
[Ready to ship] Code scanning: Allow upload of multiple SARIF files for 3rd party CI/CD (GA) (#19205)

* made a start

* more work

* fix typos and add dotcom example SARIF file

* start addressing comments

* address more comments

* addressed more comments

* address outstanding comments

* Apply suggestions from code review

Co-authored-by: Laura Coursen <lecoursen@github.com>
Co-authored-by: Marco Gario  <marcogario@github.com>

* address more comments

* Update content/code-security/secure-coding/sarif-support-for-code-scanning.md

Co-authored-by: Laura Coursen <lecoursen@github.com>

* more improvements

* remove run id text

* address comment on CodeQL runner

* more improvements

Co-authored-by: Laura Coursen <lecoursen@github.com>
Co-authored-by: Marco Gario  <marcogario@github.com>
This commit is contained in:
mc
2021-05-13 13:38:52 +01:00
committed by GitHub
parent 37c8d242a4
commit ab288ad20a
5 changed files with 337 additions and 5 deletions


@@ -223,6 +223,35 @@ jobs:
```
{% endif %}
{% if currentVersion == "free-pro-team@latest" %}
### Configuring a category for the analysis
Use `category` to distinguish between multiple analyses for the same tool and commit, but performed on different languages or different parts of the code. The category you specify in your workflow will be included in the SARIF results file.
This parameter is particularly useful if you work with monorepos and have multiple SARIF files for different components of the monorepo.
{% raw %}
``` yaml
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze
with:
# Optional. Specify a category to distinguish between multiple analyses
# for the same tool and ref. If you don't use `category` in your workflow,
# GitHub will generate a default category name for you
category: "my_category"
```
{% endraw %}
If you don't specify a `category` parameter in your workflow, {% data variables.product.prodname_dotcom %} will generate a category name for you, based on the name of the workflow file triggering the action, the action name, and any matrix variables. For example:
- The `.github/workflows/codeql-analysis.yml` workflow and the `analyze` action will produce the category `.github/workflows/codeql.yml:analyze`.
- The `.github/workflows/codeql-analysis.yml` workflow, the `analyze` action, and the `{language: javascript, os: linux}` matrix variables will produce the category `.github/workflows/codeql-analysis.yml:analyze/language:javascript/os:linux`.
The `category` value will appear as the `<run>.automationDetails.id` property in SARIF v2.1.0. For more information, see "[SARIF support for {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/sarif-support-for-code-scanning#runautomationdetails-object)."
Your specified category will not overwrite the details of the `runAutomationDetails` object in the SARIF file, if included.
{% endif %}
### Running additional queries
{% data reusables.code-scanning.run-additional-queries %}
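Review bot: the first default-category bullet is inconsistent with the rule stated just above it: the workflow file is given as `.github/workflows/codeql-analysis.yml`, yet the produced category is shown as `.github/workflows/codeql.yml:analyze`, while the second bullet derives its category from the full `codeql-analysis.yml` path. Since the category is built from the name of the workflow file, the first bullet should read `.github/workflows/codeql-analysis.yml:analyze`. Two smaller points in the same hunk: the YAML snippet uses `uses: github/codeql-action/analyze` with no `@<ref>`; a repository action needs a ref to be valid, and readers copying this into a workflow should pin it to a release tag or commit SHA rather than an unpinned reference. The fence is also written as ``` yaml with a space before the language, which the rest of the docs do not do; ```yaml keeps it consistent.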