jorgectf
diff --git a/‎docs/codeql/codeql-cli/about-codeql-packs.rst
Lines changed: 104 additions & 0 deletions b/‎docs/codeql/codeql-cli/about-codeql-packs.rst
Lines changed: 104 additions & 0 deletions
diff --git a/‎docs/codeql/codeql-cli/about-ql-packs.rst
Lines changed: 1 addition & 1 deletion b/‎docs/codeql/codeql-cli/about-ql-packs.rst
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
Lines changed: 51 additions & 26 deletions b/‎docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
Lines changed: 51 additions & 26 deletions
diff --git a/‎docs/codeql/codeql-cli/codeql-cli-reference.rst
Lines changed: 2 additions & 0 deletions b/‎docs/codeql/codeql-cli/codeql-cli-reference.rst
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,104 @@
+.. _about-codeql-packs:
+
+About CodeQL packs
+==================
+
+.. include:: ../reusables/beta-note-package-management.rst
+
+CodeQL packs are used to create, share, depend on, and run CodeQL queries and libraries. You can publish your own CodeQL packs and download packs created by others. CodeQL packs contain queries, library files, query suites, and metadata.
+
+There are two types of CodeQL packs: query packs and library packs.
+
+* Query packs are designed to be run. When a query pack is published, the bundle includes all the transitive dependencies and a compilation cache. This ensures consistent and efficient execution of the queries in the pack.
+* Library packs are designed to be used by query packs (or other library packs) and do not contain queries themselves. The libraries are not compiled and there is no compilation cache included when the pack is published.
+
+You can use the package management commands in the CodeQL CLI to create CodeQL packs, add dependencies to packs, and install or update dependencies. For more information, see ":ref:`Creating and working with CodeQL packs <creating-and-working-with-codeql-packs>`." You can also publish and download CodeQL packs using the CodeQL CLI. For more information, see ":doc:`Publishing and using CodeQL packs <publishing-and-using-codeql-packs>`."
+
+CodeQL pack structure
+---------------------
+
+A CodeQL pack must contain a file called ``qlpack.yml`` in its root directory. In the ``qlpack.yml`` file, the ``name:`` field must have a value that follows the format of ``<scope>/<pack>``, where ``<scope>`` is the GitHub organization or user account that the pack will be published to and ``<pack>`` is the name of the pack. The other
+files and directories within the pack should be logically organized. For example, typically:
+
+- Queries are organized into directories for specific categories.
+- Queries for specific products, libraries, and frameworks are organized into
+  their own top-level directories.
+
+About ``qlpack.yml`` files
+--------------------------
+
+When executing query-related commands, CodeQL first looks in siblings of the installation directory (and their subdirectories) for ``qlpack.yml`` files. 
+Then it checks the package cache for CodeQL packs which have been downloaded. This means that when you are developing queries locally, the local packages 
+in the installation directory override packages of the same name in the package cache, so that you can test your local changes.
+
+The metadata in each `qlpack.yml`` file tells
+CodeQL how to compile any queries in the pack, what libraries the pack depends on, and where to
+find query suite definitions.
+
+The contents of the CodeQL pack (queries or libraries used in CodeQL analysis) is
+included in the same directory as ``qlpack.yml``, or its subdirectories.
+
+The location of ``qlpack.yml`` defines the library path for the content
+of the CodeQL pack. That is, for all ``.ql`` and ``.qll`` files in the pack,
+CodeQL will resolve all import statements relative to the ``qlpack.yml`` at the
+pack's root.
+
+.. _codeqlpack-yml-properties:
+
+``qlpack.yml`` properties
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The following properties are supported in ``qlpack.yml`` files.
+
+.. list-table::
+   :header-rows: 1
+   :widths: auto
+
+   * - Property
+     - Example
+     - Required
+     - Purpose
+   * - ``name``
+     - ``octo-org/security-queries``
+     - All packs
+     - The scope, where the CodeQL pack is published, and the name of the pack defined using alphanumeric characters and hyphens. It must be unique as CodeQL cannot differentiate between CodeQL packs with identical names. Name components cannot start or end with a hyphen. Additionally, a period is not allowed in pack names at all. Use the pack name to specify queries to run using ``database analyze`` and to define dependencies between QL packs (see examples below).
+   * - ``version``
+     - ``0.0.0``
+     - All packs
+     - A version range for this CodeQL pack. This must be a valid semantic version that meets the `SemVer v2.0.0 specification <https://semver.org/spec/v2.0.0.html>`__.
+   * - ``dependencies``
+     - ``codeql/javascript-all: ^1.2.3``
+     - Optional
+     - The names and version ranges of any CodeQL packs that this pack depends on, as a mapping. This gives the pack access to any libraries, database schema, and query suites defined in the dependency. For more information, see `SemVer ranges <https://docs.npmjs.com/cli/v6/using-npm/semver#ranges>`__ in the NPM documentation.
+   * - ``suites``
+     - ``octo-org-query-suites``
+     - Optional
+     - The path to a directory in the pack that contains the query suites you want to make known to the CLI, defined relative to the pack directory. QL pack users can run "well-known" suites stored in this directory by specifying the pack name, without providing their full path. This is not supported for CodeQL packs downloaded from a package registry. For more information about query suites, see ":doc:`Creating CodeQL query suites <creating-codeql-query-suites>`."
+   * - ``extractor``
+     - ``javascript``
+     - All test packs
+     - The CodeQL language extractor to use when the CLI creates a database in the pack. For more information about testing queries, see ":doc:`Testing custom queries <testing-custom-queries>`."
+   * - ``tests``
+     - ``.``
+     - Optional for test packs
+     - The path to a directory within the pack that contains tests, defined relative to the pack directory. Use ``.`` to specify the whole pack. Any queries in this directory are run as tests when ``test run`` is run with the ``--strict-test-discovery`` option. These queries are ignored by query suite definitions that use ``queries`` or ``qlpack``    instructions to ask for all queries in a particular pack.
+   * - ``dbscheme``
+     - ``semmlecode.python.dbscheme``
+     - Core language packs only
+     - The path to the :ref:`database schema <codeql-database-schema>` for all libraries and queries written for this CodeQL language (see example below).
+   * - ``upgrades``
+     - ``.``
+     - Core language packs only
+     - The path to a directory within the pack that contains upgrade scripts, defined relative to the pack directory. The ``database upgrade`` action uses these scripts to update databases that were created by an older version of an extractor so they're compatible with the current extractor (see `Upgrade scripts for a language <#upgrade-scripts-for-a-language>`__ below.)
+   * - ``authors``
+     - ``[email protected]``
+     - All packs
+     - Metadata that will be displayed on the packaging search page in the packages section of the account that the CodeQL pack is published to.
+   * - ``licenses``
+     - ``(LGPL-2.1 AND MIT)``
+     - All packs
+     - Metadata that will be displayed on the packaging search page in the packages section of the account that the CodeQL pack is published to. For a list of allowed licenses, see `SPDX License List <https://spdx.org/licenses/>`__ in the SPDX Specification. 
+   * - ``description``
+     - ``Human-readable description of the contents of the CodeQL pack.``
+     - All packs
+     - Metadata that will be displayed on the packaging search page in the packages section of the account that the CodeQL pack is published to.
@@ -87,7 +87,7 @@ The following properties are supported in ``qlpack.yml`` files.
    * - ``suites``
      - ``suites``
      - Optional
-     - The path to a directory that contains the "well-known" query suites in the pack, defined relative to the pack directory. You can run "well-known" suites stored in this directory by specifying the pack name, without providing their full path. To use query suites stored in other directories in the pack, you must provide their full path. For more information about query suites, see ":doc:`Creating CodeQL query suites <creating-codeql-query-suites>`."
+     - The path to a directory in the pack that contains the query suites you want to make known to the CLI, defined relative to the pack directory. QL pack users can run "well-known" suites stored in this directory by specifying the pack name, without providing their full path. For more information about query suites, see ":doc:`Creating CodeQL query suites <creating-codeql-query-suites>`."
    * - ``extractor``
      - ``javascript``
      - All test packs
 
@@ -16,9 +16,9 @@ For information about writing queries to run with ``database analyze``, see
 Before starting an analysis you must:
 
 - :doc:`Set up the CodeQL CLI <getting-started-with-the-codeql-cli>` so that it can find the queries
-  and libraries included in the CodeQL repository. 
-- :doc:`Create a CodeQL database <creating-codeql-databases>` for the source 
-  code you want to analyze. 
+  and libraries included in the CodeQL repository.
+- :doc:`Create a CodeQL database <creating-codeql-databases>` for the source
+  code you want to analyze.
 
 
 Running ``codeql database analyze``
@@ -65,7 +65,7 @@ You can also specify:
 - .. include:: ../reusables/threads-query-execution.rst
 
 
-.. pull-quote:: 
+.. pull-quote::
 
    Upgrading databases
 
@@ -94,36 +94,52 @@ Running a single query
 To run a single query over a CodeQL database for a JavaScript codebase,
 you could use the following command from the directory containing your database::
 
-   codeql database analyze <javascript-database> ../ql/javascript/ql/src/Declarations/UnusedVariable.ql --format=csv --output=js-analysis/js-results.csv 
+   codeql database analyze <javascript-database> ../ql/javascript/ql/src/Declarations/UnusedVariable.ql --format=csv --output=js-analysis/js-results.csv
 
 This command runs a simple query that finds potential bugs related to unused
 variables, imports, functions, or classes---it is one of the JavaScript
 queries included in the CodeQL repository. You could run more than one query by
 specifying a space-separated list of similar paths.
 
 The analysis generates a CSV file (``js-results.csv``) in a new directory
-(``js-analysis``).  
+(``js-analysis``).
 
 You can also run your own custom queries with the ``database analyze`` command.
 For more information about preparing your queries to use with the CodeQL CLI,
 see ":doc:`Using custom queries with the CodeQL CLI <using-custom-queries-with-the-codeql-cli>`."
 
-Running GitHub code scanning suites
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Running a CodeQL pack
+~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: ../reusables/beta-note-package-management.rst
+
+To run an existing CodeQL query pack from the GitHub Container registry, you need to download it first::
+
+   codeql pack download microsoft/[email protected]
+
+Afterwards, you can run the pack on a specific database::
+
+   codeql database analyze <database> microsoft/[email protected] <scope>/<other-pack> --format=sarifv2.1.0 --output=query-results.sarif
+
+The ``analyze`` command above runs the default suite from ``microsoft/coding-standards v1.0.0`` and the latest version of ``scope/other-pack`` on the specified database.
+For further information about default suites, see ":ref:`Publishing and using CodeQL packs <publishing-and-using-codeql-packs>`".
 
-To run the GitHub code scanning suite of queries over a CodeQL database for a C/C++ codebase, 
+Running query suites
+~~~~~~~~~~~~~~~~~~~~
+
+To run a query suite over a CodeQL database for a C/C++ codebase,
 you could use the following command from the directory containing your database::
 
    codeql database analyze <cpp-database> cpp-code-scanning.qls --format=sarifv2.1.0 --output=cpp-results.sarif
 
 The analysis generates a file in the v2.1.0 SARIF format that is supported by all versions of GitHub.
-This file can be uploaded to GitHub using ``github upload-results`` or the code scanning API.
-For more information, see `Analyzing a CodeQL database <https://docs.github.com/en/code-security/secure-coding/configuring-codeql-cli-in-your-ci-system#analyzing-a-codeql-database>`__ 
+This file can be uploaded to GitHub by executing ``codeql github upload-results`` or the code scanning API.
+For more information, see `Analyzing a CodeQL database <https://docs.github.com/en/code-security/secure-coding/configuring-codeql-cli-in-your-ci-system#analyzing-a-codeql-database>`__
 or `Code scanning API <https://docs.github.com/en/rest/reference/code-scanning>`__ in the GitHub documentation.
 
-CodeQL query suites are ``.qls`` files that use directives to select queries to run 
+CodeQL query suites are ``.qls`` files that use directives to select queries to run
 based on certain metadata properties. The standard QL packs have metadata that specify
-the location of the code scanning suites, so the CodeQL CLI knows where to find these 
+the location of the query suites used by code scanning, so the CodeQL CLI knows where to find these
 suite files automatically, and you don't have to specify the full path on the command line.
 For more information, see ":ref:`About QL packs <standard-ql-packs>`."
 
@@ -137,7 +153,7 @@ and at the following path in the CodeQL for Go repository::
    ql/src/codeql-suites/go-code-scanning.qls
 
 The repository also includes the query suites used by `LGTM.com <https://lgtm.com>`__.
-These are stored alongside the code scanning suites with names of the form: ``<language>-lgtm.qls``.
+These are stored alongside the query suites for code scanning with names of the form: ``<language>-lgtm.qls``.
 
 For information about creating custom query suites, see ":doc:`Creating
 CodeQL query suites <creating-codeql-query-suites>`."
@@ -149,12 +165,21 @@ When you create a CodeQL database, the extractor stores diagnostic data in the d
 
 If the analysis found fewer results for standard queries than you expected, review the results of the diagnostic and summary queries to check whether the CodeQL database is likely to be a good representation of the codebase that you want to analyze.
 
+Integrating a CodeQL pack into a code scanning workflow in GitHub
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: ../reusables/beta-note-package-management.rst
+
+You can use CodeQL query packs in your Code Scanning setup. This allows you to select query packs published by various sources and use them to analyze your code. 
+For more information, see "`Using CodeQL query packs in the CodeQL action <https://docs.github.com/en/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-codeql-query-packs/>`_" or "`Downloading and using CodeQL query packs in your CI system <https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#downloading-and-using-codeql-query-packs>`_."
+
+
 Running all queries in a directory
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 You can run all the queries located in a directory by providing the directory
 path, rather than listing all the individual query files. Paths are searched
-recursively, so any queries contained in subfolders will also be executed. 
+recursively, so any queries contained in subfolders will also be executed.
 
 .. pull-quote::
 
@@ -164,12 +189,12 @@ recursively, so any queries contained in subfolders will also be executed.
    <about-ql-packs>` when executing ``database analyze``
    as it contains some special queries that aren't designed to be used with
    the command. Rather, to run a wide range of useful queries, run one of the
-   LGTM.com query suites. 
-   
+   LGTM.com query suites.
+
 For example, to execute all Python queries contained in the ``Functions``
 directory you would run::
 
-   codeql database analyze <python-database> ../ql/python/ql/src/Functions/ --format=sarif-latest --output=python-analysis/python-results.sarif 
+   codeql database analyze <python-database> ../ql/python/ql/src/Functions/ --format=sarif-latest --output=python-analysis/python-results.sarif
 
 A SARIF results file is generated. Specifying ``--format=sarif-latest`` ensures
 that the results are formatted according to the most recent SARIF specification
@@ -196,19 +221,19 @@ corresponds to an alert. Each line is a comma-separated list with the following
      - Description
      - Example
    * - Name
-     - Name of the query that identified the result. 
+     - Name of the query that identified the result.
      - ``Inefficient regular expression``
    * - Description
-     - Description of the query. 
-     - ``A regular expression that requires exponential time to match certain 
-       inputs can be a performance bottleneck, and may be vulnerable to 
+     - Description of the query.
+     - ``A regular expression that requires exponential time to match certain
+       inputs can be a performance bottleneck, and may be vulnerable to
        denial-of-service attacks.``
    * - Severity
      - Severity of the query.
      - ``error``
    * - Message
-     - Alert message. 
-     - ``This part of the regular expression may cause exponential backtracking 
+     - Alert message.
+     - ``This part of the regular expression may cause exponential backtracking
        on strings containing many repetitions of '\\\\'.``
    * - Path
      - Path of the file containing the alert.
@@ -225,14 +250,14 @@ corresponds to an alert. Each line is a comma-separated list with the following
        included when the same value as the start line.
      - ``64``
    * - End column
-     - Where available, the column of the end line that marks the end of the 
+     - Where available, the column of the end line that marks the end of the
        alert code. Otherwise the end line is repeated.
      - ``617``
 
 Results files can be integrated into your own code-review or debugging
 infrastructure. For example, SARIF file output can be used to highlight alerts
 in the correct location in your source code using a SARIF viewer plugin for your
-IDE. 
+IDE.
 
 Further reading
 ---------------
 
@@ -9,12 +9,14 @@ Learn more about the files you can use when running CodeQL processes and the res
    :titlesonly:
    :hidden:
 
+   about-codeql-packs
    about-ql-packs
    query-reference-files
    sarif-output
    exit-codes
 
 
+- :doc:`About CodeQL packs <about-codeql-packs>`: CodeQL packs are created with the CodeQL CLI and are used to create, depend on, publish, and run CodeQL queries and libraries.
 - :doc:`About QL packs <about-ql-packs>`: QL packs are used to organize the files used in CodeQL analysis. They
   contain queries, library files, query suites, and important metadata. 
 - :doc:`Query reference files <query-reference-files>`: A query reference file is text file that defines the location of one query to test.