How to disable particular rule by its ID from GitHub workflow?

[sungam3r]

Sorry but I did not find the answer in docs. For example, I want to disable cs/linq/missed-where.

#7937 (comment)

[aeisenberg]

There is no simple way to do this. You could create a custom query suite. In your workflow's codeql init step, you would specify a config file to use:

- uses: github/codeql-action/init@v1
  with:
    config-file: ./.github/codeql/codeql-config.yml

And then in the config file, you specify custom queries:

disable-default-queries: true
queries:
  - uses: ./github/codeql/suite.qls

And finally, you need to create the query suite itself:

- from: codeql/csharp-queries
  apply: codeql-suites/csharp-security-and-quality.qls
- exclude:
    query filename: MissedWhereOpportunity.ql

Using this, you will have control over exactly which queries you want to run.

[sungam3r]

Understandable but I know the opposite - what queries I don't want to run, i.e. opt-out behavior instead of opt-in.

[sungam3r]

I see a lof of false positives (actually all results in case of aforementioned rule) and I want to disable this particular rule and continue to review security report.

[aeisenberg]

With the above suggestion, you can choose to remove any single query from analysis.

Alternatively, if you just want to focus on security queries, you may just want to run security-extended queries. Just change: queries: security-and-quality to queries: security-extended.

[sungam3r]

I understand, thanks for your explanation, but I don't want to bother with manually crafted query suites (and their combinations) and maintain them updating to be in-sync with source. Please consider adding an option in workflows to exclude particular rules.

[aeisenberg]

Thank you for your suggestion. We will keep this under consideration.

[aeisenberg]

Will be fixed here: github/codeql-action#1098

[aeisenberg]

Available in next release of the codeql-action. Documentation still to come.

[sungam3r]

Thanks.

[scherersebastian]

So you have to create a separate file just to disable / exclude a query - @aeisenberg ?