Merge pull request #39705 from github/repo-sync

docs-bot · web-flow · commit 8b2baae608e9 · 2025-08-06T20:57:22.000-07:00
Repo sync
diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/index.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/index.md
@@ -28,5 +28,6 @@ children:
   - /javascript-typescript-built-in-queries
   - /python-built-in-queries
   - /ruby-built-in-queries
+  - /rust-built-in-queries
   - /swift-built-in-queries
 ---
diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/rust-built-in-queries.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/rust-built-in-queries.md
@@ -0,0 +1,23 @@
+---
+title: Rust queries for CodeQL analysis
+shortTitle: Rust CodeQL queries
+intro: 'Explore the queries that {% data variables.product.prodname_codeql %} uses to analyze code written in Rust when you select the `default` or the `security-extended` query suite.'
+product: '{% data reusables.gated-features.codeql %}'
+allowTitleToDifferFromFilename: true
+versions:
+  fpt: '*'
+  ghes: '*'
+  ghec: '*'
+type: reference
+topics:
+  - Code scanning
+  - CodeQL
+---
+
+{% data variables.product.prodname_codeql %} includes many queries for analyzing Rust code. {% data reusables.code-scanning.codeql-query-tables.query-suite-behavior %}
+
+## Built-in queries for Rust analysis
+
+{% data reusables.code-scanning.codeql-query-tables.codeql-version-info %}
+
+{% data reusables.code-scanning.codeql-query-tables.rust %}
diff --git a/content/code-security/codeql-cli/codeql-cli-manual/bqrs-interpret.md b/content/code-security/codeql-cli/codeql-cli-manual/bqrs-interpret.md
@@ -102,7 +102,7 @@ all queries. It loads query help for /path/to/query.ql from the
 /path/to/query.md file. If this flag is not supplied the default
 behavior is to include help only for custom queries i.e. those in query
 packs which are not of the form \`codeql/\<lang\&rt;-queries\`. This
-option has no effect when passed to [codeql bqrs interpret](/code-security/codeql-cli/codeql-cli-manual/bqrs-interpret).
+option has no effect when passed to codeql bqrs interpret.
 
 #### `--sarif-include-query-help=<mode>`
 
@@ -117,7 +117,7 @@ queries i.e. those in query packs which are not of the form
 
 `never`: Do not include query help for any queries.
 
-This option has no effect when passed to [codeql bqrs interpret](/code-security/codeql-cli/codeql-cli-manual/bqrs-interpret).
+This option has no effect when passed to codeql bqrs interpret.
 
 Available since `v2.15.2`.
 
@@ -132,7 +132,7 @@ Available since `v2.18.1`.
 
 \[SARIF formats only] Place the rule object for each query under its
 corresponding QL pack in the `<run>.tool.extensions` property. This
-option has no effect when passed to [codeql bqrs interpret](/code-security/codeql-cli/codeql-cli-manual/bqrs-interpret).
+option has no effect when passed to codeql bqrs interpret.
 
 #### `--[no-]sarif-multicause-markdown`
 
diff --git a/content/code-security/codeql-cli/codeql-cli-manual/database-bundle.md b/content/code-security/codeql-cli/codeql-cli-manual/database-bundle.md
@@ -122,6 +122,9 @@ predicates.
 `fit`: Simply make sure the defined size limits for the disk cache are
 observed, deleting as many intermediates as necessary.
 
+`overlay`: Trim to just the data that will be useful when evaluating
+against an overlay.
+
 #### `--cleanup-upgrade-backups`
 
 Delete any backup directories resulting from database upgrades.
diff --git a/content/code-security/codeql-cli/codeql-cli-manual/database-cleanup.md b/content/code-security/codeql-cli/codeql-cli-manual/database-cleanup.md
@@ -84,6 +84,9 @@ predicates.
 `fit`: Simply make sure the defined size limits for the disk cache are
 observed, deleting as many intermediates as necessary.
 
+`overlay`: Trim to just the data that will be useful when evaluating
+against an overlay.
+
 #### `--cleanup-upgrade-backups`
 
 Delete any backup directories resulting from database upgrades.
diff --git a/content/code-security/codeql-cli/codeql-cli-manual/database-create.md b/content/code-security/codeql-cli/codeql-cli-manual/database-create.md
@@ -286,6 +286,9 @@ predicates.
 `fit`: Simply make sure the defined size limits for the disk cache are
 observed, deleting as many intermediates as necessary.
 
+`overlay`: Trim to just the data that will be useful when evaluating
+against an overlay.
+
 #### `--cleanup-upgrade-backups`
 
 Delete any backup directories resulting from database upgrades.
@@ -311,7 +314,7 @@ configuration files that should work in most situations.
 
 \[Advanced] The directory in which the specified command should be
 executed. If this argument is not provided, the command is executed in
-the value of `--source-root` passed to [codeql database create](/code-security/codeql-cli/codeql-cli-manual/database-create), if one exists. If no `--source-root` argument is provided, the command is executed in the
+the value of `--source-root` passed to codeql database create, if one exists. If no `--source-root` argument is provided, the command is executed in the
 current working directory.
 
 #### `--no-run-unnecessary-builds`
diff --git a/content/code-security/codeql-cli/codeql-cli-manual/database-finalize.md b/content/code-security/codeql-cli/codeql-cli-manual/database-finalize.md
@@ -143,6 +143,9 @@ predicates.
 `fit`: Simply make sure the defined size limits for the disk cache are
 observed, deleting as many intermediates as necessary.
 
+`overlay`: Trim to just the data that will be useful when evaluating
+against an overlay.
+
 #### `--cleanup-upgrade-backups`
 
 Delete any backup directories resulting from database upgrades.
diff --git a/content/code-security/codeql-cli/codeql-cli-manual/database-init.md b/content/code-security/codeql-cli/codeql-cli-manual/database-init.md
@@ -264,7 +264,7 @@ will use all the values provided, in order. Extractor options specified
 using this command-line option are processed after extractor options
 given via `--extractor-options-file`.
 
-When passed to [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be
+When passed to codeql database init or `codeql database begin-tracing`, the options will only be
 applied to the indirect tracing environment. If your workflow also makes
 calls to
 [codeql database trace-command](/code-security/codeql-cli/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired.
@@ -290,7 +290,7 @@ will use all the values provided, in order. Extractor options specified
 using this command-line option are processed before extractor options
 given via `--extractor-option`.
 
-When passed to [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be
+When passed to codeql database init or `codeql database begin-tracing`, the options will only be
 applied to the indirect tracing environment. If your workflow also makes
 calls to
 [codeql database trace-command](/code-security/codeql-cli/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired.
diff --git a/content/code-security/codeql-cli/codeql-cli-manual/database-run-queries.md b/content/code-security/codeql-cli/codeql-cli-manual/database-run-queries.md
@@ -37,7 +37,7 @@ the results subdirectory of the database directory.
 The results can later be converted to readable formats by [codeql database interpret-results](/code-security/codeql-cli/codeql-cli-manual/database-interpret-results), or query-for-query by with [codeql bqrs decode](/code-security/codeql-cli/codeql-cli-manual/bqrs-decode) or [codeql bqrs interpret](/code-security/codeql-cli/codeql-cli-manual/bqrs-interpret).
 
 If your queries produce results in a form that can be interpreted as
-source-code alerts, you may find [codeql database analyze](/code-security/codeql-cli/codeql-cli-manual/database-analyze) a more convenient way to run them. [codeql database analyze](/code-security/codeql-cli/codeql-cli-manual/database-analyze) combines [codeql database run-queries](/code-security/codeql-cli/codeql-cli-manual/database-run-queries) with [codeql database interpret-results](/code-security/codeql-cli/codeql-cli-manual/database-interpret-results) in a single step. In particular, [codeql database analyze](/code-security/codeql-cli/codeql-cli-manual/database-analyze) can produce output in the SARIF format, which can be used with an variety of alert viewers.
+source-code alerts, you may find [codeql database analyze](/code-security/codeql-cli/codeql-cli-manual/database-analyze) a more convenient way to run them. [codeql database analyze](/code-security/codeql-cli/codeql-cli-manual/database-analyze) combines codeql database run-queries with [codeql database interpret-results](/code-security/codeql-cli/codeql-cli-manual/database-interpret-results) in a single step. In particular, [codeql database analyze](/code-security/codeql-cli/codeql-cli-manual/database-analyze) can produce output in the SARIF format, which can be used with an variety of alert viewers.
 
 Alternatively, if you have only a single query to run, you might prefer
 [codeql query run](/code-security/codeql-cli/codeql-cli-manual/query-run), which can display human-readable output for quick inspection of results while you're debugging.
diff --git a/content/code-security/codeql-cli/codeql-cli-manual/database-trace-command.md b/content/code-security/codeql-cli/codeql-cli-manual/database-trace-command.md
@@ -99,7 +99,7 @@ configuration files that should work in most situations.
 In addition to the specified command, run the main script for extractors
 that don't depend on tracing a build process. If you're constructing
 databases for several languages with `--db-cluster`, this option should
-be given to exactly one invocation of [codeql database trace-command](/code-security/codeql-cli/codeql-cli-manual/database-trace-command).
+be given to exactly one invocation of codeql database trace-command.
 
 #### `--[no-]use-build-mode`
 
@@ -144,7 +144,7 @@ given via `--extractor-options-file`.
 When passed to [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be
 applied to the indirect tracing environment. If your workflow also makes
 calls to
-[codeql database trace-command](/code-security/codeql-cli/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired.
+codeql database trace-command then the options also need to be passed there if desired.
 
 See <https://codeql.github.com/docs/codeql-cli/extractor-options> for
 more information on CodeQL extractor options, including how to list the
@@ -170,7 +170,7 @@ given via `--extractor-option`.
 When passed to [codeql database init](/code-security/codeql-cli/codeql-cli-manual/database-init) or `codeql database begin-tracing`, the options will only be
 applied to the indirect tracing environment. If your workflow also makes
 calls to
-[codeql database trace-command](/code-security/codeql-cli/codeql-cli-manual/database-trace-command) then the options also need to be passed there if desired.
+codeql database trace-command then the options also need to be passed there if desired.
 
 See <https://codeql.github.com/docs/codeql-cli/extractor-options> for
 more information on CodeQL extractor options, including how to list the
diff --git a/content/code-security/codeql-cli/codeql-cli-manual/dataset-cleanup.md b/content/code-security/codeql-cli/codeql-cli-manual/dataset-cleanup.md
@@ -82,6 +82,9 @@ predicates.
 `fit`: Simply make sure the defined size limits for the disk cache are
 observed, deleting as many intermediates as necessary.
 
+`overlay`: Trim to just the data that will be useful when evaluating
+against an overlay.
+
 #### `--cleanup-upgrade-backups`
 
 Delete any backup directories resulting from database upgrades.
diff --git a/content/code-security/codeql-cli/codeql-cli-manual/dataset-import.md b/content/code-security/codeql-cli/codeql-cli-manual/dataset-import.md
@@ -96,7 +96,7 @@ takes up a lot of space in the dataset.
 
 #### `--[no-]linkage-aware-import`
 
-\[Advanced] Controls whether [codeql dataset import](/code-security/codeql-cli/codeql-cli-manual/dataset-import) is linkage-aware _(default)_ or not. On projects where this part of database creation
+\[Advanced] Controls whether codeql dataset import is linkage-aware _(default)_ or not. On projects where this part of database creation
 consumes too much memory, disabling this option may help them progress
 at the expense of database completeness.
 
diff --git a/content/code-security/codeql-cli/codeql-cli-manual/execute-queries.md b/content/code-security/codeql-cli/codeql-cli-manual/execute-queries.md
@@ -32,7 +32,7 @@ codeql execute queries [--output=<dir|file.bqrs>] [--threads=<num>] <options>...
 \[Plumbing] Run one or more queries against a dataset.
 
 This command should not normally be invoked directly. Instead use either
-[codeql database run-queries](/code-security/codeql-cli/codeql-cli-manual/database-run-queries) or [codeql query run](/code-security/codeql-cli/codeql-cli-manual/query-run), which will start [codeql execute queries](/code-security/codeql-cli/codeql-cli-manual/execute-queries) with specific JVM options to tune the performance of the QL evaluator.
+[codeql database run-queries](/code-security/codeql-cli/codeql-cli-manual/database-run-queries) or [codeql query run](/code-security/codeql-cli/codeql-cli-manual/query-run), which will start codeql execute queries with specific JVM options to tune the performance of the QL evaluator.
 
 ## Options
 
diff --git a/content/code-security/codeql-cli/codeql-cli-manual/execute-query-server.md b/content/code-security/codeql-cli/codeql-cli-manual/execute-query-server.md
@@ -32,7 +32,7 @@ codeql execute query-server <options>...
 \[Deprecated] \[Plumbing] Support for running queries from IDEs.
 
 The
-[codeql execute query-server](/code-security/codeql-cli/codeql-cli-manual/execute-query-server) subcommand is unsupported and no longer works. If you are using the official CodeQL extension for Visual Studio Code, please upgrade the extension to 1.7.6 or a later version. Otherwise please migrate your CodeQL IDE integration to the `codeql execute query-server2` subcommand.
+codeql execute query-server subcommand is unsupported and no longer works. If you are using the official CodeQL extension for Visual Studio Code, please upgrade the extension to 1.7.6 or a later version. Otherwise please migrate your CodeQL IDE integration to the `codeql execute query-server2` subcommand.
 
 ## Options
 
diff --git a/content/code-security/codeql-cli/codeql-cli-manual/test-run.md b/content/code-security/codeql-cli/codeql-cli-manual/test-run.md
@@ -275,7 +275,7 @@ timed parts are "RA layers" of the optimized query, but that might
 change in the future.
 
 If no timeout is specified, or is given as 0, no timeout will be set
-(except for [codeql test run](/code-security/codeql-cli/codeql-cli-manual/test-run), where the default timeout is 5 minutes).
+(except for codeql test run, where the default timeout is 5 minutes).
 
 #### `-j, --threads=<num>`
 
diff --git a/data/reusables/code-scanning/codeql-query-tables/rust.md b/data/reusables/code-scanning/codeql-query-tables/rust.md
@@ -0,0 +1,17 @@
+{% rowheaders %}
+
+| Query name | Related CWEs | Default | Extended | {% data variables.copilot.copilot_autofix_short %} |
+| --- | --- | --- | --- | --- |
+| [Access of invalid pointer](https://codeql.github.com/codeql-query-help/rust/rust-access-invalid-pointer/) | 476, 825 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Cleartext logging of sensitive information](https://codeql.github.com/codeql-query-help/rust/rust-cleartext-logging/) | 312, 359, 532 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Cleartext transmission of sensitive information](https://codeql.github.com/codeql-query-help/rust/rust-cleartext-transmission/) | 319 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Database query built from user-controlled sources](https://codeql.github.com/codeql-query-help/rust/rust-sql-injection/) | 089 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Hard-coded cryptographic value](https://codeql.github.com/codeql-query-help/rust/rust-hard-coded-cryptographic-value/) | 259, 321, 798, 1204 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Regular expression injection](https://codeql.github.com/codeql-query-help/rust/rust-regex-injection/) | 020, 074 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Uncontrolled allocation size](https://codeql.github.com/codeql-query-help/rust/rust-uncontrolled-allocation-size/) | 770, 789 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/rust/rust-path-injection/) | 022, 023, 036, 073, 099 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Use of a broken or weak cryptographic algorithm](https://codeql.github.com/codeql-query-help/rust/rust-weak-cryptographic-algorithm/) | 327 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Use of a broken or weak cryptographic hashing algorithm on sensitive data](https://codeql.github.com/codeql-query-help/rust/rust-weak-sensitive-data-hashing/) | 327, 328, 916 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Access of a pointer after its lifetime has ended](https://codeql.github.com/codeql-query-help/rust/rust-access-after-lifetime-ended/) | 825 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+
+{% endrowheaders %}
