The school district hires a fire marshal to inspect every building each semester. By default, the marshal follows the official district checklist, covering every standard safety item. The school director, however, has the authority to hand the marshal a written instruction document before each inspection. If the director writes 'skip your standard checklist entirely; use only the custom checklist I am providing' on the first line, the marshal sets aside the official checklist and works solely from the director's document. This is exactly what setting disable-default-queries: true does in a CodeQL config file. If instead the director prefaces the custom checklist with 'add my custom checklist ON TOP of your standard one, do not replace it,' the marshal completes the full official checklist and then continues through the director's additions. In CodeQL, prefixing a query suite with a + symbol achieves this merged behavior. The config file itself is the written instruction document the director hands over. It can tell the marshal to annotate certain items as 'skip anything tagged low-risk classroom use,' which mirrors a query-filter with an exclude rule targeting specific query IDs or severity tags. Because the school has different specialists, the director can write separate instruction documents for the electrical inspector and the structural inspector. CodeQL's per-language configuration blocks work the same way: a nested packs map can give JavaScript a different set of query packs than Java. Finally, if the master instruction document is stored in a separate locked building across town, the marshal needs a special access token to retrieve it. A CodeQL config file stored in an external private repository requires an external-repository-token passed to the init action.
Both completely replace the built-in check set with a user-defined one, removing every default item from the run.
The + signals an additive merge: the default checklist runs first, then the extra items are appended, so nothing built-in is lost.
Both are prepared in advance, handed over at the start of the process, and govern what gets checked and what gets skipped during the entire inspection or scan.
Both mark specific checklist items as out of scope using a property tag, so the inspector or scanner processes everything else but quietly passes over the excluded entries.
Each specialist follows instructions tailored to their discipline; each CodeQL language analysis follows query-pack rules tailored to that language, without cross-contamination.
In both cases the authoritative instructions live outside the normal workspace, and the agent needs an explicit credential to fetch them before work can begin.
A CodeQL config file is the director's master instruction document: it controls whether the default checklist runs at all, which items are added or excluded, which specialists follow which rules, and where the document itself is stored.