You can save analysis results from the CodeQL CLI in a number of different formats, including SARIF and CSV. We do generally recommend SARIF because it is a standard output for static analysis tools and easier to parse. You can also upload SARIF files to GitHub Enterprise Server. However, CSV format may be useful if you need to further process the analysis results using your own tools. For more information on selecting a file format for your analysis results, see "database analyze."
For more information about the SARIF format, see CodeQL CLI SARIF output.
If you choose to generate results in CSV format, then each line in the output file corresponds to an alert. Each line is a comma-separated list with the following information.
|Name of the query that identified the result.
Inefficient regular expression
|Description of the query.
A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks.
|Severity of the query.
This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\\\'.
|Path of the file containing the alert.
|Line of the file where the code that triggered the alert begins.
|Column of the start line that marks the start of the alert code. Not included when equal to 1.
|Line of the file where the code that triggered the alert ends. Not included when the same value as the start line.
|Where available, the column of the end line that marks the end of the alert code. Otherwise the end line is repeated.