awesome-codeql
A curated list of awesome CodeQL resources.
https://github.com/advanced-security/awesome-codeql

Why
CodeQL [Packs](https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/publishing-and-using-codeql-packs)
- GitHub-maintained packages
- GitHub Security Lab community - Collection of community-driven CodeQL query, library and extension [packages](https://github.com/orgs/githubsecuritylab/packages). Blog: [Announcing CodeQL Community Packs](https://github.blog/security/vulnerability-research/announcing-codeql-community-packs/)
- codeql-queries - CodeQL queries and [packs](https://github.com/orgs/trailofbits/packages?ecosystem=all&q=repo%3Atrailofbits%2Fcodeql-queries) developed by Trail of Bits
- GitHub codeql-coding-standards - CodeQL queries and libraries which support various coding standards (AUTOSAR C++, CERT-C++, CERT C, MISRA C)

CodeQL Queries/Bundles
- Microsoft solorigate queries
- GitHub codeql-coding-standards-bundle-releases - CodeQL bundles containing the CodeQL Coding Standards queries

CodeQL Query Suites
- Only Critical Queries sample .qls
- OWASP Top 10 CWE Only .qls
- CodeQL per Suite Query list - download the attached `code-scanning-query-list.csv` artifact.

CodeQL Troubleshooting

CodeQL Actions Helpers
- sarif-toolkit - Allows users to split up SARIF files that use submodules into multiple SARIF files that are then published to their appropriate repositories.
- badge-generator - Magically generate Markdown badges for your docs 🛡️ 🦡 🧙
- set-codeql-language-matrix - Automatically set the CodeQL matrix job using the languages in your repository.
- filter-sarif - GitHub Action for filtering Code Scanning alerts by path and id
- codeql-debug - Add this action to an existing CodeQL analysis workflow to generate an html report
- dismiss-alerts - Dismisses GitHub Code Scanning alerts from `//codeql[supress reason]` style comments on the default branch
- adjust-cvss - Adjust the severity of the CVSS score assigned to a result in SARIF file
- codeql-sarif-security-standard-annotator - Add an `owasp-top10-2021` tag to relevant results
- delombok - Delombok Java Code for analysis with Code Scanning (deprecated - now [supported by CodeQL](https://github.blog/changelog/2023-09-01-code-scanning-with-codeql-improves-support-for-java-codebases-that-use-project-lombok/))
- monorepo-code-scanning-action - Focus SAST scans (with CodeQL) on just the changed parts of your monorepo, split up as you define

CodeQL SARIF
- Visual Studio SARIF Viewer - Visual Studio Static Analysis Results Interchange Format (SARIF) log file viewer
- VSCode SARIF Viewer - Adds support for viewing SARIF logs in Visual Studio Code
- IntelliJ SARIF Viewer
- psastras/sarif-rs-sarif-fmt - This crate provides a command-line tool to pretty-print SARIF files as easily human-readable output.
- SARIF Viewer Web Component

CodeQL Containers
- codeql_container_example - Example showing how to use CodeQL to scan containerized applications in GitHub Actions.
- codeql-container-builds - Blog walking through the complexities of implementing containerized CodeQL workloads sprinkled with bits of Kubernetes wisdom.
- codeql-docker - CodeQL Docker image
- codeql-container - Prepackaged and precompiled GitHub CodeQL container for rapid analysis, deployment and development.

CodeQL Samples
- Python Pickle - Mapping a custom framework in Python
- sample-pipeline-files - Pipeline files for various CI/CD systems (AWS CodeBuild, Azure DevOps, CircleCI, DroneCI, Jenkins, Tekton, Travis), illustrating how to integrate the CodeQL CLI Bundle for automated code scanning

CodeQL Configuration Documentation

CodeQL Query Writing Documentation

CodeQL Query Writing

Documentation

Blogs

YouTube learning
- Find bugs in your code with CodeQL
- Finding security vulnerabilities in JavaScript with CodeQL
- Finding security vulnerabilities in Java with CodeQL
- Finding security vulnerabilities in C/C++ with CodeQL
- CodeQL as an Audit Oracle
- ReadMe Project - A beginner’s guide to running and managing custom CodeQL queries

CodeQL Getting Started and Guides (alongside the [official docs](https://codeql.github.com/docs/))
- GitHub Security Lab - From trying out CodeQL to secure your own code to collecting bug bounties by securing others', here are a few ways we can keep the world's software safe, together.
- testing-handbook - The [Trail of Bits Testing Handbook](https://appsec.guide/docs/static-analysis/codeql/) is a resource that guides developers and security professionals in configuring, optimizing, and automating many of the static and dynamic analysis tools used at Trail of Bits.
- CodeQL Learning Catalog - The CodeQL Learning Catalog is a resource dedicated to providing detailed CodeQL learning resources. The Catalog contains workshops, recordings, and learning paths for improving your knowledge and skill in using CodeQL.

CodeQL Installers
- grab_ql - Grab some/all of CodeQL CLI binary, QL library, VSCode starter workspace, VSCode and VSCode QL extension
- codeql-anywhere - Put the power of CodeQL in your pocket, take it with you to any CI 🚀
- codeql-jupyter-kernel - Jupyter Kernel for CodeQL
- homebrew-cask - Homebrew cask to install the CodeQL CLI `brew install --cask codeql`

CodeQL CLI Tooling
- gh-codeql - GitHub CLI extension for working with CodeQL
- gh-codeql-scan - GH CLI CodeQL Scan Extension
- gh-mrva - Multi-repo variant analysis CLI support

CodeQL Customizations
- codeql-summarize - CodeQL Summary Generator to generate Models as Data (MaD) from CodeQL databases.

CodeQL Tooling (Bundles + Packs)
- codeql-bundle-action - Action to retrofit a CodeQL bundle with additional queries, libraries, and customizations
- gh-tailor - A tool for customizing CodeQL packs.

CodeQL Monorepo Actions Samples
- parallel-code-scanning - An example of a GitHub Actions workflow showing how code scanning with CodeQL can be parallelized on monorepos.
- multi-lang-monorepo - A repo that demonstrates using an Actions workflow Job matrix to run parallel CodeQL scans on applications in a monorepo.
- sample-javascript-monorepo - Detached fork of babel/babel to use as a TypeScript monorepo sample with 150+ packages using the [monorepo-code-scanning-action](https://github.com/advanced-security/monorepo-code-scanning-action)

CodeQL Enforcement
- advanced-security-enforcer - A GitHub action for organizations that enables advanced security code scanning on all new repos
- codeql-selective-analysis - Make CodeQL a required status check for pull requests, but skip the analysis when only a certain subset of files is modified

CodeQL Extractors
- codeql-extractor-iac - CodeQL extractors, library, and queries for Infrastructure as Code (Terraform / HCL, JSON, YAML, container files, Bicep)
- codeql-kaleidoscope - CodeQL for LLVM Kaleidoscope ([AST/CFG/SSA/Dataflow in separate commits](https://github.com/aibaars/codeql-kaleidoscope/commits/main/))
- Powershell Extractor - CodeQL extractor, sample queries, and tools for Powershell
- CyScout Solidity Extractor - Run queries and detect vulnerabilities in your smart contracts using CodeQL-Solidity
- cobol-codeql - Archive of CodeQL support for COBOL (This is a one-off release of code for supporting analysis of COBOL programs using QL. The release of this code does not imply any intention to support it in the future.)
- codeql-extractor-bicep - CodeQL Extractor for Bicep Configurations

Customization & Query Development

CodeQL Extractors
- advanced-security/codeql-sap-js - CodeQL extractor/queries/models for SAP JavaScript frameworks CAP, UI5 and XSJS

Custom Modeling

CodeQL Libraries
- codeql-qtil - A library with a wide variety of handy CodeQL utilities, from simple to complex.

CodeQL Extractor Helpers
- codeql-extractor-action - Specify a CodeQL extractor to be used in your workflows, as the author of an extractor.

Tooling & Environment

CodeQL AI & LLM Tooling
- codeql-mcp - This project runs a Model Context Protocol (MCP) server that wraps the CodeQL query server. It enables tools like Cursor or AI agents to interact with CodeQL through structured commands and doc search.
- GitHub Seclab Taskflow Agent - The framework includes a [CodeQL](https://codeql.github.com/) MCP server that can be used for agentic code review; see the [CVE-2023-2283](https://github.com/GitHubSecurityLab/seclab-taskflow-agent/blob/main/examples/taskflows/CVE-2023-2283.yaml) taskflow for an example of how to have an agent review C code using a CodeQL database ([demo video](https://www.youtube.com/watch?v=eRSPSVW8RMo)).
- codeql-development-template - Copilot-native GitHub repository template for building custom CodeQL queries with AI assistance. It provides a structured environment with prompts, instructions, and workflows designed to guide the GitHub Copilot Coding Agent through the complete CodeQL development lifecycle, lowering the barrier to entry for CodeQL development through natural language.
- GitHub CodeQL Development MCP Server - An MCP server supporting LLM requests for CodeQL development tools and resources.
- GitHubSecurityLab/seclab-taskflows - Example taskflows to use with the GitHub Security Lab Taskflow Agent Framework. Intended to be an easy-to-copy template for anybody who would like to publish their own suite of taskflows.

CodeQL CLI Tooling
- mrva - Terminal-first approach to CodeQL multi-repo variant analysis
- tweag/codeql-wrapper - Universal Python CLI wrapper for CodeQL analysis across monorepos and CI/CD platforms