require-codeql-category-when-language-matrix

Rule catalog ID: R114

Targeted pattern scope

CodeQL analyze steps inside jobs that use a CodeQL language matrix (strategy.matrix.language or strategy.matrix.include[*].language).

What this rule reports

This rule reports CodeQL analyze steps that do not set with.category to include matrix.language when the job uses a language matrix.

Why this rule exists

When CodeQL runs in a language matrix, the SARIF category is the easiest way to keep uploads distinct and understandable in the code scanning UI. Requiring a matrix-aware category helps avoid ambiguous result grouping.

❌ Incorrect

- uses: github/codeql-action/analyze@v4

✅ Correct

- uses: github/codeql-action/analyze@v4
  with:
    category: /language:${{ matrix.language }}

Additional examples

This rule only applies when the job uses a language matrix dimension. Single-language CodeQL jobs are ignored.

ESLint flat config example

import githubActions from "eslint-plugin-github-actions-2";

export default [githubActions.configs.codeScanning];

When not to use it

Disable this rule if your repository intentionally accepts a shared category across matrix jobs and that grouping has already been reviewed.

Targeted pattern scope​

What this rule reports​

Why this rule exists​

❌ Incorrect​

✅ Correct​

Additional examples​

ESLint flat config example​

When not to use it​

Further reading​