Skip to content

Fix CodeQL status check name #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Madib036 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix CodeQL status check name #6

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions ...or-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,15 +28,15 @@ topics:

In repositories where {% data variables.product.prodname_code_scanning %} is configured as a pull request check, {% data variables.product.prodname_code_scanning %} checks the code in the pull request. By default, this is limited to pull requests that target the default branch, but you can change this configuration within {% data variables.product.prodname_actions %} or in a third-party CI/CD system. If merging the changes would introduce new {% data variables.product.prodname_code_scanning %} alerts to the target branch, these are reported as check results in the pull request. The alerts are also shown as annotations in the **Files changed** tab of the pull request. If you have write permission for the repository, you can see any existing {% data variables.product.prodname_code_scanning %} alerts on the **Security** tab. For information about repository alerts, see "[Managing {% data variables.product.prodname_code_scanning %} alerts for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository)."

If your pull request targets a protected branch that uses {% data variables.product.prodname_code_scanning %}, and the repository owner has configured required status checks, then the "{% data variables.product.prodname_code_scanning_capc %} results" check must pass before you can merge the pull request. For more information, see "[About protected branches](/github/administering-a-repository/about-protected-branches#require-status-checks-before-merging)."
If your pull request targets a protected branch that uses {% data variables.product.prodname_code_scanning %}, and the repository owner has configured required status checks, then the "CodeQL" check must pass before you can merge the pull request. For more information, see "[About protected branches](/github/administering-a-repository/about-protected-branches#require-status-checks-before-merging)."
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

GitHub code scanning status check name CodeQL third-party SARIF tools documentation

💡 Result:

GitHub doesn’t have a special, fixed “code scanning / CodeQL” required status check name that you can rely on across setups. The “status checks” you can require in branch protection come from the Checks API check runs created by your workflow/jobs, so the name is determined by your GitHub Actions workflow name and job name(s). GitHub even warns to keep job names unique across workflows to avoid ambiguous required status checks. [1]

CodeQL (GitHub Actions)

  • Default setup runs as a workflow whose entry in Actions is named “CodeQL”. [2]
  • With the standard advanced CodeQL workflow, the PR check typically appears as <workflow name> / <job name> (for example, workflow name CodeQL with job names like Analyze (LANGUAGE)).

Third-party SARIF uploads

  • The check you can require is likewise the workflow/job that runs your tool and/or uploads SARIF (whatever you named it in YAML). [3]
  • The category input (or auto-generated category) affects how code scanning groups SARIF analyses (it becomes runAutomationDetails.id in SARIF), not the branch-protection status check name. [3][4]

Where to confirm the exact check name: open a PR → Checks tab (or the merge box) and copy the check’s displayed name; that exact string is what branch protection “Require status checks” will list.

Sources:
[1] GitHub Docs – About protected branches (required checks / unique job names) (docs.github.com)
[2] GitHub Docs – Viewing code scanning logs (default setup workflow run shows “CodeQL”) (docs.github.com)
[3] GitHub Docs – Uploading a SARIF file to GitHub (upload-sarif, optional category) (docs.github.com)
[4] GitHub Docs – Customizing advanced setup for code scanning (how category is generated and used) (docs.github.com)

Citations:

Clarify check name for non‑CodeQL tools.

The check name is determined by the GitHub Actions workflow and job names, not a fixed value. For CodeQL's default setup, the check is typically named "CodeQL", but repositories using third-party code scanning tools (Trivy, Semgrep, etc.) or custom SARIF upload workflows will have different check names. Revise to indicate this varies by configuration:

Suggested wording 
- If your pull request targets a protected branch that uses {% data variables.product.prodname_code_scanning %}, and the repository owner has configured required status checks, then the "CodeQL" check must pass before you can merge the pull request.
+ If your pull request targets a protected branch that uses {% data variables.product.prodname_code_scanning %}, and the repository owner has configured required status checks, the required code scanning check must pass before you can merge the pull request. (The check name depends on your workflow configuration—for example, **CodeQL** for the default CodeQL setup.)
🤖 Prompt for AI Agents 
In
`@content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests.md`
at line 31, The statement that the "CodeQL" check must pass is misleading;
update the sentence in the triaging document so it explains that the required
status check name is determined by the GitHub Actions workflow and job names
(not a fixed "CodeQL" label) and that repositories using other scanners or
custom SARIF uploads may show different check names (eg. Trivy, Semgrep, or a
custom workflow); edit the sentence referencing "CodeQL" to say something like
"the required code-scanning check (named according to the repository's Actions
workflow/job, e.g., CodeQL, Trivy, Semgrep, or a custom SARIF upload) must pass"
and keep the existing protected-branches link.


## About {% data variables.product.prodname_code_scanning %} as a pull request check

There are many options for configuring {% data variables.product.prodname_code_scanning %} as a pull request check, so the exact setup of each repository will vary and some will have more than one check.

### {% data variables.product.prodname_code_scanning_capc %} results check

For all configurations of {% data variables.product.prodname_code_scanning %}, the check that contains the results of {% data variables.product.prodname_code_scanning %} is: **{% data variables.product.prodname_code_scanning_capc %} results**. The results for each analysis tool used are shown separately. Any new alerts caused by changes in the pull request are shown as annotations.
For all configurations of {% data variables.product.prodname_code_scanning %}, the check that contains the results of {% data variables.product.prodname_code_scanning %} is: **CodeQL**. The results for each analysis tool used are shown separately. Any new alerts caused by changes in the pull request are shown as annotations.
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

GitHub code scanning check name SARIF uploads third-party tools

💡 Result:

For SARIF uploads from third-party tools, the pull request check name you’ll see (and can require as a branch protection status check) is:

  • Code scanning results (this is the single results check; results from each tool are shown separately within it). [1]

If you upload multiple SARIF files for the same commit, use a distinct category (via the upload-sarif action input or runAutomationDetails.id) to keep analyses separate—but this doesn’t change the check’s name; it controls how results are grouped/overwritten. [2][3]

Sources: [1] [2] [3]

🌐 Web query:

GitHub code scanning "CodeQL" check name configuration

💡 Result:

In GitHub code scanning with CodeQL, there are two different “names” people often mean:

1) The GitHub Checks / status check name shown on PRs

This comes from your workflow YAML, not from CodeQL itself:

  • The workflow name is the top-level name: (commonly set to CodeQL). This is what shows up as the workflow label (and in badges). (learn.microsoft.com)
  • The job name (jobs.<job_id>.name) also affects what you see in the Checks UI (often something like “Analyze”). (docs.github.com)

So, in advanced setup, you “configure the check name” by renaming the workflow and/or job, e.g.:

name: "Security - Code Scanning"

jobs:
  analyze:
    name: "CodeQL (PR)"

In default setup, GitHub manages the workflow for you, so you generally can’t meaningfully rename the check the same way. (docs.github.com)

2) The Code scanning run identity (how uploads are distinguished/grouped)

If your real goal is to make CodeQL runs distinguishable (monorepo, multiple languages, multiple workflows), use the category: input on github/codeql-action/analyze. (docs.github.com)

- name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@v4
  with:
    category: "backend/java"

If you don’t set category, GitHub auto-generates one from the workflow file path, action name, and matrix vars. (docs.github.com)

Citations:

🌐 Web query:

GitHub documentation code scanning check results name different tools

💡 Result:

In GitHub code scanning, the “tool name” shown in the UI (and used for filtering) comes from the SARIF run’s tool metadata:

  • Set the tool name in SARIF at runs[].tool.driver.name (this is what GitHub displays as the tool name). (docs.github.com)

To get separate code-scanning “analyses / check results” for different tools (or multiple analyses of the same tool), GitHub distinguishes uploads by (tool, category):

  • Use the workflow/action input category (for github/codeql-action/analyze or github/codeql-action/upload-sarif) to set the SARIF runAutomationDetails.id (“category”) so multiple analyses don’t get merged. (docs.github.com)
  • Since July 22, 2025, GitHub no longer combines multiple SARIF runs that share the same tool and category (and may reject uploads that rely on that behavior), so you must ensure each run has a distinct tool and/or category when you want separate results. (github.blog)

Citations:

The documentation incorrectly claims "CodeQL" is the universal check name for all code scanning configurations.

The check name varies by tool type:

  • SARIF uploads and third-party tools use the check name Code scanning results (not "CodeQL")
  • CodeQL workflows display whatever name is set in the workflow YAML (name: and job name: fields), which defaults to "CodeQL" but is customizable in advanced setups

Results from each tool are shown separately within the respective check. Update the documentation to distinguish between CodeQL-specific and third-party/SARIF configurations, or clarify that "CodeQL" is the default label only for CodeQL workflows.

🤖 Prompt for AI Agents 
In
`@content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests.md`
at line 39, The sentence incorrectly states that the check containing code
scanning results is always "CodeQL"; update the text to clarify that CodeQL
workflows default to the "CodeQL" label but can be renamed via the workflow YAML
(the workflow `name:` and job `name:` fields), whereas SARIF uploads and
third‑party tools use the check name "Code scanning results"; modify the
paragraph to distinguish CodeQL-specific behavior from SARIF/third‑party
behavior and mention both the default "CodeQL" label and the "Code scanning
results" check name.


{% ifversion fpt or ghes > 3.2 or ghae-issue-4902 %} To see the full set of alerts for the analyzed branch, click **View all branch alerts**. This opens the full alert view where you can filter all the alerts on the branch by type, severity, tag, etc. For more information, see "[Managing code scanning alerts for your repository](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#filtering-and-searching-for-code-scanning-alerts)."

Expand Down