codeql
SKILL.md
CodeQL Static Analysis
When to Use CodeQL
Ideal scenarios:
- Source code access with ability to build (for compiled languages)
- Open-source projects or GitHub Advanced Security license
- Need for interprocedural data flow and taint tracking
- Finding complex vulnerabilities requiring AST/CFG analysis
- Comprehensive security audits where analysis time is not critical
Consider Semgrep instead when:
- No build capability for compiled languages
- Licensing constraints
- Need fast, lightweight pattern matching
- Simple, single-file analysis is sufficient
Why Interprocedural Analysis Matters
Simple grep/pattern tools only see one function at a time. Real vulnerabilities often span multiple functions:
HTTP Handler → Input Parser → Business Logic → Database Query
↓ ↓ ↓ ↓
source transforms passes sink (SQL)
CodeQL tracks data flow across all these steps. A tainted input in the handler can be traced through 5+ function calls to find where it reaches a dangerous sink.
Installation
CodeQL CLI
# macOS/Linux (Homebrew)
brew install --cask codeql
# Update
brew upgrade codeql
Trail of Bits Queries (Optional)
# Download ToB query packs
codeql pack download trailofbits/cpp-queries trailofbits/go-queries
# Verify installation
codeql resolve qlpacks | grep trailofbits
Core Workflow
1. Create Database
codeql database create codeql.db --language=<LANG> [--command='<BUILD>'] --source-root=.
| Language | --language= |
Build Required |
|---|---|---|
| Python | python |
No |
| JavaScript/TypeScript | javascript |
No |
| Go | go |
No |
| Rust | rust |
Yes (--command='cargo build') |
| Java/Kotlin | java |
Yes (--command='./gradlew build') |
| C/C++ | cpp |
Yes (--command='make -j8') |
2. Run Analysis
# SARIF output (recommended)
codeql database analyze codeql.db \
--format=sarif-latest \
--output=results.sarif \
-- codeql/python-queries:codeql-suites/python-security-extended.qls
# With Trail of Bits queries
codeql database analyze codeql.db \
--format=sarif-latest \
--output=results.sarif \
-- trailofbits/go-queries
Writing Custom Queries
Basic Template
/**
* @name Find SQL injection vulnerabilities
* @description Identifies potential SQL injection from user input
* @kind path-problem
* @problem.severity error
* @security-severity 9.0
* @precision high
* @id py/sql-injection
* @tags security
* external/cwe/cwe-089
*/
import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
module SqlInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
// Define taint sources (user input)
exists(source)
}
predicate isSink(DataFlow::Node sink) {
// Define dangerous sinks (SQL execution)
exists(sink)
}
}
module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;
from SqlInjectionFlow::PathNode source, SqlInjectionFlow::PathNode sink
where SqlInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "SQL injection from $@.", source.getNode(), "user input"
Query Metadata
| Field | Description | Values |
|---|---|---|
@kind |
Query type | problem, path-problem |
@problem.severity |
Issue severity | error, warning, recommendation |
@security-severity |
CVSS score | 0.0 - 10.0 |
@precision |
Confidence | very-high, high, medium, low |
CI/CD Integration (GitHub Actions)
name: CodeQL Analysis
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '0 0 * * 1' # Weekly
jobs:
analyze:
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
matrix:
language: ['python', 'javascript']
steps:
- uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: security-extended, security-and-quality
- uses: github/codeql-action/autobuild@v3
- uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ matrix.language }}"
Troubleshooting
| Issue | Solution |
|---|---|
| Database creation fails | Clean build environment, verify build command works independently |
| Slow analysis | Use --threads, narrow query scope, check query complexity |
| Missing results | Check file exclusions, verify source files were parsed |
| Out of memory | Set CODEQL_RAM=48000 environment variable (48GB) |
Rationalizations to Reject
| Shortcut | Why It's Wrong |
|---|---|
| "No findings means the code is secure" | CodeQL only finds patterns it has queries for |
| "This code path looks safe" | Complex data flow can hide vulnerabilities across 5+ function calls |
| "Small change, low risk" | Small changes can introduce critical bugs; run full analysis |
| "The query didn't flag it" | Default query suites don't cover everything; check custom queries |
Resources
- Docs: https://codeql.github.com/docs/
- Query Help: https://codeql.github.com/codeql-query-help/
- Security Lab: https://securitylab.github.com/
- Trail of Bits Queries: https://github.com/trailofbits/codeql-queries
Attribution
Based on trailofbits/skills codeql skill.
Weekly Installs
3
Repository
5dlabs/ctoFirst Seen
Jan 24, 2026
Installed on
claude-code2
windsurf1
trae1
opencode1
codex1
antigravity1