23 changes: 16 additions & 7 deletions content/code-security/concepts/code-scanning/setup-types.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
title: About setup types for code scanning
shortTitle: Setup types
intro: Depending on your needs, {% data variables.product.github %} offers a default or advanced setup for code scanning.
intro: Depending on your needs, {% data variables.product.github %} offers a default or advanced setup for {% data variables.product.prodname_code_scanning %}.
topics:
- Code Security
- Code scanning
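Review bot: the front matter `title` on the context line above still reads "code scanning" literally while the `intro` now uses `{% data variables.product.prodname_code_scanning %}`; if the title field accepts Liquid on this page, apply the same substitution so title and intro render the same product name.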
Expand All @@ -14,7 +14,7 @@ contentType: concepts

## About default setup

Default setup for {% data variables.product.prodname_code_scanning %} is the quickest, easiest, most low-maintenance way to enable {% data variables.product.prodname_code_scanning %} for your repository. Based on the code in your repository, default setup will automatically create a custom {% data variables.product.prodname_code_scanning %} configuration. After enabling default setup, the code written in {% data variables.product.prodname_codeql %}-supported languages in your repository will be scanned:
Default setup for {% data variables.product.prodname_code_scanning %} is the quickest, easiest, most low-maintenance way to enable {% data variables.product.prodname_code_scanning %} for your repository. Based on the code in your repository, default setup will automatically create a custom {% data variables.product.prodname_code_scanning %} configuration. After enabling default setup, the code written in {% data variables.product.prodname_codeql %}-supported languages in your repository will be scanned using {% data variables.product.prodname_codeql %}:

* On each push to the repository's default branch, or any protected branch. For more information on protected branches, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches).
* When creating or committing to a pull request based against the repository's default branch, or any protected branch, excluding pull requests from forks.
Expand Down Expand Up @@ -46,16 +46,25 @@ Unless you have a specific use case, we recommend that you only assign runners w

## About advanced setup

Advanced setup for {% data variables.product.prodname_code_scanning %} is helpful when you need to customize your {% data variables.product.prodname_code_scanning %}. By creating and editing a workflow file, you can define how to build compiled languages, choose which queries to run, select the languages to scan, use a matrix build, and more. You also have access to all the options for controlling workflows, for example: changing the scan schedule, defining workflow triggers, specifying specialist runners to use.
Advanced setup for {% data variables.product.prodname_code_scanning %} is helpful when you need to customize your {% data variables.product.prodname_code_scanning %}. You can set up {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_actions %} or an external continuous integration or continuous delivery/deployment (CI/CD) system.

{% ifversion fpt or ghec %}
You can also configure {% data variables.product.prodname_code_scanning %} with third-party tools.
{% data reusables.code-scanning.about-multiple-configurations-link %}

### With {% data variables.product.prodname_actions %}

{% else %}
By creating and editing a {% data variables.product.prodname_actions %} workflow file, you can define how to build compiled languages, choose which queries to run, select the languages to scan, use a matrix build, and more. You also have access to all the options for controlling workflows, for example: changing the scan schedule, defining workflow triggers, specifying specialist runners to use.

{% ifversion ghes %}
Your site administrator can also make third-party actions available to users for {% data variables.product.prodname_code_scanning %}, by setting up {% data variables.product.prodname_github_connect %}. For more information, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#configuring-github-connect-to-sync-github-actions).
{% endif %}

{% data reusables.code-scanning.about-multiple-configurations-link %}
### With a third-party CI/CD system

As an alternative to running {% data variables.product.prodname_code_scanning %} within {% data variables.product.github %} using {% data variables.product.prodname_actions %}, you can analyze code in an external CI/CD system, then upload the results to {% data variables.product.github %}.

The {% data variables.product.prodname_codeql_cli %} is a standalone, command-line tool that you can use to analyze code. You can add the {% data variables.product.prodname_codeql_cli %} to your third-party system, or use another third-party static analysis tool that can produce results as Static Analysis Results Interchange Format (SARIF) 2.1.0 data. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli) and [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning).

Alerts for {% data variables.product.prodname_code_scanning %} that you generate externally are displayed in the same way as those for {% data variables.product.prodname_code_scanning %} that you generate within {% data variables.product.github %}.

## Next steps

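Review bot: the `{% ifversion fpt or ghec %}` line and the `{% else %}` line in this hunk have no matching `{% endif %}` anywhere in the new section (the only `{% endif %}` visible closes `{% ifversion ghes %}`). If those two lines are deletions whose marker the rendered view dropped, fine; if they survive in the new file, the conditional is unterminated and the page will not render. Separately, with the third-party-tools sentence gone, `{% data reusables.code-scanning.about-multiple-configurations-link %}` now sits between the intro paragraph and "### With {% data variables.product.prodname_actions %}" rather than at the end of the section; check that the reusable's wording still reads as a lead-in to both setup methods.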
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -27,16 +27,8 @@ contentType: how-tos

{% data reusables.code-scanning.enterprise-enable-code-scanning %}

## About using {% data variables.product.prodname_code_scanning %} with your existing CI system

As an alternative to running {% data variables.product.prodname_code_scanning %} within {% data variables.product.github %} using {% data variables.product.prodname_actions %}, you can analyze code in an external continuous integration or continuous delivery/deployment (CI/CD) system, then upload the results to {% data variables.product.github %}.

You can add the {% data variables.product.prodname_codeql_cli %} to your third-party system, or use another third-party static analysis tool that can produce results as Static Analysis Results Interchange Format (SARIF) 2.1.0 data. For more information about the supported SARIF format, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning).

The {% data variables.product.prodname_codeql_cli %} is a standalone, command-line tool that you can use to analyze code. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli).

Alerts for {% data variables.product.prodname_code_scanning %} that you generate externally are displayed in the same way as those for {% data variables.product.prodname_code_scanning %} that you generate within {% data variables.product.github %}. {% data reusables.code-scanning.about-multiple-configurations-link %}

{% data reusables.code-scanning.upload-sarif-ghas %}

## Setting up your analysis tool
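Review bot: removing the "## About using {% data variables.product.prodname_code_scanning %} with your existing CI system" section drops this how-to's only mention of the SARIF 2.1.0 requirement and its `{% data reusables.code-scanning.about-multiple-configurations-link %}` reusable. That text now lives in the concept article (`content/code-security/concepts/code-scanning/setup-types.md`, "### With a third-party CI/CD system"), so add a link to it from this page's intro or further-reading section, otherwise readers who land here directly lose the pointer.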
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ The file to write the desired output to.
#### `-r, --result-set=<name>`

Select a particular result set from the BQRS file to decode. The
available results sets can be listed by [codeql bqrs info](/code-security/codeql-cli/codeql-cli-manual/bqrs-info).
available results sets can be listed by [codeql bqrs info](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-info).

If no result set is selected, all result sets will be decoded, provided
the selected output format and processing options support that.
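Review bot: this hunk, like the rest of the manual-page hunks below, rewrites links from `/code-security/codeql-cli/codeql-cli-manual/...` to `/code-security/reference/code-scanning/codeql/codeql-cli-manual/...`; confirm the old path has a redirect entry so inbound links keep resolving, and, if these CLI manual pages are regenerated from an upstream source, make the same path change there so the next sync does not revert it. Minor, in the unchanged context: "available results sets" should be "available result sets", the term used in the rest of this entry.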
Expand Down Expand Up @@ -116,7 +116,7 @@ at the top, or at the location given by `--start-at`.
#### `--start-at=<offset>`

\[Advanced] Start printing the row defined at a particular byte offset
in the BQRS file. The offset must be gotten from [codeql bqrs info](/code-security/codeql-cli/codeql-cli-manual/bqrs-info), or from the "next" pointer found in JSON output from a previous invocation with `--rows`
in the BQRS file. The offset must be gotten from [codeql bqrs info](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-info), or from the "next" pointer found in JSON output from a previous invocation with `--rows`
set. Other offsets are likely to produce nonsense output and/or explicit
errors.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ names and sizes of each result set (table) in the BQRS file, and the
column types of each result set.

It can also optionally precompute offsets for using the pagination
options of [codeql bqrs decode](/code-security/codeql-cli/codeql-cli-manual/bqrs-decode). This is mainly useful for IDE plugins.
options of [codeql bqrs decode](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-decode). This is mainly useful for IDE plugins.

## Options

Expand All @@ -61,7 +61,7 @@ Select output format, either `text` _(default)_ or `json`.

\[Advanced] When given together with `--format=json`, compute a table
of byte offsets that can later be given to the `--start-at` option of
[codeql bqrs decode](/code-security/codeql-cli/codeql-cli-manual/bqrs-decode), to start streaming results at positions 0, _\<num>_, 2\*_\<num>_, and so
[codeql bqrs decode](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-decode), to start streaming results at positions 0, _\<num>_, 2\*_\<num>_, and so
forth.

#### `--paginate-result-set=<name>`
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -42,9 +42,9 @@ Run a query suite (or some individual queries) against a CodeQL
database, producing results, styled as alerts or paths, in SARIF or
another interpreted format.

This command combines the effect of the [codeql database run-queries](/code-security/codeql-cli/codeql-cli-manual/database-run-queries) and [codeql database interpret-results](/code-security/codeql-cli/codeql-cli-manual/database-interpret-results) commands. If you want to run queries whose results _don't_ meet the requirements for
This command combines the effect of the [codeql database run-queries](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-run-queries) and [codeql database interpret-results](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-interpret-results) commands. If you want to run queries whose results _don't_ meet the requirements for
being interpreted as source-code alerts, use
[codeql database run-queries](/code-security/codeql-cli/codeql-cli-manual/database-run-queries) or [codeql query run](/code-security/codeql-cli/codeql-cli-manual/query-run) instead, and then [codeql bqrs decode](/code-security/codeql-cli/codeql-cli-manual/bqrs-decode) to convert the raw results to a readable notation.
[codeql database run-queries](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-run-queries) or [codeql query run](/code-security/reference/code-scanning/codeql/codeql-cli-manual/query-run) instead, and then [codeql bqrs decode](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-decode) to convert the raw results to a readable notation.

## Options

Expand Down Expand Up @@ -152,7 +152,7 @@ all queries. It loads query help for /path/to/query.ql from the
/path/to/query.md file. If this flag is not supplied the default
behavior is to include help only for custom queries i.e. those in query
packs which are not of the form \`codeql/\<lang\&rt;-queries\`. This
option has no effect when passed to [codeql bqrs interpret](/code-security/codeql-cli/codeql-cli-manual/bqrs-interpret).
option has no effect when passed to [codeql bqrs interpret](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-interpret).

#### `--sarif-include-query-help=<mode>`

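Review bot: the unchanged context line "packs which are not of the form \`codeql/\<lang\&rt;-queries\`" carries a broken entity (`\&rt;` where `>` is meant), so it renders as `codeql/<lang&rt;-queries`. Not introduced by this hunk, but since the line right after it is being edited, fix it in the same pass, escaping `<lang>` the way `_\<num>_` is escaped on the bqrs info page.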
Expand All @@ -167,7 +167,7 @@ queries i.e. those in query packs which are not of the form

`never`: Do not include query help for any queries.

This option has no effect when passed to [codeql bqrs interpret](/code-security/codeql-cli/codeql-cli-manual/bqrs-interpret).
This option has no effect when passed to [codeql bqrs interpret](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-interpret).

Available since `v2.15.2`.

Expand All @@ -182,7 +182,7 @@ Available since `v2.18.1`.

\[SARIF formats only] Place the rule object for each query under its
corresponding QL pack in the `<run>.tool.extensions` property. This
option has no effect when passed to [codeql bqrs interpret](/code-security/codeql-cli/codeql-cli-manual/bqrs-interpret).
option has no effect when passed to [codeql bqrs interpret](/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-interpret).

#### `--[no-]sarif-multicause-markdown`

Expand Down Expand Up @@ -317,7 +317,7 @@ timed parts are "RA layers" of the optimized query, but that might
change in the future.

If no timeout is specified, or is given as 0, no timeout will be set
(except for [codeql test run](/code-security/codeql-cli/codeql-cli-manual/test-run), where the default timeout is 5 minutes).
(except for [codeql test run](/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-run), where the default timeout is 5 minutes).

#### `-j, --threads=<num>`

Expand All @@ -340,7 +340,7 @@ be discarded after the queries have been executed.
#### `--[no-]keep-full-cache`

\[Advanced] Don't clean up the disk cache after evaluation completes.
This may save time if you're going to do [codeql dataset cleanup](/code-security/codeql-cli/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/codeql-cli/codeql-cli-manual/database-cleanup) afterwards anyway.
This may save time if you're going to do [codeql dataset cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-cleanup) afterwards anyway.

#### `--max-disk-cache=<MB>`

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,13 @@ Available since `v2.13.3`.
Include an uncompressed version of the source archive directory. This is
necessary for legacy CodeQL plugins (like CodeQL for Eclipse).

#### `--include=<include>`

\[Advanced] Additional paths relative to the database directory to
include in the bundle.

Available since `v2.24.0`.

#### `--name=<name>`

The name of the top-level directory in the bundle. If not given, it
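Review bot: the new `--include=<include>` entry does not say whether the option is repeatable or accepts a comma-separated list, the way the `--language` entry on the database create page documents both forms ("this can appear multiple times, or the value can be a comma-separated list"), nor how a path that resolves outside the database directory is treated. Since the bundle is what gets uploaded, state both: the accepted syntax, and that included paths must stay within the database directory (or what happens when they do not).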
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ delete the entire database directory.
on how to create the CodeQL databases and what queries to run in later
steps. For more details on the format of this configuration file, refer
to [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning). To run queries from
this file in a later step, invoke [codeql database analyze](/code-security/codeql-cli/codeql-cli-manual/database-analyze) without any other queries specified.
this file in a later step, invoke [codeql database analyze](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze) without any other queries specified.

#### `--[no-]db-cluster`

Expand All @@ -86,7 +86,7 @@ directory given on the command line.

The language that the new database will be used to analyze.

Use [codeql resolve languages](/code-security/codeql-cli/codeql-cli-manual/resolve-languages) to get a list of the pluggable language extractors found on the search path.
Use [codeql resolve languages](/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-languages) to get a list of the pluggable language extractors found on the search path.

When the `--db-cluster` option is given, this can appear multiple times,
or the value can be a comma-separated list of languages.
Expand Down Expand Up @@ -173,7 +173,7 @@ will be left unfinalized.

#### `--[no-]linkage-aware-import`

\[Advanced] Controls whether [codeql dataset import](/code-security/codeql-cli/codeql-cli-manual/dataset-import) is linkage-aware _(default)_ or not. On projects where this part of database creation
\[Advanced] Controls whether [codeql dataset import](/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-import) is linkage-aware _(default)_ or not. On projects where this part of database creation
consumes too much memory, disabling this option may help them progress
at the expense of database completeness.

Expand Down Expand Up @@ -349,10 +349,10 @@ will use all the values provided, in order. Extractor options specified
using this command-line option are processed after extractor options
given via `--extractor-options-file`.

When passed to [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be
When passed to [codeql database init](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be
applied to the indirect tracing environment. If your workflow also makes
calls to
[codeql database trace-command](/code-security/codeql-cli/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired.
[codeql database trace-command](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired.

See <https://codeql.github.com/docs/codeql-cli/extractor-options> for
more information on CodeQL extractor options, including how to list the
Expand All @@ -375,10 +375,10 @@ will use all the values provided, in order. Extractor options specified
using this command-line option are processed before extractor options
given via `--extractor-option`.

When passed to [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be
When passed to [codeql database init](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be
applied to the indirect tracing environment. If your workflow also makes
calls to
[codeql database trace-command](/code-security/codeql-cli/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired.
[codeql database trace-command](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired.

See <https://codeql.github.com/docs/codeql-cli/extractor-options> for
more information on CodeQL extractor options, including how to list the
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ Available since `v2.12.6`.
#### `<database>`

\[Mandatory] Path to the CodeQL database under construction. This must
have been prepared for extraction with [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init).
have been prepared for extraction with [codeql database init](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-init).

If the `--db-cluster` option is given, this is not a database itself,
but a directory that _contains_ databases, and all of those databases
Expand Down