{"meta":{"title":"github upload-results","intro":"Uploads a SARIF file to GitHub code scanning.","product":"Security and code quality","breadcrumbs":[{"href":"/en/code-security","title":"Security and code quality"},{"href":"/en/code-security/reference","title":"Reference"},{"href":"/en/code-security/reference/code-scanning","title":"Code scanning"},{"href":"/en/code-security/reference/code-scanning/codeql","title":"CodeQL"},{"href":"/en/code-security/reference/code-scanning/codeql/codeql-cli-manual","title":"CodeQL CLI manual"},{"href":"/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/github-upload-results","title":"github upload-results"}],"documentType":"article"},"body":"# github upload-results\n\nUploads a SARIF file to GitHub code scanning.\n\n> \\[!NOTE]\n> This content describes the most recent release of the CodeQL CLI. For more information about this release, see <https://github.com/github/codeql-cli-binaries/releases>.\n>\n> To see details of the options available for this command in an earlier release, run the command with the <span style=\"white-space: nowrap;\">`--help`</span> option in your terminal.\n\n## Synopsis\n\n```shell copy\ncodeql github upload-results --sarif=<file> [--github-auth-stdin] [--github-url=<url>] [--repository=<repository-name>] [--ref=<ref>] [--commit=<commit>] [--checkout-path=<path>] <options>...\n```\n\n## Description\n\nUploads a SARIF file to GitHub code scanning.\n\nSee: [Uploading CodeQL analysis results to GitHub](/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github)\n\nA GitHub Apps token or personal access token must be set. 
For best\nsecurity practices, it is recommended to set the `--github-auth-stdin`\nflag and pass the token to the command through standard input.\nAlternatively, the `GITHUB_TOKEN` environment variable can be set.\n\nThis token must have the `security_events` scope.\n\n## Options\n\n### Primary Options\n\n#### `-s, --sarif=<file>`\n\n\\[Mandatory] Path to the SARIF files to use. This should be the output\nof [codeql database analyze](/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze) (or [codeql database interpret-results](/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-interpret-results)) with `--format sarif-latest` for upload to github.com or\nthe appropriate supported format tag for GitHub Enterprise Server\ninstances (see [SARIF support for code scanning](/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning) for\nSARIF versions supported by your release).\n\n#### `-r, --repository=<repository-name>`\n\nGitHub repository owner and name (e.g., *github/octocat*) to use as an\nendpoint for uploading. The CLI will attempt to autodetect this from the\ncheckout path if it is omitted.\n\n#### `-f, --ref=<ref>`\n\nName of the ref that was analyzed. If this ref is a pull request merge\ncommit, then use *refs/pull/1234/merge* or *refs/pull/1234/head*\n(depending on whether or not this commit corresponds to the HEAD or\nMERGE commit of the PR). Otherwise, this should be a branch:\n*refs/heads/branch-name*. If omitted, the CLI will attempt to\nautomatically populate this from the current branch of the checkout\npath, if this exists.\n\n#### `-c, --commit=<commit>`\n\nSHA of commit that was analyzed. If this is omitted the CLI will attempt\nto autodetect this from the checkout path.\n\n#### `-p, --checkout-path=<path>`\n\nCheckout path. 
Default is the current working directory.\n\n#### `--merge`\n\n\\[Advanced] Allow more than one SARIF file to be specified, and merge\nthese into a single file before uploading. This is only recommended for\nbackwards compatibility. For new analyses it is recommended to upload\ntwo separate SARIF files with different categories. This option only\nworks in conjunction with SARIF files produced by CodeQL with SARIF\nversion 2.1.0 (this is the default version of SARIF used by CodeQL).\n\n#### `--no-wait-for-processing`\n\nBy default, the CLI will wait for GitHub to process the SARIF file for a\nmaximum of 2 minutes, returning a non-zero exit code if there were any\nerrors during processing of the analysis results. You can customize how\nlong the CLI will wait with `--wait-for-processing-timeout`, or disable\nthe feature with `--no-wait-for-processing`.\n\n#### `--wait-for-processing-timeout=<waitForProcessingTimeout>`\n\nThe maximum time the CLI will wait for the uploaded SARIF file to be\nprocessed by GitHub, in seconds. The default is 120 seconds (2 minutes).\nThis option is only valid when `--wait-for-processing` is enabled.\n\n#### `--format=<fmt>`\n\nSelect output format. Choices include:\n\n`text` *(default)*: Print the URL for tracking the status of the SARIF\nupload.\n\n`json`: Print the response body of the SARIF upload API request.\n\nSee also: [REST API endpoints for code scanning](/en/rest/code-scanning/code-scanning)\n\n### Options to configure where to upload SARIF files.\n\n#### `-a, --github-auth-stdin`\n\nAccept a GitHub Apps token or personal access token via standard input.\n\nThis overrides the GITHUB\\_TOKEN environment variable.\n\n#### `-g, --github-url=<url>`\n\nURL of the GitHub instance to use. 
If omitted, the CLI will attempt to\nautodetect this from the checkout path and, if this is not possible,\ndefault to <https://github.com/>.\n\n### Common options\n\n#### `-h, --help`\n\nShow this help text.\n\n#### `-J=<opt>`\n\n\\[Advanced] Give option to the JVM running the command.\n\n(Beware that options containing spaces will not be handled correctly.)\n\n#### `-v, --verbose`\n\nIncrementally increase the number of progress messages printed.\n\n#### `-q, --quiet`\n\nIncrementally decrease the number of progress messages printed.\n\n#### `--verbosity=<level>`\n\n\\[Advanced] Explicitly set the verbosity level to one of errors,\nwarnings, progress, progress+, progress++, progress+++. Overrides `-v`\nand `-q`.\n\n#### `--logdir=<dir>`\n\n\\[Advanced] Write detailed logs to one or more files in the given\ndirectory, with generated names that include timestamps and the name of\nthe running subcommand.\n\n(To write a log file with a name you have full control over, instead\ngive `--log-to-stderr` and redirect stderr as desired.)\n\n#### `--common-caches=<dir>`\n\n\\[Advanced] Controls the location of cached data on disk that will\npersist between several runs of the CLI, such as downloaded QL packs and\ncompiled query plans. If not set explicitly, this defaults to a\ndirectory named `.codeql` in the user's home directory; it will be\ncreated if it doesn't already exist.\n\nAvailable since `v2.15.2`."}