github · mbg · Feb 2, 2026 · Feb 2, 2026 · Feb 2, 2026 · Feb 2, 2026
@@ -568,3 +568,24 @@ func EmitExtractionFailedForProjects(path []string) {
 		noLocation,
 	)
 }
+
+func EmitPrivateRegistryUsed(writer DiagnosticsWriter, configs []string) {
+	lines := []string{}
+
+	for i := range configs {
+		lines = append(lines, fmt.Sprintf("* %s", configs[i]))
+	}
+
+	emitDiagnosticTo(
+		writer,
+		"go/autobuilder/analysis-using-private-registries",
+		"Go extraction used private package registries",
+		fmt.Sprintf(
+			"Go was extracted using the following private package registr%s:\n\n%s\n",
+			plural(len(lines), "y", "ies"),
+			strings.Join(lines, "\n")),
+		severityNote,
+		fullVisibility,
+		noLocation,
+	)
+}
@@ -83,3 +83,46 @@ func Test_EmitCannotFindPackages_Actions(t *testing.T) {
 	// Custom build command suggestion
 	assert.Contains(t, d.MarkdownMessage, "If any of the packages are already present in the repository")
 }
+
+func Test_EmitPrivateRegistryUsed_Single(t *testing.T) {
+	writer := newMemoryDiagnosticsWriter()
+
+	testItems := []string{
+		"https://github.com/github/example (Git Source)",
+	}
+
+	EmitPrivateRegistryUsed(writer, testItems)
+
+	assert.Len(t, writer.diagnostics, 1, "Expected one diagnostic to be emitted")
+
+	d := writer.diagnostics[0]
+	assert.Equal(t, d.Source.Id, "go/autobuilder/analysis-using-private-registries")
+	assert.Equal(t, d.Severity, string(severityNote))
+	assert.Contains(t, d.MarkdownMessage, "following private package registry")
+
+	for i := range testItems {
+		assert.Contains(t, d.MarkdownMessage, testItems[i])
+	}
+}
+
+func Test_EmitPrivateRegistryUsed_Multiple(t *testing.T) {
+	writer := newMemoryDiagnosticsWriter()
+
+	testItems := []string{
+		"https://github.com/github/example (Git Source)",
+		"https://example.com/goproxy (GOPROXY Server)",
+	}
+
+	EmitPrivateRegistryUsed(writer, testItems)
+
+	assert.Len(t, writer.diagnostics, 1, "Expected one diagnostic to be emitted")
+
+	d := writer.diagnostics[0]
+	assert.Equal(t, d.Source.Id, "go/autobuilder/analysis-using-private-registries")
+	assert.Equal(t, d.Severity, string(severityNote))
+	assert.Contains(t, d.MarkdownMessage, "following private package registries")
+
+	for i := range testItems {
+		assert.Contains(t, d.MarkdownMessage, testItems[i])
+	}
+}
@@ -1,4 +1,4 @@
-package util
+package registries
 
 import (
 	"encoding/json"
@@ -8,6 +8,8 @@ import (
 	"os"
 	"os/exec"
 	"strings"
+
+	"github.com/github/codeql-go/extractor/diagnostics"
 )
 
 const PROXY_HOST = "CODEQL_PROXY_HOST"
@@ -22,6 +24,19 @@ type RegistryConfig struct {
 	URL  string `json:"url"`
 }
 
+func (config *RegistryConfig) Pretty() string {
+	pretty_type := "other"
+
+	switch config.Type {
+	case GIT_SOURCE:
+		pretty_type = "Git Source"
+	case GOPROXY_SERVER:
+		pretty_type = "GOPROXY Server"
+	}
+
+	return fmt.Sprintf("`%s` (%s)", config.URL, pretty_type)
+}
+
 // The address of the proxy including protocol and port (e.g. http://localhost:1234)
 var proxy_address string
 
@@ -97,24 +112,40 @@ func getEnvVars() []string {
 		if err != nil {
 			slog.Error("Unable to parse proxy configurations", slog.String("error", err.Error()))
 		} else {
+			activeConfigs := []RegistryConfig{}
+
 			// We only care about private registry configurations that are relevant to Go and
 			// filter others out at this point.
 			for _, cfg := range val {
 				if cfg.Type == GOPROXY_SERVER {
 					goproxy_servers = append(goproxy_servers, cfg.URL)
 					slog.Info("Found GOPROXY server", slog.String("url", cfg.URL))
+					activeConfigs = append(activeConfigs, cfg)
 				} else if cfg.Type == GIT_SOURCE {
 					parsed, err := url.Parse(cfg.URL)
 					if err == nil && parsed.Hostname() != "" {
 						git_source := parsed.Hostname() + parsed.Path + "*"
 						git_sources = append(git_sources, git_source)
 						slog.Info("Found Git source", slog.String("source", git_source))
+						activeConfigs = append(activeConfigs, cfg)
 					} else {
 						slog.Warn("Not a valid URL for Git source", slog.String("url", cfg.URL))
 					}
 				}
 			}
 
+			// Emit a diagnostic to make it easy for users to see that private registry
+			// configurations were picked up by the Go analysis.
+			if len(activeConfigs) > 0 {
+				prettyConfigs := []string{}
+				for i := range activeConfigs {
+					prettyConfigs = append(prettyConfigs, activeConfigs[i].Pretty())
+				}
+
+				diagnostics.EmitPrivateRegistryUsed(diagnostics.DefaultWriter, prettyConfigs)
+			}
+
+			// Assemble environment variables for Go.
 			goprivate := []string{}
 
 			if len(goproxy_servers) > 0 {

@@ -1,4 +1,4 @@
-package util
+package registries
 
 import (
 	"testing"

@@ -10,6 +10,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/github/codeql-go/extractor/registries"
 	"github.com/github/codeql-go/extractor/util"
 )
 
@@ -140,7 +141,7 @@ func SupportsWorkspaces() bool {
 // Constructs a `*exec.Cmd` for `go` with the specified arguments.
 func GoCommand(arg ...string) *exec.Cmd {
 	cmd := exec.Command("go", arg...)
-	util.ApplyProxyEnvVars(cmd)
+	registries.ApplyProxyEnvVars(cmd)
 	return cmd
 }