Arguments and options for `codeql database analyze` with `--download` example
[maintainer edit] This issue is reserved for the MLH Fellowship program.
Code of Conduct
- [X] I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#basic-example-2
What part(s) of the article would you like to see updated?
In the following example command in this article, I wonder if the order of arguments and options is correct, because the repo `/codeql-dbs/example-repo` is located after `--download`.

Also, `--github-auth-stdin` is needed because the token `$OCTO-ORG_ACCESS_TOKEN` is from stdin.

```shell
$ echo $OCTO-ORG_ACCESS_TOKEN | codeql database analyze --download /codeql-dbs/example-repo \
    octo-org/security-queries \
    octo-org/optional-security-queries@~1.0.1:queries/csrf.ql \
    --format=sarif-latest --output=/temp/example-repo-js.sarif
```
Additional information
Content Plan
See plan here.
Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
@horihiro Thanks so much for opening an issue! I'll triage this for the team to take a look :eyes:
Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert :eyes:
This is a gentle bump for the docs team that this issue is waiting for technical review.
@horihiro 👋🏻 We've checked with the CodeQL team and:

- The command-line parser we use allows flags and positional arguments to be intermixed freely, so the order of `--download` before the `/codeql-dbs/example-repo` path is allowed here.
- The second point is a bit more nuanced in that the example you provided should include both `echo $TOKEN` and `--github-auth-stdin`, or neither. The team's preference was "neither", with the suggestion to add that the user should set the token in `GITHUB_TOKEN`:
  - Neither - set the token in the env variable `GITHUB_TOKEN`, no `echo $TOKEN`, no `--github-auth-stdin`.
  - Both - do nothing involving `GITHUB_TOKEN`, add `echo $TOKEN` and add `--github-auth-stdin`.

Also, to avoid confusion, the team suggests that the example just after this one should also explicitly include `--github-auth-stdin`.

A final suggestion is that, for best security practices, `echo $TOKEN` should really be `cat file-with-my-token`.

Does this make sense to you?
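The two consistent forms the CodeQL team describes above ("neither": token only in `GITHUB_TOKEN`; "both": token piped on stdin together with `--github-auth-stdin`), written out as a small wrapper. This is an added example, not code from the docs page or from the CodeQL project. The only CodeQL CLI pieces it relies on are the ones already in the thread (`codeql database analyze --download`, `--github-auth-stdin`, `--format=sarif-latest`, `--output=`, and the `GITHUB_TOKEN` variable); the token file path, database path, output path and the "refuse a group- or world-readable token file" rule are assumptions for illustration, and `CODEQL` can be pointed at `echo` to dry-run the wrapper on a machine without the CLI.

```shell
#!/bin/sh
# Added example (not from the docs page or the CodeQL project).
# run_analyze MODE DB OUT [TOKENFILE]
#   MODE=env   : "neither"  - rely on GITHUB_TOKEN, no echo, no --github-auth-stdin
#   MODE=stdin : "both"     - nothing involving GITHUB_TOKEN; read the token from a
#                             file (not `echo $TOKEN`) and pass --github-auth-stdin
# CODEQL=echo run_analyze ... prints the assembled command instead of running it.

# Assumed policy: refuse a token file that group or others can read.
check_token_file() {
  f="$1"
  [ -f "$f" ] || { echo "no such token file: $f" >&2; return 1; }
  go=$(ls -l "$f" | cut -c5-10)        # group + other permission bits of `ls -l`
  [ "$go" = "------" ] || { echo "token file $f is readable by group/others ($go)" >&2; return 1; }
}

# Assemble the analyze arguments; --github-auth-stdin is appended only in stdin mode.
# Query packs and paths are the ones from the thread, used here as assumptions.
analyze_args() {
  mode="$1"; db="$2"; out="$3"
  printf '%s' "database analyze --download $db octo-org/security-queries octo-org/optional-security-queries@~1.0.1:queries/csrf.ql --format=sarif-latest --output=$out"
  if [ "$mode" = "stdin" ]; then printf ' --github-auth-stdin'; fi
  printf '\n'
}

run_analyze() {
  mode="$1"; db="$2"; out="$3"; tokenfile="$4"
  cmd="${CODEQL:-codeql}"
  args=$(analyze_args "$mode" "$db" "$out")
  case "$mode" in
    env)
      # "Neither": the CLI picks the token up from GITHUB_TOKEN by itself.
      [ -n "$GITHUB_TOKEN" ] || { echo "GITHUB_TOKEN is not set" >&2; return 1; }
      $cmd $args ;;
    stdin)
      # "Both": token comes from a file on stdin, so --github-auth-stdin is required.
      check_token_file "$tokenfile" || return 1
      cat "$tokenfile" | $cmd $args ;;
    *)
      echo "usage: run_analyze env|stdin DB OUT [TOKENFILE]" >&2; return 1 ;;
  esac
}

# Dry run of both forms (constructed token file; nothing is sent anywhere):
# f=$(mktemp); printf 'constructed-token-value\n' > "$f"; chmod 600 "$f"
# CODEQL=echo run_analyze stdin /codeql-dbs/example-repo /tmp/example-repo-js.sarif "$f"
# GITHUB_TOKEN=constructed-token-value CODEQL=echo run_analyze env /codeql-dbs/example-repo /tmp/example-repo-js.sarif
```

The wrapper never mixes the two forms: `env` mode passes no `--github-auth-stdin` and reads nothing from stdin, while `stdin` mode never consults `GITHUB_TOKEN`, which is exactly the "both or neither" rule from the reply. Reading the token with `cat` from a mode-600 file, rather than `echo $TOKEN`, follows the team's last suggestion and keeps the secret out of the shell command line.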
@horihiro Thanks again for opening this issue. You or anyone else are welcome to work on this following the suggestions above 💖
This issue is reserved for the MLH Fellowship program.
A stale label has been added to this issue because it has been open for 60 days with no activity. To keep this issue open, add a comment within 3 days.
cc'ing @felicitymay for awareness that this has been closed.