From 5cd7e0a7618a0e8c72f1403213cbaf80543ce0e1 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Fri, 19 Dec 2025 02:43:36 -0500 Subject: [PATCH 1/2] Link directly to the list of query suites - Avoids an extra click (#58967) --- .../codeql-query-suites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites.md index 05db773b20..5d890931ae 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites.md @@ -44,7 +44,7 @@ The built-in {% data variables.product.prodname_codeql %} query suites, `default * Relative to the `default` query suite, the `security-extended` suite may return a greater number of false positive {% data variables.product.prodname_code_scanning %} results. * This query suite is available for use with default setup for {% data variables.product.prodname_code_scanning %}, and is referred to as the "Extended" query suite on {% data variables.product.prodname_dotcom %}. -For a complete list of queries included in each query suite for every language, see [AUTOTITLE](/code-security/code-scanning/reference). +For a complete list of queries included in each query suite for every language, see [AUTOTITLE](/code-security/code-scanning/reference/code-ql-built-in-queries). ## Further reading From 0375f9981128b688ea11f6b8acf768bce007de2f Mon Sep 17 00:00:00 2001 
From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Fri, 19 Dec 2025 08:17:20 +0000 Subject: [PATCH 2/2] Add network requirements for self-hosted runners with automatic dependency submission (#58851) Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: felickz <1760475+felickz@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- ...pendency-submission-for-your-repository.md | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md index 7daf5c5280..32ea2f9797 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md 
@@ -69,6 +69,57 @@ Once enabled, automatic dependency submission jobs will run on the self-hosted r >[!NOTE] For Maven or Gradle projects that use self-hosted runners with private Maven registries, you need to modify the Maven server settings file to allow the dependency submission workflows to connect to the registries. For more information about the Maven server settings file, see [Security and Deployment Settings](https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#transitive-dependencies) in the Maven documentation. +### Configuring network access for self-hosted runners + +If your self-hosted runners operate behind a firewall with restricted outbound internet access, you must add certain URLs to the allowlist for automatic dependency submission. The required URLs depend on the ecosystems your repositories use. + +#### Required URLs for all ecosystems + +These URLs are required for all automatic dependency submission workflows: + +* `https://github.com`—Required for accessing {% data variables.product.github %} and downloading actions. +* `https://api.github.com`—Required for {% data variables.product.github %} API access. +* `https://*.githubusercontent.com`—Required for downloading action source code and releases (including `raw.githubusercontent.com`, `github-releases.githubusercontent.com`, and `objects.githubusercontent.com`). + +#### Ecosystem-specific URLs + +Depending on the ecosystems you use, you may need to allowlist additional URLs. + +##### Go + +* `https://go.dev`—For downloading the Go toolchain. +* `https://golang.org`—Alternate domain for Go downloads. +* `https://proxy.golang.org`—Official Go module proxy for downloading Go modules during dependency detection. + +> [!NOTE] +> The `actions/go-versions` repository is accessed via `https://raw.githubusercontent.com`, which is already covered in the general requirements. 
+ +##### Java (Maven and Gradle) + +* `https://repo.maven.apache.org`—Maven Central repository for downloading dependencies. +* `https://api.adoptium.net`—For downloading Adoptium/Temurin JDK distributions (default distribution used by `actions/setup-java`). + +If you use a different JDK distribution, you may also need: +* `https://aka.ms` and `https://download.microsoft.com`—For Microsoft Build of OpenJDK (note: `aka.ms` is also used for .NET downloads). +* `https://download.oracle.com`—For Oracle JDK. +* `https://api.azul.com`—For Azul Zulu OpenJDK. + +##### .NET (C#, F#, Visual Basic) + +* `https://aka.ms`—Microsoft URL shortener that redirects to .NET download locations. +* `https://builds.dotnet.microsoft.com`—Primary feed for .NET SDK and runtime downloads. +* `https://ci.dot.net`—Secondary feed for .NET builds. + +> [!NOTE] +> The `microsoft/component-detection` tool used by .NET autosubmission is downloaded from {% data variables.product.github %} releases, which is already covered in the general requirements (`https://github.com` and `https://*.githubusercontent.com`). + +##### Python + +* `https://python.org`—For downloading Python interpreters. + +> [!NOTE] +> The `actions/python-versions` repository and `microsoft/component-detection` releases are accessed via URLs already covered in the general requirements (`https://*.githubusercontent.com` and `https://github.com`). + ## Using {% data variables.product.company_short %}-hosted {% data variables.actions.hosted_runners %} for automatic dependency submission {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} users can use {% data variables.actions.hosted_runners %} to run automatic dependency submissions jobs.
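Review bot: the new AUTOTITLE target `/code-security/code-scanning/reference/code-ql-built-in-queries` spells the product as `code-ql`, while the file this hunk edits (`codeql-query-suites.md`) and the rest of the path use `codeql`; please confirm that slug matches the real filename under `content/code-security/code-scanning/reference/`, since an AUTOTITLE link only renders if the target page exists. Linking straight to the query list instead of the reference index is the right change; it just needs the target verified before merge.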
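Review bot: in the "Required URLs for all ecosystems" list, the `https://*.githubusercontent.com` bullet already names the three hosts it exists for (`raw.githubusercontent.com`, `github-releases.githubusercontent.com`, `objects.githubusercontent.com`); recommend listing those three hosts instead of the wildcard, because a reader who copies the wildcard into an egress policy opens every `githubusercontent.com` host, which is broader than the feature needs. Two follow-ups in the same hunk: `https://aka.ms` is described as a redirector, so the .NET bullet and the Microsoft Build of OpenJDK bullet should state that the redirect targets (`https://builds.dotnet.microsoft.com`, `https://download.microsoft.com`) must be allowed too, since a firewall that permits only the shortener still blocks the follow-on request; and the `##### Java (Maven and Gradle)` heading lists only Maven Central and JDK sources, so either add the Gradle-specific hosts a Gradle build needs or state that Gradle builds resolving from Maven Central need nothing further. Minor, in the unchanged NOTE just above the new section: the link text "Security and Deployment Settings" points at the `#transitive-dependencies` anchor of the Maven dependency-mechanism guide, which does not match the text.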