The latest release of the CodeQL CLI supports uploading analysis results to GitHub. This makes it easier to run code analysis for customers who wish to use CI/CD systems other than GitHub Actions. Previously, such users had to use the separate CodeQL Runner, which will continue to be available.
To get started, first download the updated CodeQL bundle, which includes the updated CodeQL CLI, and check out your codebase at the Git reference you want to analyze. After analyzing your codebase with codeql database create ...
and codeql database analyze ...
, you can use the new codeql github upload-results
command to upload the SARIF file with scanning results back to GitHub Code Scanning.
codeql github upload-results
currently works for one language at a time and can replace the current workflow of codeql-runner init / build / codeql-runner analyze
when a single language is being analyzed.
If you want to analyze more than one language at a time or integrate CodeQL as a separate step into your existing CI workflow, you may use CodeQL runner.
The new codeql github upload-results
command is available starting version 2.4.5 of the CodeQL CLI. The CodeQL bundle includes both the CodeQL CLI and a compatible set of queries.