repo sync

content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning.md

@@ -388,7 +388,7 @@ You can also specify query suites in the value of `queries`. Query suites are co
 ``` yaml{:copy}
 - uses: {% data reusables.actions.action-codeql-action-init %}
   with:
-    # Comma-separated list of queries / packs / suites to run. 
+    # Comma-separated list of queries / packs / suites to run.
     # This may include paths or a built in suite, for example:
     # security-extended or security-and-quality.
     queries: security-extended
@@ -571,6 +571,48 @@ You can quickly analyze small portions of a monorepo when you modify code in spe
 
 {% data reusables.code-scanning.example-configuration-files %}
 
+{% ifversion code-scanning-config-input %}
+## Specifying configuration details using the `config` input
+
+If you'd prefer to specify additional configuration details in the workflow file, you can use the `config` input of the `init` command of the {% data variables.product.prodname_codeql %} action. The value of this input must be a YAML string that follows the configuration file format documented at "[Using a custom configuration file](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#using-a-custom-configuration-file)" above.
+
+### Example configuration
+
+This step in a {% data variables.product.prodname_actions %} workflow file uses a `config` input to disable the default queries, add the `security-extended` query suite, and exclude queries that are tagged with `cwe-020`.
+
+```yaml
+- uses: {% data reusables.actions.action-codeql-action-init %}
+  with:
+    languages: {% raw %}${{ matrix.language }}{% endraw %}
+    config: |
+      disable-default-queries: true
+      queries:
+        - uses: security-extended
+      query-filters:
+        - exclude:
+          tags: /cwe-020/
+```
+
+You can use the same approach to specify any valid configuration options in the workflow file.
+
+{% tip %}
+
+**Tip:**
+
+You can share one configuration across multiple repositories using  {% data variables.product.prodname_actions %} variables. One benefit of this approach is that you can update the configuration in a single place without editing the workflow file.
+
+In the following example, `vars.CODEQL_CONF` is a {% data variables.product.prodname_actions %} variable. Its value can be the contents of any valid configuration file. For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows)."
+
+```yaml
+- uses: {% data reusables.actions.action-codeql-action-init %}
+  with:
+    languages: {% raw %}${{ matrix.language }}{% endraw %}
+    config: {% raw %}${{ vars.CODEQL_CONF }}{% endraw %}
+```
+
+{% endtip %}
+{% endif %}
+
 ## Configuring {% data variables.product.prodname_code_scanning %} for compiled languages
 
 {% data reusables.code-scanning.autobuild-compiled-languages %} {% data reusables.code-scanning.analyze-go %}

data/features/code-scanning-config-input.yml

@@ -0,0 +1,6 @@
+# Versions that support the `config` input in the `github/codeql-action/init@v2`` action
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>3.9'
+  ghae: '>3.9'