Aditya Sharad
> HI 👋🏻 How can I securely integrate a GitHub token as a parameter for reporting in GitHub issues within a CI/CD pipeline, ensuring both the confidentiality of the token...
Two possibilities come to mind:
- If you've just created the copy, then Defender might be scanning the newly-created files.
- Does an existing CodeQL process have a lock on...
`codeql database analyze` is capable of producing CSV output instead of SARIF, with the flag [`--format=csv`](https://codeql.github.com/docs/codeql-cli/manual/database-analyze/#cmdoption-codeql-database-analyze-format). Each CSV row includes information about the query as well as the alert. This...
> Actually I am looking to break a build if there are any high severity alerts identified just after analyze step

Are you uploading the CodeQL results to GitHub code...
Hi @sad-dev. The QL evaluator will already evaluate the predicates that make up a query in parallel where possible, when the number of threads is configured as you have done....
Thanks for reporting this! We have a fix in progress that will make it into a future version of CodeQL, most likely 2.6.0.
To handle spaces in your command arguments, I believe the safest approach is to create a separate batch script that contains your build command, and invoke that from `codeql database...
Thanks @scarletyyang for reaching out here and privately: we'll try this out with the latest version of CodeQL and report back next week with guidance.
@thor509 I believe your assessment is correct. `aosp/frameworks/base/core/java/android/app/PendingIntent.java` is the actual source class, and the others are stubs produced during the build process. The CodeQL Java extractor currently assumes that...
Thanks for the suggestion! To give you some insight about what happens under the hood in the CodeQL engine, `matches("...%")` gets translated into an operation like `startsWith("...")`, and similarly `matches("%...")`...