{"id":13809720,"url":"https://github.com/advanced-security/codeql-bundle-action","last_synced_at":"2026-03-10T11:31:46.749Z","repository":{"id":64809807,"uuid":"470210348","full_name":"advanced-security/codeql-bundle-action","owner":"advanced-security","description":"Action to retrofit a CodeQL bundle with additional queries, libraries, and customizations","archived":false,"fork":false,"pushed_at":"2024-05-08T18:00:54.000Z","size":14709,"stargazers_count":27,"open_issues_count":0,"forks_count":6,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-11-16T08:13:07.856Z","etag":null,"topics":["code-scanning","codeql","security"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/advanced-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-03-15T15:02:14.000Z","updated_at":"2025-08-25T09:11:27.000Z","dependencies_parsed_at":"2025-04-28T17:49:29.012Z","dependency_job_id":null,"html_url":"https://github.com/advanced-security/codeql-bundle-action","commit_stats":{"total_commits":41,"total_committers":2,"mean_commits":20.5,"dds":"0.024390243902439046","last_synced_commit":"14f923fa9992a61a07a2734132ffac287f791086"},"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/advanced-security/codeql-bundle-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fcodeql-bundle-action","tags_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/repositories/advanced-security%2Fcodeql-bundle-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fcodeql-bundle-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fcodeql-bundle-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/advanced-security","download_url":"https://codeload.github.com/advanced-security/codeql-bundle-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fcodeql-bundle-action/sbom","scorecard":{"id":168399,"data":{"date":"2025-08-11","repo":{"name":"github.com/advanced-security/codeql-bundle-action","commit":"a092acafe9d9b867f7ff4f35d48ae98ecbd84cb7"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.2,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Code-Review","score":0,"reason":"Found 0/26 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous 
patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/test-create-bundle.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":3,"reason":"dependency not pinned by hash detected -- score normalized to 3","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/test-create-bundle.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/advanced-security/codeql-bundle-action/test-create-bundle.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-create-bundle.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/advanced-security/codeql-bundle-action/test-create-bundle.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: 
.github/workflows/test-create-bundle.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/advanced-security/codeql-bundle-action/test-create-bundle.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-create-bundle.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/advanced-security/codeql-bundle-action/test-create-bundle.yml/main?enable=pin","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   2 third-party GitHubAction dependencies pinned","Info:   1 out of   1 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities 
detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/advanced-security/.github/SECURITY.md:1","Info: Found linked content: github.com/advanced-security/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/advanced-security/.github/SECURITY.md:1","Info: Found text in security policy: github.com/advanced-security/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 6 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-16T15:38:36.912Z","repository_id":64809807,"created_at":"2025-08-16T15:38:36.912Z","updated_at":"2025-08-16T15:38:36.912Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30332282,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-10T05:25:20.737Z","status":"ssl_error","status_checked_at":"2026-03-10T05:25:17.430Z","response_time":106,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["code-scanning","codeql","security"],"created_at":"2024-08-04T02:00:34.921Z","updated_at":"2026-03-10T11:31:46.713Z","avatar_url":"https://github.com/advanced-security.png","language":"Shell","readme":"# CodeQL bundle action\n\nThis action retrofits an existing [CodeQL bundle](https://github.com/github/codeql-action/releases) with additional [CodeQL packs](https://codeql.github.com/docs/codeql-cli/creating-and-working-with-codeql-packs/) using the [CodeQL bundle CLI](https://github.com/rvermeulen/codeql-bundle)\nThe bundle will be a single deployable artifact containing the CodeQL standard library, the CodeQL standard queries, and any other libraries or queries that are relevant.\nAdditionally, the CodeQL standard library and standard queries can be customized to consider additional sources, sinks, data-flow/taint steps, sanitizers and 
barriers.\n\nA custom CodeQL bundle has the following benefits:\n\n- A single artifact containing the standard queries and other queries of interest.\n- A compilation cache for all the included queries, resulting in a faster analysis.\n- All the included queries can benefit from customizations that improve the coverage of the analysis.\n\n## Usage\n\nThe following Action workflow is a minimal example showing how to use this action to create a bundle containing the CodeQL packs listed in `packs` and how to upload it as an artifact.\n\n```yaml\nname: \"Build custom bundle\"\non:\n  push:\n    branches:\n      - main\n  pull_request:\n    branches:\n      - main\n  workflow_dispatch:\n\njobs:\n  test:\n    name: \"Create custom bundle\"\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v3\n      - uses: advanced-security/codeql-bundle-action/download-bundle@v2\n        id: download-bundle\n        with:\n          tag: \"latest\"\n      - uses: advanced-security/codeql-bundle-action/create-bundle@v2\n        id: create-bundle\n        with:\n          bundle-path: ${{ steps.download-bundle.outputs.bundle-path }}\n          packs: \"octo/cpp-queries,octo/cpp-all,octo/cpp-customizations\"\n      - uses: actions/upload-artifact@v3\n        with:\n          name: codeql-bundle.tar.gz\n          path: ${{ steps.create-bundle.outputs.output-path }}\n```\n\nThe following Action workflow excerpt shows how a custom bundle can be used in a CodeQL analysis workflow.\nIt assumes the custom bundle is available as a release, but any other location works as long as it is made\navailable before the `github/codeql-action/init` step and its path is passed to the `tools` input.\n\n```yaml\n      - name: Download benchmark bundle\n        env:\n          GH_TOKEN: ${{ github.token }}\n        run: |\n          gh release download -R octo-org/codeql-bundle --pattern 'codeql-bundle.tar.gz'\n\n      - name: CodeQL Initialize\n        uses: github/codeql-action/init@v2\n        with:\n          tools: codeql-bundle.tar.gz\n```\n\n## Locating your CodeQL packs\n\nThe action relies on a CodeQL Workspace to resolve the location of the specified CodeQL packs.\nA CodeQL Workspace can be defined using a `codeql-workspace.yml` file that should contain a key `provide` with an array of locations of your CodeQL packs (i.e., the locations of the `qlpack.yml` files).\n\nFor an example you can consult the test [CodeQL Workspace](tests/codeql-workspace.yml).\n\nBy default the action looks for the CodeQL Workspace at the root of the repository. If the CodeQL Workspace specification is located in a subfolder, you can use the `workspace` input to specify its location.\n\n## Customizations\n\nThe CodeQL standard library can be customized by adding implementations of available extension points to a special CodeQL library called `Customizations.qll` that is available for most of the languages (it is not available for C++).\nThis action uses that mechanism to inject customizations defined in a so-called CodeQL customization pack.\n\nA CodeQL customization pack is a concept that doesn't exist outside this action and consists of a CodeQL library pack with extra metadata and structure.\nTo create a CodeQL customization pack, follow these steps:\n\n1. Initialize a new qlpack using the CodeQL CLI as follows (we use Java as an example target): `codeql pack init octo/java-customizations`\n2. Change the value of `library` to `true` in the generated file `java-customizations/qlpack.yml`\n3. Create the CodeQL module `java-customizations/octo/java_customizations/Customizations.qll` **Note: the directory structure contains the scope and name, where the characters `-` are substituted with `_`!**\n4. Add the Java standard library as a dependency for development of the customizations using the CodeQL CLI as follows: `codeql pack add --dir=java-customizations codeql/java-all` **Note: ensure the version is compatible with the CodeQL bundle being targeted!**\n\nYou can now add your customizations directly in `Customizations.qll` or in other modules that are imported by `Customizations.qll`.\n\n## Creating platform-specific bundles\n\nBy default the `download-action` uses the platform-agnostic CodeQL bundle that supports all the platforms supported by the CodeQL CLI.\nTo reduce the size of the final artifact you can use a platform-specific bundle by specifying the `platforms` input with one of `osx64`, `linux64`, or `win64`.\nNote that the runner **MUST** be compatible with the platform!\n\nThe `create-bundle` action is capable of building platform-specific CodeQL bundles from the platform-agnostic bundle.\nIt will build a bundle for each of the platforms provided in the `platforms` input.\n\nThis combination provides the flexibility to build bundles for platforms that are not supported by the Action runner.\nFor example, the following workflow creates separate bundles for each platform.\n\n```yaml\nname: \"Build custom bundle\"\non:\n  push:\n    branches:\n      - main\n  pull_request:\n    branches:\n      - main\n  workflow_dispatch:\n\njobs:\n  test:\n    name: \"Create custom bundle\"\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v3\n      - uses: advanced-security/codeql-bundle-action/download-bundle@v2\n        id: download-bundle\n        with:\n          tag: \"latest\"\n      - uses: advanced-security/codeql-bundle-action/create-bundle@v2\n        id: create-bundle\n        with:\n          bundle-path: ${{ steps.download-bundle.outputs.bundle-path }}\n          packs: \"octo/cpp-queries,octo/cpp-all,octo/cpp-customizations\"\n          platforms: osx64,win64,linux64\n      - uses: actions/upload-artifact@v3\n        with:\n          name: codeql-bundles\n          path: ${{ steps.create-bundle.outputs.output-path }}\n```\n\nWhen providing multiple platforms the `output-path` output is a directory containing the bundles, each named according to the pattern `codeql-bundle-$PLATFORM.tar.gz`.\n\n## Limitations\n\nThis Action uses the [CodeQL bundle CLI](https://github.com/rvermeulen/codeql-bundle) and inherits its limitations.\n","funding_links":[],"categories":["CodeQL Tooling (Bundles + Packs)"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadvanced-security%2Fcodeql-bundle-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadvanced-security%2Fcodeql-bundle-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadvanced-security%2Fcodeql-bundle-action/lists"}