Merge pull request #165 from github/allow-additive-queries-in-workflow

Allow "additive" queries in workflow by prefixing with "+"

README.md

@@ -100,6 +100,22 @@ Use the `config-file` parameter of the `init` action to enable the configuration
 
 The configuration file must be located within the local repository. For information on how to write a configuration file, see "[Using a custom configuration](https://help.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#using-a-custom-configuration)."
 
+If you only want to customise the queries used, you can specify them in your workflow instead of creating a config file, using the `queries` property of the `init` action:
+
+```yaml
+- uses: github/codeql-action/init@v1
+  with:
+    queries: <local-or-remote-query>,<another-query>
+```
+
+By default, this will override any queries specified in a config file. If you wish to use both sets of queries, prefix the list of queries in the workflow with `+`:
+
+```yaml
+- uses: github/codeql-action/init@v1
+  with:
+    queries: +<local-or-remote-query>,<another-query>
+```
+
 ## Troubleshooting
 
 Read about [troubleshooting code scanning](https://help.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-code-scanning).

init/action.yml

@@ -17,7 +17,7 @@ inputs:
     description: Path of the config file to use
     required: false
   queries:
-    description: Comma-separated list of additional queries to run. By default, this overrides the same setting in a configuration file
+    description: Comma-separated list of additional queries to run. By default, this overrides the same setting in a configuration file; prefix with "+" to use both sets of queries.
     required: false
 runs:
   using: 'node12'