Tech Hub

@ Solution Architecture Works

Advanced Security on GitHub – Part 2 of 2

Understanding CodeQL Results


In the previous units, you created a database and analyzed the files extracted from your code. You can now review the results and determine whether there are security vulnerabilities to fix.

Viewing CodeQL Analysis Results

The results of interpreted queries are automatically displayed in the source code via the CodeQL extension for Visual Studio Code.
Results generated by the CodeQL CLI can be produced in multiple formats, compatible with various tools.

You can control how results are displayed in the source code by modifying the select statement of a query. This helps make results clearer and more understandable for other users during query development.

When writing your own queries in the query console or in the CodeQL extension for VS Code, there are no constraints on what you can select.

However, if you want to use a query to generate alerts in GitHub code scanning or produce valid results via the CodeQL CLI, you must format the select statement according to the expected requirements.
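As an added illustration (not code from the original page), here is a complete alert query in the shape code scanning expects: a `@kind problem` query whose `select` clause is exactly one program element followed by one message string. The query name, `@id` and the severity values are assumptions chosen for the example; the metadata tags themselves (`@kind`, `@problem.severity`, `@security-severity`, `@precision`, `@id`) are the ones code scanning reads.

```ql
/**
 * @name Subprocess call with shell=True
 * @description Invoking a subprocess through the shell makes it easy for a
 *              command string built from external data to be misinterpreted.
 * @kind problem
 * @problem.severity warning
 * @security-severity 6.5
 * @precision medium
 * @id py/example/subprocess-shell-true
 * @tags security
 */

import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.ApiGraphs

// Any call into the `subprocess` module (run, Popen, call, ...) whose
// `shell` keyword argument is the literal True.
from API::CallNode call, DataFlow::Node shellArg
where
  call = API::moduleImport("subprocess").getMember(_).getACall() and
  shellArg = call.getArgByName("shell") and
  shellArg.asExpr().toString() = "True"
// For @kind problem the select clause must be: <element>, <message>.
// The element is where the alert annotation is placed; the message is
// the alert text shown in the Security tab and in pull requests.
select call, "This subprocess call uses shell=True; pass an argument list with shell=False instead."
```

Because the `select` clause follows the `element, message` convention, the same query works unchanged in the VS Code extension (results are shown inline), with `codeql database analyze --format=sarif-latest` (results become SARIF), and as a custom query in a code scanning workflow (results become alerts). A query whose `select` returns extra or differently typed columns still runs locally but produces no usable alerts.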

Acting on Code Scanning Alerts

You can configure code scanning to check the code in a repository. You can use:

  • Default CodeQL analysis
  • Non-Microsoft analysis
  • Other types of analysis

The generated alerts are displayed side by side in the repository.

GitHub’s default CodeQL analysis may include more properties in alerts than non-Microsoft tools or custom queries.
In a default workflow, code scanning runs periodically on the main branch and during pull requests.

Each alert includes the following information:

  • The issue detected in the code and the name of the tool that identified it
  • The line of code that triggered the alert
  • Alert properties, such as severity
  • Security severity
  • When the issue was introduced
  • The nature of the problem

When CodeQL identifies an alert, it also provides information on how to fix the issue.
Additionally, CodeQL analysis can detect data flow problems in your code.

Data-Flow Alerts

Data-flow analysis helps detect potential security issues in code, including:

  • Using data in a way that compromises security
  • Passing dangerous arguments to functions
  • Leaking sensitive information

GitHub shows you how data flows through the code when code scanning reports data-flow alerts. These alerts help you identify areas of your code that may leak sensitive information, which can allow you to spot potential entry points for malicious attacks.
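The alerts described here come from `@kind path-problem` queries, which track a value from a source to a sink and report the whole path. The following is an added example, not part of the original page: a taint-tracking query that reports when a value from a remote request reaches the command argument of a `subprocess` call. The query name, `@id` and severity values are assumed for the example; `RemoteFlowSource`, `TaintTracking::Global` and the `PathGraph` module are the standard CodeQL Python library.

```ql
/**
 * @name Remote input reaches a subprocess command
 * @description A command passed to subprocess is built from data that arrives
 *              in a remote request, so the request sender influences what runs.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 8.8
 * @precision medium
 * @id py/example/remote-input-to-subprocess
 * @tags security
 */

import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.ApiGraphs

// Sources: anything the library already models as data from a remote
// request (web framework parameters, headers, bodies, ...).
// Sinks: the first argument of the common subprocess entry points.
module CommandConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  predicate isSink(DataFlow::Node sink) {
    sink =
      API::moduleImport("subprocess")
          .getMember(["run", "call", "check_call", "check_output", "Popen"])
          .getACall()
          .getArg(0)
  }
}

// Taint tracking (rather than plain data flow) so that string formatting
// and concatenation on the way to the sink keep the value tainted.
module CommandFlow = TaintTracking::Global<CommandConfig>;

// Importing PathGraph is what lets code scanning render the step-by-step path.
import CommandFlow::PathGraph

from CommandFlow::PathNode source, CommandFlow::PathNode sink
where CommandFlow::flowPath(source, sink)
// For @kind path-problem the select clause must be:
//   <sink element>, <source path node>, <sink path node>, <message>, <link element>, <link text>
// "$@" in the message is replaced by a link to <link element> labelled <link text>.
select sink.getNode(), source, sink,
  "This subprocess command depends on $@ that has not been validated.",
  source.getNode(), "a remote request value"
```

When this query produces an alert, the Security tab shows each intermediate node between the request parameter and the `subprocess` argument, which is the "how data flows through the code" view the text refers to. Fixing the alert means breaking that path, for example by validating the value against an allow-list before the sink or by passing fixed command tokens and the value as a separate list element.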

Severity Levels

Any code scanning result with a severity of Error causes the check to fail by default.
The severity levels for alerts are:

  • Error
  • Warning
  • Note

You can define the severity level at which a pull request should fail if it triggers a code scanning alert.

Security Severity Levels

Alerts produced by security queries also carry a security severity level:

  • Critical
  • High
  • Medium
  • Low

GitHub uses CVSS (Common Vulnerability Scoring System) data to calculate the security severity of an alert.

By default, any alert with Critical or High severity causes the check to fail.
You can customize the security severity level at which an alert should trigger a failure.

Closing a Code Scanning Alert

You have two ways to close an alert:

  • Fix the issue in the code
  • Dismiss or delete the alert

Dismissing a Code Scanning Alert

Dismissing an alert means you choose not to fix it.
For example, you might dismiss an alert related to code used only for testing, or if the effort required to fix the issue outweighs the expected benefits.

You can dismiss an alert from annotations in the code or from the summary list in the repository’s Security tab.

To dismiss an alert from the list:

  • Click the Dismiss alert menu
  • Select a reason for dismissal
  • Click the Dismiss alert button

When You Dismiss an Alert:

  • The alert is dismissed across all branches.
  • It is removed from the count of active alerts for your project.
  • It is moved to the list of closed alerts in the summary. You can reopen it from there if necessary.
  • The reason for closing is recorded.
  • During the next scan, the same code will not generate the alert again.

Deleting a Code Scanning Alert

You can delete an alert if you have administrator rights on the repository. Deletion is useful in the following cases:

  • You set up a code scanning tool but later decide to remove it.
  • You configured CodeQL analysis with a broader set of queries than you want to keep.
  • You removed certain queries from the tool.
  • You want to clean up code scanning results.

You can delete alerts from the summary list in the repository’s Security tab.

When You Delete an Alert:

  • The alert is deleted across all branches.
  • It is removed from the count of active alerts for your project.
  • It does not appear in the list of closed alerts.
  • The alert will reappear in the analysis results if the relevant code remains unchanged and the same analysis tool is rerun without configuration changes.