Which components are typically included in a GitHub Advanced Security Code Scanning workflow file?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

Which components are typically included in a GitHub Advanced Security Code Scanning workflow file?

Explanation:
The idea being tested is that GitHub Advanced Security code scanning with CodeQL is implemented as a GitHub Actions workflow written in YAML. A typical workflow file triggers on pushes and pull requests (often with a schedule as well) so analyses run for each change, checks out the repository to access the code, initializes CodeQL (the analysis engine) for the languages in the repository, builds the code where a compiled language needs it, runs the analysis (in the standard workflow this is the github/codeql-action/analyze step, which drives the CodeQL CLI), and uploads the results in SARIF format back to GitHub. That SARIF upload is what feeds GitHub's code scanning UI, so alerts appear under the Security tab and as annotations in pull request reviews; the workflow needs the security-events: write permission for the upload to succeed. This workflow pattern, YAML-defined, event-triggered, code checkout, CodeQL setup, code analysis, and SARIF upload, is how code scanning is designed to operate within GitHub.

HTML reports aren't used by GitHub to surface scanning results, a standalone shell script wouldn't integrate into GitHub's code scanning experience, and a JSON manifest doesn't constitute the actual workflow or result delivery used by code scanning.
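The workflow pattern described in the explanation, written out as an added example (this is not code from the original page or from GitHub's own template; the branch name, the schedule, the language list and the action versions are assumptions, so adjust them for the repository you scan):

```yaml
# Added example, not from the original page. A minimal CodeQL code scanning
# workflow: event triggers, checkout, CodeQL setup, analysis, SARIF upload.
# Assumptions: default branch "main", the two languages listed, action versions.
name: "CodeQL"

on:
  push:
    branches: [ "main" ]          # assumed default branch
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "30 3 * * 1"          # weekly run picks up new queries, not only new code

# Least privilege for the job token. The analyze step uploads SARIF, which is
# what requires security-events: write. contents: read is enough for checkout;
# actions: read lets the action read run metadata on private repositories.
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [ "javascript-typescript", "python" ]   # assumed languages

    steps:
      # 1. Check out the repository so CodeQL can read the source.
      - name: Checkout repository
        uses: actions/checkout@v4

      # 2. Set up CodeQL: creates the database and selects the query suite.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended     # broader security query suite than the default

      # 3. Compiled languages need a build for the database; autobuild tries to
      #    detect one. It is a no-op for interpreted languages such as these.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      # 4. Run the queries and upload the SARIF results to code scanning. The
      #    analyze step uploads automatically unless its upload input is "never".
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Commit this as a file under .github/workflows/ and the first push or pull request runs it; alerts then appear under the repository's Security tab and as checks on the pull request. The per-language category on the analyze step keeps results from the matrix jobs from overwriting each other, and the explicit permissions block is the check to make when an upload fails with an authorization error, since a workflow that lacks security-events: write can run the analysis but cannot deliver the SARIF that the UI depends on.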