysis-errors/logs-not-detailed-enough.md
index 0b91021f933b..b0389c17a428 100644
--- a/content/code-security/reference/code-scanning/troubleshoot-analysis-errors/logs-not-detailed-enough.md
+++ b/content/code-security/reference/code-scanning/troubleshoot-analysis-errors/logs-not-detailed-enough.md
@@ -1,7 +1,7 @@
 ---
 title: Logs are not detailed enough
 shortTitle: Logs not detailed enough
-intro: Increase log verbosity and generate debugging artifacts when logs lack diagnostic detail.
+intro: Increase log verbosity and generate debugging artifacts when logs lack diagnostic detail.
 allowTitleToDifferFromFilename: true
 versions:
 fpt: '*'
@@ -41,7 +41,7 @@ These artifacts will help you debug problems with {% data variables.product.prod
### Creating {% data variables.product.prodname_codeql %} debugging artifacts for {% data variables.product.prodname_codeql %} default setup
-You can create {% data variables.product.prodname_codeql %} debugging artifacts by enabling step debug logging (see [Enabling step debug logging](#enabling-step-debug-logging)) and triggering a new {% data variables.product.prodname_codeql %} analysis, for example, by pushing a new commit to a pull request branch.
+You can create {% data variables.product.prodname_codeql %} debugging artifacts by enabling step debug logging (see [Enabling step debug logging](#enabling-step-debug-logging)) and triggering a new {% data variables.product.prodname_codeql %} analysis, for example, by pushing a new commit to a pull request branch.
{% ifversion org-private-registry %}
@@ -72,4 +72,4 @@ You can create {% data variables.product.prodname_codeql %} debugging artifacts
#### Using {% data variables.product.prodname_actions %} step debug logging
-If you enable {% data variables.product.prodname_actions %} step debug logging, {% data variables.product.prodname_codeql %} will also produce debugging artifacts and upload them as part of the workflow run. For instructions, see [Enabling step debug logging](#enabling-step-debug-logging).
+If you enable {% data variables.product.prodname_actions %} step debug logging, {% data variables.product.prodname_codeql %} will also produce debugging artifacts and upload them as part of the workflow run. For instructions, see [Enabling step debug logging](#enabling-step-debug-logging).
diff --git a/content/code-security/reference/code-scanning/troubleshoot-analysis-errors/unclear-what-triggered-a-workflow.md b/content/code-security/reference/code-scanning/troubleshoot-analysis-errors/unclear-what-triggered-a-workflow.md
index 069a7ea54a26..8ffc6185c416 100644
--- a/content/code-security/reference/code-scanning/troubleshoot-analysis-errors/unclear-what-triggered-a-workflow.md
+++ b/content/code-security/reference/code-scanning/troubleshoot-analysis-errors/unclear-what-triggered-a-workflow.md
@@ -16,4 +16,4 @@ contentType: reference
The {% data variables.code-scanning.tool_status_page %} shows you how well {% data variables.product.prodname_code_scanning %} tools are working for a repository, when files in the repository were first scanned and most recently scanned, and when scans are scheduled. For integrated tools like {% data variables.product.prodname_codeql %}, you can also see more detailed information, including a percentage of files scanned and specific error messages. For more information about the {% data variables.code-scanning.tool_status_page %}, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page).
-You can also view the logging output from {% data variables.product.prodname_code_scanning %} runs using {% data variables.product.prodname_actions %} ({% data variables.product.prodname_codeql %} or third-party). For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#viewing-the-logging-output-from-code-scanning).
+You can also view the logging output from {% data variables.product.prodname_code_scanning %} runs using {% data variables.product.prodname_actions %} ({% data variables.product.prodname_codeql %} or third-party). For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs).
diff --git a/content/code-security/tutorials/customize-code-scanning/analyzing-your-code-with-codeql-queries.md b/content/code-security/tutorials/customize-code-scanning/analyzing-your-code-with-codeql-queries.md
index 5a12a1638407..bd3d4d1da9a2 100644
--- a/content/code-security/tutorials/customize-code-scanning/analyzing-your-code-with-codeql-queries.md
+++ b/content/code-security/tutorials/customize-code-scanning/analyzing-your-code-with-codeql-queries.md
@@ -290,7 +290,7 @@ Results files can be integrated into your own code-review or debugging infrastru
When you analyze a {% data variables.product.prodname_codeql %} database using a {% data variables.product.prodname_code_scanning %} query suite, in addition to generating detailed information about alerts, the CLI reports diagnostic data from the database generation step and summary metrics. If you choose to generate SARIF output, the additional data is also included in the SARIF file. For repositories with few alerts, you may find this information useful for determining if there are genuinely few problems in the code, or if there were errors generating the {% data variables.product.prodname_codeql %} database. For more detailed output from `codeql database analyze`, use the `--verbose` option.
-For more information about the type of diagnostic information available, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#about-analysis-and-diagnostic-information).
+For more information about the type of diagnostic information available, see [AUTOTITLE](/code-security/reference/code-scanning/code-scanning-logs).
You can choose to export and upload diagnostic information to {% data variables.product.github %} even if a {% data variables.product.prodname_codeql %} analysis fails. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github#uploading-diagnostic-information-to-github-if-the-analysis-fails).
From f7183984611cfeac3354830c63d82ed0f9fbedb2 Mon Sep 17 00:00:00 2001
From: Kathleen <36471738+kathleenqin@users.noreply.github.com>
Date: Wed, 4 Mar 2026 07:33:05 -0800
Subject: [PATCH 4/4] Clarify metrics does include PR and CLI metrics now (#59950)
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .../concepts/copilot-usage-metrics/copilot-metrics.md | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/content/copilot/concepts/copilot-usage-metrics/copilot-metrics.md b/content/copilot/concepts/copilot-usage-metrics/copilot-metrics.md
index f63bdf1f6e56..a5bc24c84b0f 100644
--- a/content/copilot/concepts/copilot-usage-metrics/copilot-metrics.md
+++ b/content/copilot/concepts/copilot-usage-metrics/copilot-metrics.md
@@ -35,14 +35,12 @@ Metrics are available through:
## Which usage is included?
-The {% data variables.product.prodname_copilot_short %} usage metrics are derived exclusively from telemetry sent by IDEs. In order for an end user to be counted towards these metrics, they **must have telemetry enabled in their IDE**.
+The {% data variables.product.prodname_copilot_short %} usage metrics are derived from telemetry across multiple Copilot surfaces. Because many metrics come from IDE telemetry, **end users must have telemetry enabled in their IDE to be included in these metrics**.
-This means the data **does not include** activity from other {% data variables.product.prodname_copilot_short %} surfaces, such as:
+The data **does not include** activity from other {% data variables.product.prodname_copilot_short %} surfaces, such as:
* {% data variables.copilot.copilot_chat_short %} on {% data variables.product.prodname_dotcom_the_website %}
* {% data variables.product.prodname_mobile %}
-* {% data variables.copilot.copilot_code-review_short %}
-* {% data variables.copilot.copilot_cli_short %}
License and seat management data are not included in {% data variables.product.prodname_copilot_short %} usage metrics reports. To view or manage license assignments, use the {% data variables.product.prodname_copilot_short %} user management API, which is the source of truth for license and seat information. See [AUTOTITLE](/rest/copilot/copilot-user-management).