{
  "id": 15447,
  "url": "https://github.com/advanced-security/awesome-codeql",
  "name": "awesome-codeql",
  "description": "A curated list of awesome CodeQL resources.",
  "projects_count": 89,
  "last_synced_at": "2026-06-17T22:00:22.732Z",
  "repository": {
    "id": 147630129,
    "uuid": "611843955",
    "full_name": "advanced-security/awesome-codeql",
    "owner": "advanced-security",
    "description": "A curated list of awesome CodeQL resources.",
    "archived": false,
    "fork": false,
    "pushed_at": "2026-05-28T12:38:36.000Z",
    "size": 236,
    "stargazers_count": 86,
    "open_issues_count": 1,
    "forks_count": 8,
    "subscribers_count": 3,
    "default_branch": "main",
    "last_synced_at": "2026-06-01T06:04:19.600Z",
    "etag": null,
    "topics": ["awesome", "awesome-list", "github-advanced-security"],
    "latest_commit_sha": null,
    "homepage": "",
    "language": null,
    "has_issues": true,
    "has_wiki": null,
    "has_pages": null,
    "mirror_url": null,
    "source_name": null,
    "license": "mit",
    "status": null,
    "scm": "git",
    "pull_requests_enabled": true,
    "icon_url": "https://github.com/advanced-security.png",
    "metadata": {
      "files": {
        "readme": "README.md",
        "changelog": null,
        "contributing": "CONTRIBUTING.md",
        "funding": null,
        "license": "LICENSE.txt",
        "code_of_conduct": "CODE_OF_CONDUCT.md",
        "threat_model": null,
        "audit": null,
        "citation": null,
        "codeowners": "CODEOWNERS",
        "security": "SECURITY.md",
        "support": "SUPPORT.md",
        "governance": null,
        "roadmap": null,
        "authors": null,
        "dei": null,
        "publiccode": null,
        "codemeta": null,
        "zenodo": null,
        "notice": null,
        "maintainers": null,
        "copyright": null,
        "agents": null,
        "dco": null,
        "cla": null
      }
    },
    "created_at": "2023-03-09T16:54:52.000Z",
    "updated_at": "2026-05-28T12:38:40.000Z",
    "dependencies_parsed_at": "2024-01-09T20:48:32.014Z",
    "dependency_job_id": "637bb8bb-bbaf-47e5-a2b5-326bc08753dd",
    "html_url": "https://github.com/advanced-security/awesome-codeql",
    "commit_stats": null,
    "previous_names": ["advanced-security/awesome-codeql"],
    "tags_count": 0,
    "template": false,
    "template_full_name": null,
    "purl": "pkg:github/advanced-security/awesome-codeql",
    "repository_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fawesome-codeql",
    "tags_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fawesome-codeql/tags",
    "releases_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fawesome-codeql/releases",
    "manifests_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fawesome-codeql/manifests",
    "owner_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/advanced-security",
    "download_url": "https://codeload.github.com/advanced-security/awesome-codeql/tar.gz/refs/heads/main",
    "sbom_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fawesome-codeql/sbom",
    "scorecard": null,
    "host": {
      "name": "GitHub",
      "url": "https://github.com",
      "kind": "github",
      "repositories_count": 286080680,
      "owners_count": 34466929,
      "icon_url": "https://github.com/github.png",
      "version": null,
      "created_at": "2022-05-30T11:31:42.601Z",
      "updated_at": "2026-05-26T15:22:16.424Z",
      "status": "online",
      "status_checked_at": "2026-06-17T02:00:05.408Z",
      "response_time": 127,
      "last_error": null,
      "robots_txt_status": "success",
      "robots_txt_updated_at": "2025-07-24T06:49:26.215Z",
      "robots_txt_url": "https://github.com/robots.txt",
      "online": true,
      "can_crawl_api": true,
      "host_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub",
      "repositories_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories",
      "repository_names_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names",
      "owners_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"
    }
  },
  "created_at": "2024-01-13T12:53:44.152Z",
  "updated_at": "2026-06-17T22:00:22.733Z",
  "primary_language": null,
  "list_of_lists": false,
  "displayable": true,
  "categories": [
    "Why",
    "CodeQL [Packs](https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/publishing-and-using-codeql-packs)",
    "CodeQL Queries/Bundles",
    "CodeQL Query Suites",
    "CodeQL Troubleshooting",
    "CodeQL Actions Helpers",
    "CodeQL SARIF",
    "CodeQL Containers",
    "CodeQL Samples",
    "CodeQL Configuration Documentation",
    "CodeQL Query Writing Documentation",
    "CodeQL Query Writing",
    "CodeQL Getting Started and Guides (along side the [official docs](https://codeql.github.com/docs/))",
    "Getting Started",
    "CodeQL Installers",
    "CodeQL CLI Tooling",
    "CodeQL Customizations",
    "CodeQL Tooling (Bundles + Packs)",
    "CodeQL Monorepo Actions Samples",
    "CodeQL Enforcement",
    "CodeQL Extractors",
    "Customization \u0026 Query Development",
    "CodeQL Libraries",
    "CodeQL Extractor Helpers",
    "Tooling \u0026 Environment"
  ],
  "sub_categories": [
    "YouTube learning",
    "Documentation",
    "CodeQL Getting Started and Guides (along side the [official docs](https://codeql.github.com/docs/))",
    "Blogs",
    "CodeQL Extractors",
    "CodeQL AI \u0026 LLM Tooling",
    "CodeQL CLI Tooling",
    "Custom Modeling"
  ],
  "readme": "# Awesome Codeql [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)\n\n\u003e A curated list of CodeQL resources.\n\n## Contents\n\n- [Getting Started](#getting-started)\n- [Tooling \u0026 Environment](#tooling--environment)\n- [GitHub Actions \u0026 CI/CD](#github-actions--cicd)\n- [Customization \u0026 Query Development](#customization--query-development)\n- [Troubleshooting](#troubleshooting)\n- [Contributing](#contributing)\n\n---\n\n## Getting Started\n\nResources for learning CodeQL, from beginner guides to official documentation.\n\n\n### CodeQL Getting Started and Guides (along side the [official docs](https://codeql.github.com/docs/))\n\n- [skills/introduction-to-codeql](https://github.com/skills/introduction-to-codeql) - Interactive GitHub Skills course teaching how to enable code scanning, review alerts, and fix vulnerabilities using CodeQL\n- [skills/secure-code-game](https://github.com/skills/secure-code-game) - Hands-on security training game where you identify and fix vulnerabilities in real code across multiple programming languages\n- [CodeQL Learning Catalog](https://codeql-learning-catalog.github.com/) - The CodeQL Learning Catalog is a resource dedicated providing detailed CodeQL learning resources. The Catalog contains workshops, recordings, and learning paths for improving your knowledge and skill in using CodeQL.\n- [GitHub Security Lab](https://securitylab.github.com/get-involved/) - From trying out CodeQL to secure your own code to collecting bug bounties by securing others', here are a few ways we can keep the world's software safe, together.\n- [testing-handbook](https://github.com/trailofbits/testing-handbook) - The [Trail of Bits Testing Handbook](https://appsec.guide/docs/static-analysis/codeql/) is a resource that guides developers and security professionals in configuring, optimizing, and automating many of the static and dynamic analysis tools used at Trail of Bits.\n- [ReadMe Project - CodeQL Query Writing](https://github.com/readme/guides/custom-codeql-queries) - A beginner’s guide to running and managing custom CodeQL queries\n\n### Documentation\n\n- [How to write CodeQL Queries](https://codeql.github.com/docs/writing-codeql-queries)\n- [CodeQL Language Guide](https://codeql.github.com/docs/codeql-language-guides)\n- [QL Language reference](https://codeql.github.com/docs/ql-language-reference)\n- [CodeQL Standard Libraries](https://codeql.github.com/codeql-standard-libraries)\n- [CodeQL Query Help](https://codeql.github.com/codeql-query-help)\n- [Full CodeQL Documentation](https://codeql.github.com/docs/)\n- [CodeQL Custom Configuration File](https://gist.github.com/bthomas2622/e520926b88ebb93e79b30f7f32ed4849)\n\n\n### Blogs\n\n- [GitHub - CodeQL zero to hero series](https://github.blog/developer-skills/github/codeql-zero-to-hero-part-1-the-fundamentals-of-static-analysis-for-vulnerability-research/)\n- [GitHub - How GitHub uses CodeQL to secure GitHub](https://github.blog/engineering/how-github-uses-codeql-to-secure-github/)\n\n### YouTube learning\n\n- [Find bugs in your code with CodeQL](https://www.youtube.com/live/y_-pIbsr7jc?\u0026t=310)\n- [Finding security vulnerabilities in JavaScript with CodeQL](https://www.youtube.com/watch?v=pYzfGaLTqC0)\n- [Finding security vulnerabilities in Java with CodeQL](https://www.youtube.com/watch?v=nvCd0Ee4FgE)\n- [Finding security vulnerabilities in C/C++ with CodeQL](https://www.youtube.com/watch?v=eAjecQrfv3o\u0026t=98s)\n- [CodeQL as an Audit Oracle](https://www.youtube.com/watch?v=-bJ2Ioi7Icg\u0026t=8s)\n\n---\n\n## Tooling \u0026 Environment\n\nEverything you need to install, run, and view CodeQL results locally or in containers.\n\n### CodeQL Installers\n\n- [github/gh-codeql](https://github.com/github/gh-codeql) - `gh codeql` GitHub CLI Extension for CodeQL to help manage installation\n- [advanced-security/grab_ql](https://github.com/advanced-security/grab_ql) - Grab some/all of CodeQL CLI binary, QL library, VSCode starter workspace, VSCode and VSCode QL extension\n- [david-wiggs/codeql-anywhere](https://github.com/david-wiggs/codeql-anywhere) - Put the power of CodeQL in your pocket, take it with you to any CI 🚀\n- [GitHubSecurityLab/codeql-jupyter-kernel](https://github.com/GitHubSecurityLab/codeql-jupyter-kernel) - Jupyter Kernel for CodeQL\n- [Homebrew/homebrew-cask](https://github.com/Homebrew/homebrew-cask/blob/master/Casks/c/codeql.rb) - Homebrew cask to install the CodeQL CLI `brew install --cask codeql`\n\n### CodeQL CLI Tooling\n\n- [github/gh-codeql](https://github.com/github/gh-codeql) - GitHub CLI extension for working with CodeQL\n- [advanced-security/gh-codeql-scan](https://github.com/advanced-security/gh-codeql-scan) - GH CLI CodeQL Scan Extension\n- [GitHubSecurityLab/gh-mrva](https://github.com/GitHubSecurityLab/gh-mrva) - Multi-repo variant analysis CLI support\n- [trailofbits/mrva](https://github.com/trailofbits/mrva) - Terminal-first approach to CodeQL multi-repo variant analysis\n- [tweag/codeql-wrapper](https://github.com/tweag/codeql-wrapper) - Universal Python CLI wrapper for CodeQL analysis across monorepos and CI/CD platforms\n\n### CodeQL Containers\n\n- [advanced-security/codeql-docker](https://github.com/advanced-security/codeql-docker) - CodeQL Docker image\n- [microsoft/codeql-container](https://github.com/microsoft/codeql-container) - Prepackaged and precompiled github codeql container for rapid analysis, deployment and development.\n- [advanced-security/codeql_container_example](https://github.com/advanced-security/codeql_container_example) - Example showing CodeQL to scan containerized applications in GitHub Actions.\n- [Adding CodeQL to your (compiled) container build](https://some-natalie.dev/blog/codeql-container-builds/) - Blog walking through the complexities of implementing containerized CodeQL workloads sprinkled with bits of Kubernetes wisdom.\n\n### CodeQL SARIF\n\n- [Visual Studio SARIF Viewer](https://marketplace.visualstudio.com/items?itemName=WDGIS.MicrosoftSarifViewer) - Visual Studio Static Analysis Results Interchange Format (SARIF) log file viewer\n- [VSCode SARIF Viewer](https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer) - Adds support for viewing SARIF logs in Visual Studio Code\n- [IntelliJ SARIF Viewer](https://plugins.jetbrains.com/plugin/23159-sarif-viewer)\n- [SARIF Viewer Web Component](https://microsoft.github.io/sarif-web-component/)\n- [psastras/sarif-rs-sarif-fmt](https://github.com/psastras/sarif-rs/tree/main/sarif-fmt) - This crate provides a command line tool to pretty print SARIF files to easy human readable output.\n\n### CodeQL AI \u0026 LLM Tooling\n- [GitHubSecurityLab/seclab-taskflow-agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent) - The GitHub Security Lab Taskflow Agent is an MCP enabled multi-Agent framework. See the [CVE-2023-2283](https://github.com/GitHubSecurityLab/seclab-taskflow-agent/blob/main/examples/taskflows/CVE-2023-2283.yaml) taskflow for an example of how to have an Agent review C code using a CodeQL database ([demo video](https://www.youtube.com/watch?v=eRSPSVW8RMo)).\n  - [GitHubSecurityLab/seclab-taskflows](https://github.com/GitHubSecurityLab/seclab-taskflows) - Example taskflows to use with the GitHub Security Lab Taskflow Agent Framework. Intended to be an easy-to-copy template for anybody who would like to publish their own suite of taskflows. \n- [github/codeql-development-mcp-server](https://github.com/github/codeql-development-mcp-server) - GitHub CodeQL Development MCP Server supporting LLM requests for CodeQL development tools and resources.\n- [advanced-security/codeql-development-template](https://github.com/advanced-security/codeql-development-template) - Copilot-native repository template for CodeQL query development. Lowering the barrier to entry for CodeQL development through natural language and GitHub Copilot. A GitHub repository template for building custom CodeQL queries with AI assistance. This template provides a structured environment with prompts, instructions, and workflows designed to guide GitHub Copilot Coding Agent through the complete CodeQL development lifecycle.\n- [JordyZomer/codeql-mcp](https://github.com/JordyZomer/codeql-mcp) - This project runs a Model Context Protocol (MCP) server that wraps the CodeQL query server. It enables tools like Cursor or AI agents to interact with CodeQL through structured commands and doc search.\n\n---\n\n## GitHub Actions \u0026 CI/CD\n\nTools, actions, and examples for integrating CodeQL into your automation pipelines.\n\n- [advanced-security/sample-pipeline-files](https://github.com/advanced-security/sample-codeql-pipeline-config) - This repository contains pipeline files for various CI/CD systems (AWS CodeBuild, Azure Devops, CircleCI, DroneCI, Jenkins, Tekton, Travis), illustrating how to integrate the CodeQL CLI Bundle for Automated Code Scanning\n\n### CodeQL GitHub Actions Helpers\n\n- [advanced-security/set-codeql-language-matrix](https://github.com/advanced-security/set-codeql-language-matrix) - Automatically set the CodeQL matrix job using the languages in your repository.\n- [advanced-security/filter-sarif](https://github.com/advanced-security/filter-sarif) - GitHub Action for filtering Code Scanning alerts by path and id\n- [advanced-security/sarif-toolkit](https://github.com/advanced-security/sarif-toolkit/blob/main/submodules/) - Allows users to split up SARIF files that use submodules into multiple SARIF files that are then published to there appropriate repositories.\n- [zbazztian/codeql-debug](https://github.com/zbazztian/codeql-debug) - Add this action to an existing CodeQL analysis workflow to generate an html report\n- [advanced-security/dismiss-alerts](https://github.com/advanced-security/dismiss-alerts) - Dismisses GitHub Code Scanning alerts from `//codeql[supress reason]` style comments on the default branch\n- [advanced-security/adjust-cvss](https://github.com/advanced-security/adjust-cvss) - Adjust the severity of the CVSS score assigned to a result in SARIF file\n- [advanced-security/codeql-sarif-security-standard-annotator](https://github.com/advanced-security/codeql-sarif-security-standard-annotator) - Add an `owasp-top10-2021` tag to relevant results\n- [advanced-security/delombok](https://github.com/advanced-security/delombok) - Delombok Java Code for analysis with Code Scanning (deprecated - now [supported by CodeQL](https://github.blog/changelog/2023-09-01-code-scanning-with-codeql-improves-support-for-java-codebases-that-use-project-lombok/))\n- [badge-generator](https://github.com/MichaelCurrin/badge-generator) - [![CodeQL](https://github.com/MichaelCurrin/badge-generator/workflows/CodeQL/badge.svg)](https://github.com/MichaelCurrin/badge-generator/actions?query=workflow%3ACodeQL \"Code quality workflow status\") Magically generate Markdown badges for your docs 🛡️ 🦡 🧙\n- [advanced-security/monorepo-code-scanning-action](https://github.com/advanced-security/monorepo-code-scanning-action) - Focus SAST scans (with CodeQL) on just the changed parts of your monorepo, split up as you define\n- [advanced-security/codeql-extractor-action](https://github.com/advanced-security/codeql-extractor-action) - An Action that allows you to specify a CodeQL extractor to be used in your workflows as an author of an Extractor.\n\n### CodeQL Monorepo Actions Samples\n\n- [dassencio/parallel-code-scanning](https://github.com/dassencio/parallel-code-scanning) - An example of a GitHub Actions workflow showing how code scanning with CodeQL can be parallelized on monorepos.\n- [thedave42/multi-lang-monorepo](https://github.com/thedave42/multi-lang-monorepo) - A repo that demonstrates using an Actions workflow Job matrix to run parallel CodeQL scans on applications in a monorepo.\n- [advanced-security/sample-javascript-monorepo](https://github.com/advanced-security/sample-javascript-monorepo) - Detached fork of babel/babel to use as a TypeScript monorepo sample with 150+ packages using the [monorepo-code-scanning-action](https://github.com/advanced-security/monorepo-code-scanning-action)\n\n### CodeQL Enforcement\n\n- [advanced-security-enforcer](https://github.com/zkoppert/advanced-security-enforcer) - A GitHub action for organizations that enables advanced security code scanning on all new repos\n- [codeql-selective-analysis](https://github.com/octodemo/codeql-selective-analysis) - Make CodeQL a required status check for Pull Requests, but to skip the analysis in the case that only a certain subset of files are modified\n\n\n\n\n---\n\n## Customization \u0026 Query Development\n\nResources for extending CodeQL, creating packs, and using custom queries.\n\n### CodeQL [Packs](https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/publishing-and-using-codeql-packs)\n\n- [GitHub-maintained packages](https://github.com/orgs/codeql/packages)\n- [GitHubSecurityLab/CodeQL-Community-Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs) - Collection of community-driven CodeQL query, library and extension [packages](https://github.com/orgs/githubsecuritylab/packages). Blog: [Announcing CodeQL Community Packs](https://github.blog/security/vulnerability-research/announcing-codeql-community-packs/)\n- [trailofbits/codeql-queries](https://github.com/trailofbits/codeql-queries) - CodeQL queries and [packs](https://github.com/orgs/trailofbits/packages?ecosystem=all\u0026q=repo%3Atrailofbits%2Fcodeql-queries) developed by Trail of Bits\n- [github/codeql-coding-standards](https://github.com/github/codeql-coding-standards) - This repository contains CodeQL queries and libraries which support various Coding Standards. (AUTOSAR C++, CERT-C++,CERT C, MISRA C)\n- [green-code-initiative/green-codeql-queries](Green-codeql-queries) - This repository contains CodeQL queries to help build sustenable code. \n\n### CodeQL Tooling (Bundles + Packs)\n\n- [advanced-security/codeql-bundle-action](https://github.com/advanced-security/codeql-bundle-action) - Action to retrofit a CodeQL bundle with additional queries, libraries, and customizations\n- [rvermeulen/codeql-bundle](https://github.com/rvermeulen/codeql-bundle) - CLI to build a custom CodeQL bundle\n- [zbazztian/gh-tailor](https://github.com/zbazztian/gh-tailor) - A tool for customizing CodeQL packs.\n\n### CodeQL Libraries \u0026 Utilities\n- [advanced-security/codeql-qtil](https://github.com/advanced-security/codeql-qtil) - A library with a wide variety of handy CodeQL utilities, from simple to complex.\n\n### Custom Modeling\n- [advanced-security/codeql-summarize](https://github.com/advanced-security/codeql-summarize) - CodeQL Summary Generator to generate Models as Data (MaD) from CodeQL databases.\n- [GitHubSecurityLab/CodeQL-Community-Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/blob/main/configs/default.yml#L19-L25) - GitHub Security Lab model packs\n- [octodemo/vulnerable-pickle-app](https://github.com/octodemo/vulnerable-pickle-app/blob/main/custom-queries/python/dangerous-functions.ql) - Ex: Python Pickle - mapping a custom framework in python\n\n### CodeQL Queries/Bundles\n\n- [Microsoft solorigate queries](https://www.microsoft.com/en-us/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/)\n- [advanced-security/codeql-coding-standards-bundle-releases](https://github.com/advanced-security/codeql-coding-standards-bundle-releases) - CodeQL bundles containing the CodeQL Coding Standards queries\n\n\n\n### CodeQL Query Suites\n\n- [zbazztian/only-critical-queries](https://github.com/zbazztian/only-critical-queries/blob/main/.github/critical-alternative.qls) - Only Critical Queries sample .qls\n- [securingdev/codeql-query-suites](https://github.com/securingdev/codeql-query-suites/blob/main/.github/configurations/owasp-top-10.qls) - OWASP Top 10 CWE Only .qls\n- [codeql/actions](https://github.com/github/codeql/actions/workflows/query-list.yml?query=branch%3Acodeql-cli%2Flatest) - GitHub full built-in CodeQL query list - download the attached `code-scanning-query-list.csv` artifact. \n\n\n### CodeQL Extractors\n\n- [advanced-security/codeql-extractor-iac](https://github.com/advanced-security/codeql-extractor-iac) - CodeQL Extractors, Library, and Queries for Infrastructure as Code ( Terraform / HCL, JSON, YAML, Container files, Bicep )\n- [codeql-extractor-bicep](https://github.com/GitHubSecurityLab/codeql-extractor-bicep) - CodeQL Extractor for Bicep Configurations\n- [codeql-kaleidoscope](https://github.com/aibaars/codeql-kaleidoscope/) - CodeQL for LLVM Kaleidoscope ([AST/CFG/SSA/Dataflow in separate commits](https://github.com/aibaars/codeql-kaleidoscope/commits/main/)) \n- [microsoft/codeql](https://github.com/microsoft/codeql/blob/main/powershell/README.md) - Microsoft CodeQL Powershell extractor, sample queries, and tools\n- [CoinFabrik/CyScout](https://github.com/CoinFabrik/CyScout/tree/main/solidity/codeql) - CyScout Solidity Extractor: Run queries and detect vulnerabilities in your smart contracts using CodeQL-Solidity\n- [krisds/cobol-codeql](https://github.com/krisds/cobol-codeql) - Archive of CodeQL support for COBOL (This is a one-off release of code for supporting analysis of COBOL programs using QL. The release of this code does not imply any intention to support it in the future.)\n- [advanced-security/codeql-extractor-action](https://github.com/advanced-security/codeql-extractor-action) - specify a CodeQL extractor to be used in your workflows as an author of an Extractor.\n- [advanced-security/codeql-sap-js](https://github.com/advanced-security/codeql-sap-js) - CodeQL extractor/queries/models for SAP JavaScript frameworks CAP, UI5 and XSJS\n\n## Troubleshooting\n\n- [advanced-security/advanced-security-material](https://github.com/advanced-security/advanced-security-material/tree/main/troubleshooting/codeql-builds) - CodeQL Build Failure Troubleshooting\n- [advanced-security/advanced-security-material](https://github.com/advanced-security/advanced-security-material/blob/main/troubleshooting/sarif-upload/troubleshooting.md) - GitHub SARIF Upload Troubleshooting\n- [github/codeql-coding-standards](https://github.com/github/codeql-coding-standards/blob/main/docs/user_manual.md#hazard-and-risk-analysis) - CodeQL Coding Standards - Hazard and risk analysis\n\n\n## Contribute\n\nContributions welcome! Read the [contribution guidelines](CONTRIBUTING.md) first.\n\n## Why\n\n[What is an awesome list?](https://github.com/sindresorhus/awesome/blob/main/awesome.md)\n",
  "projects_url": "https://awesome.ecosyste.ms/api/v1/lists/advanced-security%2Fawesome-codeql/projects"
}