Skip to main content

github upload-results

Uploads a SARIF file to GitHub code scanning.

Who can use this feature?

GitHub CodeQL is licensed on a per-user basis upon installation. You can use CodeQL only for certain tasks under the license restrictions. For more information, see "About the CodeQL CLI."

If you have a GitHub Advanced Security license, you can use CodeQL for automated analysis, continuous integration, and continuous delivery. For more information, see "About GitHub Advanced Security."

This content describes the most recent release of the CodeQL CLI. For more information about this release, see

To see details of the options available for this command in an earlier release, run the command with the --help option in your terminal.


codeql github upload-results --sarif=<file> [--github-auth-stdin] [--github-url=<url>] [--repository=<repository-name>] [--ref=<ref>] [--commit=<commit>] [--checkout-path=<path>] <options>...


Uploads a SARIF file to GitHub code scanning.

See: Uploading CodeQL analysis results to GitHub

A GitHub Apps token or personal access token must be set. For best security practices, it is recommended to set the --github-auth-stdin flag and pass the token to the command through standard input. Alternatively, the GITHUB_TOKEN environment variable can be set.

This token must have the security_events scope.


Primary Options

-s, --sarif=<file>

[Mandatory] Path to the SARIF files to use. This should be the output of codeql database analyze (or codeql database interpret-results) with --format sarif-latest for upload to or the appropriate supported format tag for GitHub Enterprise Server instances (see SARIF support for code scanning for SARIF versions supported by your release).

-r, --repository=<repository-name>

GitHub repository owner and name (e.g., github/octocat) to use as an endpoint for uploading. The CLI will attempt to autodetect this from the checkout path if it is omitted.

-f, --ref=<ref>

Name of the ref that was analyzed. If this ref is a pull request merge commit, then use refs/pulls/1234/merge or refs/pulls/1234/head (depending on whether or not this commit corresponds to the HEAD or MERGE commit of the PR). Otherwise, this should be a branch: refs/heads/branch-name. If omitted, the CLI will attempt to automatically populate this from the current branch of the checkout path, if this exists.

-c, --commit=<commit>

SHA of commit that was analyzed. If this is omitted the CLI will attempt to autodetect this from the checkout path.

-p, --checkout-path=<path>

Checkout path. Default is the current working directory.


[Advanced] Allow more than one SARIF file to be specified, and merge these into a single file before uploading. This is only recommended for backwards compatibility. For new analyses it is recommended to upload two separate SARIF files with different categories. This option only works in conjunction with SARIF files produced by CodeQL with SARIF version 2.1.0 (this is the default version of SARIF used by CodeQL).


By default, the CLI will wait for GitHub to process the SARIF file for a maximum of 2 minutes, returning a non-zero exit code if there were any errors during processing of the analysis results. You can customize how long the CLI will wait wait with --wait-for-processing-timeout, or disable the feature with --no-wait-for-processing.


The maximum time the CLI will wait for the uploaded SARIF file to be processed by GitHub, in seconds. The default is 120 seconds (2 minutes). This option is only valid when --wait-for-processing is enabled.


Select output format. Choices include:

text (default): Print the URL for tracking the status of the SARIF upload.

json: Print the response body of the SARIF upload API request.

See also: REST API endpoints for code scanning

Options to configure where to upload SARIF files.

-a, --github-auth-stdin

Accept a GitHub Apps token or personal access token via standard input.

This overrides the GITHUB_TOKEN environment variable.

-g, --github-url=<url>

URL of the GitHub instance to use. If omitted, the CLI will attempt to autodetect this from the checkout path and if this is not possible default to

Common options

-h, --help

Show this help text.


[Advanced] Give option to the JVM running the command.

(Beware that options containing spaces will not be handled correctly.)

-v, --verbose

Incrementally increase the number of progress messages printed.

-q, --quiet

Incrementally decrease the number of progress messages printed.


[Advanced] Explicitly set the verbosity level to one of errors, warnings, progress, progress+, progress++, progress+++. Overrides -v and -q.


[Advanced] Write detailed logs to one or more files in the given directory, with generated names that include timestamps and the name of the running subcommand.

(To write a log file with a name you have full control over, instead give --log-to-stderr and redirect stderr as desired.)


[Advanced] Controls the location of cached data on disk that will persist between several runs of the CLI, such as downloaded QL packs and compiled query plans. If not set explicitly, this defaults to a directory named .codeql in the user's home directory; it will be created if it doesn't already exist.

Available since v2.15.2.