Private registries in Code Scanning: Document new diagnostic features (#59947)

mbg · mchammer01 · web-flow · commit d1ebebdc78d6 · 2026-03-03T16:28:06.000Z
Co-authored-by: mc &lt;42146119+mchammer01@users.noreply.github.com&gt;
diff --git a/content/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/codeql-code-scanning-for-compiled-languages.md b/content/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/codeql-code-scanning-for-compiled-languages.md
@@ -333,7 +333,7 @@ When you enable default setup for a repository that contains C# code, the build
 
 {% data variables.product.prodname_codeql %} restores dependencies and generates a few additional source files, to give more accurate results, before creating a database from all the source files and dependencies.
 
-Dependencies are restored using multiple heuristics and strategies. The following files are the primary source of information: `*.csproj`, `*.sln`, `nuget.config`, `packages.config`, `global.json`, and `project.assets.json`. {% ifversion org-private-registry %}If a private NuGet feed is defined for the organization, this is also used, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries) and [Determining whether code scanning default setup used any private registries](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#determining-whether-code-scanning-default-setup-used-any-private-registries).{% endif %}
+Dependencies are restored using multiple heuristics and strategies. The following files are the primary source of information: `*.csproj`, `*.sln`, `nuget.config`, `packages.config`, `global.json`, and `project.assets.json`. {% ifversion org-private-registry %}If a private NuGet feed is defined for the organization, this is also used, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries) and [Diagnostic information for private package registries](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#diagnostic-information-for-private-package-registries).{% endif %}
 
 The following generated source files are optional, but significantly increase the correctness of the {% data variables.product.prodname_codeql %} database:
 
@@ -464,7 +464,7 @@ If you later add Kotlin code to a repository that uses the `none` build mode, {%
 
 {% data variables.product.prodname_codeql %} will attempt to run Gradle or Maven to extract accurate dependency information (but not to invoke a build), before creating a database from all Java files present. Every root Maven or Gradle project file (a build script without any build script present in an ancestor directory) is queried for dependency information, and more recent dependency versions are preferred if there is a clash. For information about the runner requirements to run Maven or Gradle, see [Runner requirements for Java](#runner-requirements-for-java).
 
- {% ifversion org-private-registry %}If a private Maven registry is defined for the organization, this is also used, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries) and [Determining whether code scanning default setup used any private registries](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#determining-whether-code-scanning-default-setup-used-any-private-registries).{% endif %}
+ {% ifversion org-private-registry %}If a private Maven registry is defined for the organization, this is also used, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries) and [Diagnostic information for private package registries](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#diagnostic-information-for-private-package-registries).{% endif %}
 
 #### Accuracy of no build analysis for Java
 
diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries.md
@@ -59,7 +59,9 @@ When you enable {% data variables.product.prodname_code_scanning %} default setu
 
 When configuring private registries for the first time, you need to disable and re-enable {% data variables.product.prodname_code_scanning %} default setup for any repositories that you want to use the new definition. New or modified configurations will be automatically picked up on subsequent runs.
 
-You can confirm whether private registries were used successfully by {% data variables.product.prodname_code_scanning %} analysis by looking in the Actions log files, see [Determining whether code scanning default setup used any private registries](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#determining-whether-code-scanning-default-setup-used-any-private-registries).
+For languages supporting private package registries, {% data variables.product.prodname_code_scanning %} default setup will produce information on the {% data variables.code-scanning.tool_status_page %}. This shows you which private registry configurations were available to an analysis, but not whether {% data variables.product.prodname_code_scanning %} default setup was able to successfully download private dependencies from them. For more information about the {% data variables.code-scanning.tool_status_page %}, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page).
+
+Alternatively, you can confirm whether private registries were configured for a {% data variables.product.prodname_code_scanning %} analysis by looking in the Actions logs. See [Diagnostic information for private package registries](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#diagnostic-information-for-private-package-registries).
 
 ## {% data variables.product.prodname_code_scanning_caps %} advanced setup access to private registries
 
diff --git a/content/code-security/how-tos/view-and-interpret-data/viewing-code-scanning-logs.md b/content/code-security/how-tos/view-and-interpret-data/viewing-code-scanning-logs.md
@@ -75,9 +75,9 @@ After configuring {% data variables.product.prodname_code_scanning %} for your r
 
 {% ifversion org-private-registry %}
 
-### Determining whether {% data variables.product.prodname_code_scanning %} default setup used any private registries
+### Diagnostic information for private package registries
 
-{% data variables.product.prodname_code_scanning_caps %} default setup workflows include a `Setup proxy for registries` step. When you are looking at a workflow run for default setup, you can expand this step to view the corresponding log and look for the following messages:
+{% data variables.product.prodname_code_scanning_caps %} default setup workflows include a `Setup proxy for registries` step. When you are looking at a workflow run for default setup, you can expand this step to view the corresponding log. This contains information about which private package registry configurations were available to the analysis. Additionally, the log contains some diagnostic information which may help with troubleshooting if the private package registries are not successfully used by {% data variables.product.prodname_code_scanning %} default setup. Look for the following messages:
 
 * `Using registries_credentials input.` At least one private registry is configured for the organization. This includes configurations for private registry types which are not supported by {% data variables.product.prodname_code_scanning %} default setup. For more details about supported registry types, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries).
 
@@ -86,6 +86,10 @@ After configuring {% data variables.product.prodname_code_scanning %} for your r
   * Otherwise, one line for each supported configuration that was successfully loaded is shown. For example, a line containing `Type: nuget_feed; Host: undefined; Url: https://nuget.pkg.github.com/; Username: undefined; Password: true; Token: false` indicates that a private NuGet Feed configuration was loaded.
   * The information about the configuration in the log may not match exactly what is configured for the organization in the UI. For example, the log may indicate that a `Password` is set, even though a `Token` is configured in the UI.
 
+* `Proxy started on 127.0.0.1:49152` The authentication proxy that is used by {% data variables.product.prodname_code_scanning %} default setup to authenticate to the configured private package registries was started successfully.
+
+* Following this, there may be messages about the outcomes of connection tests which try to reach the configured private package registries through the authentication proxy. This is a best-effort process. If these checks are not successful for some registries, it does not necessarily mean that the relevant configurations are not working. However, if you find that {% data variables.product.prodname_code_scanning %} default setup is unable to successfully access dependencies in the private registries during the analysis, then this may provide some information to help troubleshoot the issue.
+
 If the output from the `Setup proxy for registries` step is as expected, but {% data variables.product.prodname_code_scanning %} default setup is unable to successfully access dependencies in the private registries, you can obtain additional troubleshooting information. See [AUTOTITLE](/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup).
 
 For more information about giving {% data variables.product.prodname_code_scanning %} default setup access to private registries, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries).
