
Display help text for your custom CodeQL queries in code scanning

The latest release of the CodeQL CLI supports including markdown-rendered query help in SARIF files so that the help text can be viewed in the code scanning UI. This functionality is now available for code scanning on and will be available in GitHub Enterprise Server 3.4.

The CodeQL query help text is displayed in the code scanning UI whenever the query generates an alert. The query help explains the problem in more detail, and shows examples of vulnerable and fixed code. Until now, code scanning only displayed the query help for alerts generated by the default CodeQL queries. With the release of CodeQL CLI 2.7.1, the query help for your own custom queries will be uploaded to GitHub and displayed in code scanning.

Example of custom CodeQL query help

Writing query help for custom CodeQL queries

When you write your own queries, we recommend that you write a query help file so that other users can properly understand the impact an alert has on the security of their code. For custom query help in your repository there are no restrictions on the content, but we recommend that you follow the Query help style guide to make the help text as useful as possible.

You should write query help for custom queries in your repository in a markdown file alongside the corresponding query. CodeQL code scanning looks for query help files written in markdown that share the same name as the corresponding query file. For example, if your query file is MyCustomQuery.ql, the query help file should be named

For users of third-party CI/CD systems

When using CodeQL with GitHub Actions, the query help will automatically be imported from markdown files that are stored alongside the corresponding custom queries. The query help is inserted into SARIF files generated during the analysis step and made available in the code scanning UI.

If you use a different CI/CD system, you have to add the --sarif-add-query-help flag to the codeql database analyze command to include the query help in your SARIF results files. For more information, see Analyzing databases with the CodeQL CLI.
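As an added example (not GitHub's or the CodeQL project's own code), the following Python script covers the two checks a practitioner wants after reading the naming rule and the `--sarif-add-query-help` note above: it derives the markdown help path that should sit beside a `.ql` file, and it scans a SARIF log to list rules that were uploaded without any help text. The SARIF fragment and the rule ids in it are constructed for illustration; the only structure assumed is the standard SARIF 2.1.0 `runs[].tool.driver.rules[].help` object.

```python
"""Added example: sanity checks for custom CodeQL query help.

Not part of GitHub's or CodeQL's own tooling. Assumes standard SARIF 2.1.0
layout; the sample log and rule ids below are constructed, not real output.
"""
import json
from pathlib import Path


def help_file_for(query_path: str) -> str:
    """Return the markdown help path expected for a CodeQL query file.

    Code scanning pairs a query with a help file that shares its base name
    and lives in the same directory, using a .md extension.
    """
    p = Path(query_path)
    if p.suffix != ".ql":
        raise ValueError(f"not a CodeQL query file: {query_path}")
    return p.with_suffix(".md").as_posix()


def rules_missing_help(sarif_text: str) -> list[str]:
    """Return ids of rules whose SARIF reportingDescriptor carries no help.

    After `codeql database analyze --sarif-add-query-help`, each rule should
    have a `help` object with `markdown` and/or `text`; a rule without one
    will show an alert with no explanation in the code scanning UI.
    """
    log = json.loads(sarif_text)
    missing = []
    for run in log.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        for rule in rules:
            help_obj = rule.get("help") or {}
            if not help_obj.get("markdown") and not help_obj.get("text"):
                missing.append(rule.get("id", "<no id>"))
    return missing


# Constructed SARIF 2.1.0 log for illustration; rule ids are hypothetical.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {
                "id": "custom/my-custom-query",
                "help": {
                    "text": "Explains the alert in plain text.",
                    "markdown": "## My custom query\n\nExample of bad code..."
                }
            },
            # This rule was analysed without --sarif-add-query-help (or has
            # no sibling .md file), so it will render without help text.
            {"id": "custom/undocumented-query"}
        ]}},
        "results": []
    }]
})


if __name__ == "__main__":
    print("help file:", help_file_for("queries/MyCustomQuery.ql"))
    print("rules without help:", rules_missing_help(SAMPLE_SARIF))
```

Run the script over the real SARIF file produced by your `codeql database analyze` step before uploading it; an empty list from `rules_missing_help` confirms that every custom rule will display its help in the code scanning UI.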

You can now enjoy a higher per-repository cache size. The cache storage for each repository has doubled to 10 GB. This enables Actions users on to run workflows faster by caching even bigger dependencies and other commonly reused files from previous jobs. There is no limit on the number of caches you can store, but the total size of all caches in a repository is now limited to 10 GB.

Learn more about Caching dependencies to speed up workflows. For questions, visit the GitHub Actions community. To see what’s next for Actions, visit our public roadmap.


Administrators can now allow specific users and teams to bypass pull request requirements.

For context, this image shows how administrators can use branch protections to require pull requests for all changes to a branch:

screenshot of option to protect matching branches

This is a good practice, but you may want to make exceptions to this rule for specific people and teams. For example, if you have an automated process that calls GitHub APIs to make changes in a repository, you may want to permit that automation to make changes without creating a pull request.

Now, when you require pull requests and their related protections for a branch, you can specify people and teams who should be free from those requirements. As shown in the image below, select Allow specific actors to bypass pull request requirements. Then, search for and select the people and teams who should be allowed to bypass the requirements.

Screenshot of option to bypass PR requirements

For more information, visit Managing a branch protection rule.
