Commit e7a56f3

Code Scanning - Add section to highlight alert variants / additional paths (#61026)
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
1 parent be61aa7 commit e7a56f3

3 files changed

Lines changed: 7 additions & 1 deletion

content/code-security/concepts/code-scanning/about-code-scanning-alerts.md

Lines changed: 2 additions & 0 deletions
@@ -64,6 +64,8 @@ If you configure {% data variables.product.prodname_code_scanning %} using {% da
6464

6565
When {% data variables.product.prodname_code_scanning %} reports data-flow alerts, {% data variables.product.prodname_dotcom %} shows you how data moves through the code. {% data variables.product.prodname_code_scanning_caps %} allows you to identify the areas of your code that leak sensitive information, and that could be the entry point for attacks by malicious users.
6666

67+
In some cases, the same vulnerability can be reached through multiple code paths, for example, when several different functions pass user input to the same unsafe operation. {% data variables.product.prodname_code_scanning_caps %} groups these related paths under a single alert rather than creating separate alerts for each path, so you can see the full scope of the vulnerability in one place.
68+
6769
{% data reusables.code-scanning.track-alert-in-issue %}
6870

6971
### About alerts from multiple configurations
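Review bot: the new paragraph at line 67 opens with "In some cases, the same vulnerability" without saying which alert type it applies to; since it sits directly under the data-flow paragraph and describes paths from input to an unsafe operation, consider starting with "For data-flow alerts, the same vulnerability can be reached through multiple code paths ..." so a reader landing on the paragraph via search does not take the grouping to cover every alert kind. Using "the same sink" rather than "the same unsafe operation" would also match the source/sink terminology the how-to article in this same change relies on, and a link from this concept paragraph to that how-to, which shows the paths dropdown, would tell the reader where to actually view the grouped paths.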

content/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository.md

Lines changed: 5 additions & 1 deletion
@@ -31,10 +31,14 @@ By default, the {% data variables.product.prodname_code_scanning %} alerts page
3131

3232
{% data reusables.code-scanning.explore-alert %}
3333
{% data reusables.code-scanning.alert-default-branch %}
34-
1. Optionally, if the alert highlights a problem with data flow, click **Show paths** to display the path from the data source to the sink where it's used.
34+
1. Optionally, if the alert highlights a problem with data flow, click **Show paths** to display the path from the data source to the sink where it's used. The path view shows each step in the data flow as a numbered list, from the point where user-provided data enters the code (the source) to the point where it's used in a potentially unsafe operation (the sink).
3535

3636
![Screenshot of a {% data variables.product.prodname_code_scanning %} alert. The "Show paths" and "Show more" links are outlined in dark orange.](/assets/images/help/repository/code-scanning-alert-details.png)
3737

38+
Some alerts identify multiple paths through the code that could trigger the same vulnerability. When an alert has multiple paths, a dropdown appears above the path view showing the number of paths available. You can select each path from the dropdown to review it individually.
39+
40+
![Screenshot of a {% data variables.product.prodname_code_scanning %} alert detail page showing the paths dropdown with "3 paths available".](/assets/images/help/repository/multiple-paths-available.png)
41+
3842
1. Alerts from {% data variables.product.prodname_codeql %} analysis include a description of the problem. Click **Show more** for guidance on how to fix your code.
3943
{% data reusables.security.alert-assignee-step %}
4044
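Review bot: the expanded sentence at line 34 defines the source as "the point where user-provided data enters the code", but the concept article touched in this same commit describes data-flow alerts as also covering code that leaks sensitive information, where the source is sensitive data rather than user input; "where untrusted or sensitive data enters the code (the source)" would cover both cases. Separately, the new paragraph and screenshot at lines 38 to 41 are inserted between two numbered list items: if the existing screenshot at line 36 is indented under its list item in the source file, match that indentation for the new block so the ordered list is not split into two lists. Please also confirm the new asset `/assets/images/help/repository/multiple-paths-available.png` is part of this commit (the "3 files changed" count suggests it is, but only two text files are shown in the diff).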

0 commit comments