Conversation
The Code Scanning status check used to be _Code Scanning results_, but it has changed to _CodeQL_. Update the documentation to reflect this change.
📝 WalkthroughWalkthroughA documentation file about code scanning alerts in pull requests was updated to replace dynamic template variables with the literal text "CodeQL" in two locations within the content. Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~5 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In
`@content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests.md`:
- Line 31: The statement that the "CodeQL" check must pass is misleading; update
the sentence in the triaging document so it explains that the required status
check name is determined by the GitHub Actions workflow and job names (not a
fixed "CodeQL" label) and that repositories using other scanners or custom SARIF
uploads may show different check names (eg. Trivy, Semgrep, or a custom
workflow); edit the sentence referencing "CodeQL" to say something like "the
required code-scanning check (named according to the repository's Actions
workflow/job, e.g., CodeQL, Trivy, Semgrep, or a custom SARIF upload) must pass"
and keep the existing protected-branches link.
- Line 39: The sentence incorrectly states that the check containing code
scanning results is always "CodeQL"; update the text to clarify that CodeQL
workflows default to the "CodeQL" label but can be renamed via the workflow YAML
(the workflow `name:` and job `name:` fields), whereas SARIF uploads and
third‑party tools use the check name "Code scanning results"; modify the
paragraph to distinguish CodeQL-specific behavior from SARIF/third‑party
behavior and mention both the default "CodeQL" label and the "Code scanning
results" check name.
| In repositories where {% data variables.product.prodname_code_scanning %} is configured as a pull request check, {% data variables.product.prodname_code_scanning %} checks the code in the pull request. By default, this is limited to pull requests that target the default branch, but you can change this configuration within {% data variables.product.prodname_actions %} or in a third-party CI/CD system. If merging the changes would introduce new {% data variables.product.prodname_code_scanning %} alerts to the target branch, these are reported as check results in the pull request. The alerts are also shown as annotations in the **Files changed** tab of the pull request. If you have write permission for the repository, you can see any existing {% data variables.product.prodname_code_scanning %} alerts on the **Security** tab. For information about repository alerts, see "[Managing {% data variables.product.prodname_code_scanning %} alerts for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository)." | ||
|
|
||
| If your pull request targets a protected branch that uses {% data variables.product.prodname_code_scanning %}, and the repository owner has configured required status checks, then the "{% data variables.product.prodname_code_scanning_capc %} results" check must pass before you can merge the pull request. For more information, see "[About protected branches](/github/administering-a-repository/about-protected-branches#require-status-checks-before-merging)." | ||
| If your pull request targets a protected branch that uses {% data variables.product.prodname_code_scanning %}, and the repository owner has configured required status checks, then the "CodeQL" check must pass before you can merge the pull request. For more information, see "[About protected branches](/github/administering-a-repository/about-protected-branches#require-status-checks-before-merging)." |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
GitHub code scanning status check name CodeQL third-party SARIF tools documentation
💡 Result:
GitHub doesn’t have a special, fixed “code scanning / CodeQL” required status check name that you can rely on across setups. The “status checks” you can require in branch protection come from the Checks API check runs created by your workflow/jobs, so the name is determined by your GitHub Actions workflow name and job name(s). GitHub even warns to keep job names unique across workflows to avoid ambiguous required status checks. [1]
CodeQL (GitHub Actions)
- Default setup runs as a workflow whose entry in Actions is named “CodeQL”. [2]
- With the standard advanced CodeQL workflow, the PR check typically appears as
<workflow name> / <job name>(for example, workflow nameCodeQLwith job names likeAnalyze (LANGUAGE)).
Third-party SARIF uploads
- The check you can require is likewise the workflow/job that runs your tool and/or uploads SARIF (whatever you named it in YAML). [3]
- The
categoryinput (or auto-generated category) affects how code scanning groups SARIF analyses (it becomesrunAutomationDetails.idin SARIF), not the branch-protection status check name. [3][4]
Where to confirm the exact check name: open a PR → Checks tab (or the merge box) and copy the check’s displayed name; that exact string is what branch protection “Require status checks” will list.
Sources:
[1] GitHub Docs – About protected branches (required checks / unique job names) (docs.github.com)
[2] GitHub Docs – Viewing code scanning logs (default setup workflow run shows “CodeQL”) (docs.github.com)
[3] GitHub Docs – Uploading a SARIF file to GitHub (upload-sarif, optional category) (docs.github.com)
[4] GitHub Docs – Customizing advanced setup for code scanning (how category is generated and used) (docs.github.com)
Citations:
- 1: https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches?utm_source=openai
- 2: https://docs.github.com/en/code-security/how-tos/view-and-interpret-data/viewing-code-scanning-logs?utm_source=openai
- 3: https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/integrate-with-existing-tools/uploading-a-sarif-file-to-github?learn=code_security_integration&utm_source=openai
- 4: https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/configure-code-scanning/customizing-your-advanced-setup-for-code-scanning?learn=code_security_actions&learnProduct=code-security&utm_source=openai
Clarify check name for non‑CodeQL tools.
The check name is determined by the GitHub Actions workflow and job names, not a fixed value. For CodeQL's default setup, the check is typically named "CodeQL", but repositories using third-party code scanning tools (Trivy, Semgrep, etc.) or custom SARIF upload workflows will have different check names. Revise to indicate this varies by configuration:
Suggested wording
- If your pull request targets a protected branch that uses {% data variables.product.prodname_code_scanning %}, and the repository owner has configured required status checks, then the "CodeQL" check must pass before you can merge the pull request.
+ If your pull request targets a protected branch that uses {% data variables.product.prodname_code_scanning %}, and the repository owner has configured required status checks, the required code scanning check must pass before you can merge the pull request. (The check name depends on your workflow configuration—for example, **CodeQL** for the default CodeQL setup.)🤖 Prompt for AI Agents
In
`@content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests.md`
at line 31, The statement that the "CodeQL" check must pass is misleading;
update the sentence in the triaging document so it explains that the required
status check name is determined by the GitHub Actions workflow and job names
(not a fixed "CodeQL" label) and that repositories using other scanners or
custom SARIF uploads may show different check names (eg. Trivy, Semgrep, or a
custom workflow); edit the sentence referencing "CodeQL" to say something like
"the required code-scanning check (named according to the repository's Actions
workflow/job, e.g., CodeQL, Trivy, Semgrep, or a custom SARIF upload) must pass"
and keep the existing protected-branches link.
| ### {% data variables.product.prodname_code_scanning_capc %} results check | ||
|
|
||
| For all configurations of {% data variables.product.prodname_code_scanning %}, the check that contains the results of {% data variables.product.prodname_code_scanning %} is: **{% data variables.product.prodname_code_scanning_capc %} results**. The results for each analysis tool used are shown separately. Any new alerts caused by changes in the pull request are shown as annotations. | ||
| For all configurations of {% data variables.product.prodname_code_scanning %}, the check that contains the results of {% data variables.product.prodname_code_scanning %} is: **CodeQL**. The results for each analysis tool used are shown separately. Any new alerts caused by changes in the pull request are shown as annotations. |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
GitHub code scanning check name SARIF uploads third-party tools
💡 Result:
For SARIF uploads from third-party tools, the pull request check name you’ll see (and can require as a branch protection status check) is:
Code scanning results(this is the single results check; results from each tool are shown separately within it). [1]
If you upload multiple SARIF files for the same commit, use a distinct category (via the upload-sarif action input or runAutomationDetails.id) to keep analyses separate—but this doesn’t change the check’s name; it controls how results are grouped/overwritten. [2][3]
Sources: [1] [2] [3]
🌐 Web query:
GitHub code scanning "CodeQL" check name configuration
💡 Result:
In GitHub code scanning with CodeQL, there are two different “names” people often mean:
1) The GitHub Checks / status check name shown on PRs
This comes from your workflow YAML, not from CodeQL itself:
- The workflow name is the top-level
name:(commonly set toCodeQL). This is what shows up as the workflow label (and in badges). (learn.microsoft.com) - The job name (
jobs.<job_id>.name) also affects what you see in the Checks UI (often something like “Analyze”). (docs.github.com)
So, in advanced setup, you “configure the check name” by renaming the workflow and/or job, e.g.:
name: "Security - Code Scanning"
jobs:
analyze:
name: "CodeQL (PR)"In default setup, GitHub manages the workflow for you, so you generally can’t meaningfully rename the check the same way. (docs.github.com)
2) The Code scanning run identity (how uploads are distinguished/grouped)
If your real goal is to make CodeQL runs distinguishable (monorepo, multiple languages, multiple workflows), use the category: input on github/codeql-action/analyze. (docs.github.com)
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: "backend/java"If you don’t set category, GitHub auto-generates one from the workflow file path, action name, and matrix vars. (docs.github.com)
Citations:
- 1: https://learn.microsoft.com/en-us/dotnet/devops/dotnet-secure-github-action?utm_source=openai
- 2: https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/configure-code-scanning/customizing-your-advanced-setup-for-code-scanning?learn=code_security_actions&learnProduct=code-security&utm_source=openai
- 3: https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/configure-code-scanning/configuring-default-setup-for-code-scanning?learn=code_security_actions&utm_source=openai
- 4: https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/configure-code-scanning/customizing-your-advanced-setup-for-code-scanning?learn=code_security_actions&learnProduct=code-security&utm_source=openai
- 5: https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/configure-code-scanning/customizing-your-advanced-setup-for-code-scanning?learn=code_security_actions&learnProduct=code-security&utm_source=openai
🌐 Web query:
GitHub documentation code scanning check results name different tools
💡 Result:
In GitHub code scanning, the “tool name” shown in the UI (and used for filtering) comes from the SARIF run’s tool metadata:
- Set the tool name in SARIF at
runs[].tool.driver.name(this is what GitHub displays as the tool name). (docs.github.com)
To get separate code-scanning “analyses / check results” for different tools (or multiple analyses of the same tool), GitHub distinguishes uploads by (tool, category):
- Use the workflow/action input
category(forgithub/codeql-action/analyzeorgithub/codeql-action/upload-sarif) to set the SARIFrunAutomationDetails.id(“category”) so multiple analyses don’t get merged. (docs.github.com) - Since July 22, 2025, GitHub no longer combines multiple SARIF runs that share the same tool and category (and may reject uploads that rely on that behavior), so you must ensure each run has a distinct tool and/or category when you want separate results. (github.blog)
Citations:
- 1: https://docs.github.com/fr/code-security/reference/code-scanning/sarif-support-for-code-scanning?utm_source=openai
- 2: https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/configure-code-scanning/customizing-your-advanced-setup-for-code-scanning?learn=code_security_actions&learnProduct=code-security&utm_source=openai
- 3: https://github.blog/changelog/2025-07-22-code-scanning-will-stop-combining-multiple-sarif-runs-uploaded-in-the-same-sarif-file?utm_source=openai
The documentation incorrectly claims "CodeQL" is the universal check name for all code scanning configurations.
The check name varies by tool type:
- SARIF uploads and third-party tools use the check name
Code scanning results(not "CodeQL") - CodeQL workflows display whatever name is set in the workflow YAML (
name:and jobname:fields), which defaults to "CodeQL" but is customizable in advanced setups
Results from each tool are shown separately within the respective check. Update the documentation to distinguish between CodeQL-specific and third-party/SARIF configurations, or clarify that "CodeQL" is the default label only for CodeQL workflows.
🤖 Prompt for AI Agents
In
`@content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests.md`
at line 39, The sentence incorrectly states that the check containing code
scanning results is always "CodeQL"; update the text to clarify that CodeQL
workflows default to the "CodeQL" label but can be renamed via the workflow YAML
(the workflow `name:` and job `name:` fields), whereas SARIF uploads and
third‑party tools use the check name "Code scanning results"; modify the
paragraph to distinguish CodeQL-specific behavior from SARIF/third‑party
behavior and mention both the default "CodeQL" label and the "Code scanning
results" check name.
2 participants
Why:
Closes:
What's being changed (if available, include any code snippets, screenshots, or gifs):
Check off the following:
I have reviewed my changes in staging, available via the View deployment link in this PR's timeline (this link will be available after opening the PR).
datadirectory.For content changes, I have completed the self-review checklist.
Summary by CodeRabbit
✏️ Tip: You can customize this high-level summary in your review settings.