awesome-codeql
A curated list of awesome CodeQL resources.
https://github.com/advanced-security/awesome-codeql
Last synced: 3 days ago
JSON representation
-
CodeQL Getting Started and Guides (along side the [official docs](https://codeql.github.com/docs/))
- CodeQL Learning Catalog - The CodeQL Learning Catalog is a resource dedicated providing detailed CodeQL learning resources. The Catalog contains workshops, recordings, and learning paths for improving your knowledge and skill in using CodeQL.
- testing-handbook - The [Trail of Bits Testing Handbook](https://appsec.guide/docs/static-analysis/codeql/) is a resource that guides developers and security professionals in configuring, optimizing, and automating many of the static and dynamic analysis tools used at Trail of Bits.
- CodeQL Learning Catalog - The CodeQL Learning Catalog is a resource dedicated providing detailed CodeQL learning resources. The Catalog contains workshops, recordings, and learning paths for improving your knowledge and skill in using CodeQL.
- GitHub Security Lab - From trying out CodeQL to secure your own code to collecting bug bounties by securing others', here are a few ways we can keep the world's software safe, together.
- CodeQL Learning Catalog - The CodeQL Learning Catalog is a resource dedicated providing detailed CodeQL learning resources. The Catalog contains workshops, recordings, and learning paths for improving your knowledge and skill in using CodeQL.
- CodeQL Learning Catalog - The CodeQL Learning Catalog is a resource dedicated providing detailed CodeQL learning resources. The Catalog contains workshops, recordings, and learning paths for improving your knowledge and skill in using CodeQL.
- CodeQL Learning Catalog - The CodeQL Learning Catalog is a resource dedicated providing detailed CodeQL learning resources. The Catalog contains workshops, recordings, and learning paths for improving your knowledge and skill in using CodeQL.
- CodeQL Learning Catalog - The CodeQL Learning Catalog is a resource dedicated providing detailed CodeQL learning resources. The Catalog contains workshops, recordings, and learning paths for improving your knowledge and skill in using CodeQL.
- CodeQL Learning Catalog - The CodeQL Learning Catalog is a resource dedicated providing detailed CodeQL learning resources. The Catalog contains workshops, recordings, and learning paths for improving your knowledge and skill in using CodeQL.
-
CodeQL [Packs](https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/publishing-and-using-codeql-packs)
- GitHub-maintained packages
- codeql-queries - CodeQL queries and [packs](https://github.com/orgs/trailofbits/packages?ecosystem=all&q=repo%3Atrailofbits%2Fcodeql-queries) developed by Trail of Bits
- GitHub codeql-coding-standards - This repository contains CodeQL queries and libraries which support various Coding Standards. (AUTOSAR C++, CERT-C++,CERT C, MISRA C)
- GitHub Security Lab community - Collection of community-driven CodeQL query, library and extension [packages](https://github.com/orgs/githubsecuritylab/packages). Blog: [Announcing CodeQL Community Packs](https://github.blog/security/vulnerability-research/announcing-codeql-community-packs/)
-
CodeQL Queries/Bundles
- Microsoft solorigate queries
- GitHub codeql-coding-standards-bundle-releases - CodeQL bundles containing the CodeQL Coding Standards queries
-
CodeQL Query Suites
- Only Critical Queries sample .qls
- OWASP Top 10 CWE Only .qls
- CodeQL per Suite Query list - download the attached `code-scanning-query-list.csv` artifact.
-
CodeQL Troubleshooting
-
CodeQL Actions Helpers
- sarif-toolkit - Allows users to split up SARIF files that use submodules into multiple SARIF files that are then published to there appropriate repositories.
- set-codeql-language-matrix - Automatically set the CodeQL matrix job using the languages in your repository.
- filter-sarif - GitHub Action for filtering Code Scanning alerts by path and id
- codeql-debug - Add this action to an existing CodeQL analysis workflow to generate an html report
- dismiss-alerts - Dismisses GitHub Code Scanning alerts from `//codeql[supress reason]` style comments on the default branch
- adjust-cvss - Adjust the severity of the CVSS score assigned to a result in SARIF file
- codeql-sarif-security-standard-annotator - Add an `owasp-top10-2021` tag to relevant results
- delombok - Delombok Java Code for analysis with Code Scanning (deprecated - now [supported by CodeQL](https://github.blog/changelog/2023-09-01-code-scanning-with-codeql-improves-support-for-java-codebases-that-use-project-lombok/))
- badge-generator - [](https://github.com/MichaelCurrin/badge-generator/actions?query=workflow%3ACodeQL "Code quality workflow status") Magically generate Markdown badges for your docs 🛡️ 🦡 🧙
- monorepo-code-scanning-action - Focus SAST scans (with CodeQL) on just the changed parts of your monorepo, split up as you define
- sarif-toolkit - Allows users to split up SARIF files that use submodules into multiple SARIF files that are then published to there appropriate repositories.
-
CodeQL SARIF
- Visual Studio SARIF Viewer - Visual Studio Static Analysis Results Interchange Format (SARIF) log file viewer
- VSCode SARIF Viewer - Adds support for viewing SARIF logs in Visual Studio Code
- IntelliJ SARIF Viewer
- psastras/sarif-rs-sarif-fmt - This crate provides a command line tool to pretty print SARIF files to easy human readable output.
- SARIF Viewer Web Component
-
CodeQL Query Writing
-
Documentation
-
Blogs
-
YouTube learning
- Find bugs in your code with CodeQL
- Finding security vulnerabilities in JavaScript with CodeQL
- Finding security vulnerabilities in Java with CodeQL
- Finding security vulnerabilities in C/C++ with CodeQL
- CodeQL as an Audit Oracle
- Finding security vulnerabilities in C/C++ with CodeQL
- CodeQL as an Audit Oracle
- Find bugs in your code with CodeQL
- Find bugs in your code with CodeQL
-
- ReadMe Project - A beginner’s guide to running and managing custom CodeQL queries
-
-
CodeQL Containers
- codeql_container_example - Example showing CodeQL to scan containerized applications in GitHub Actions.
- codeql-docker - CodeQL Docker image
- codeql-container - Prepackaged and precompiled github codeql container for rapid analysis, deployment and development.
- codeql-container-builds - Blog walking through the complexities of implementing containerized CodeQL workloads sprinkled with bits of Kubernetes wisdom.
- codeql-docker - CodeQL Docker image
-
CodeQL Samples
- Python Pickle - mapping a custom framework in python
- sample-pipeline-files - This repository contains pipeline files for various CI/CD systems (AWS CodeBuild, Azure Devops, CircleCI, DroneCI, Jenkins, Tekton, Travis), illustrating how to integrate the CodeQL CLI Bundle for Automated Code Scanning
-
CodeQL Configuration Documentation
-
CodeQL Query Writing Documentation
-
Why
-
YouTube learning
-
-
CodeQL Installers
- grab_ql - Grab some/all of CodeQL CLI binary, QL library, VSCode starter workspace, VSCode and VSCode QL extension
- codeql-jupyter-kernel - Jupyter Kernel for CodeQL
- codeql-anywhere - Put the power of CodeQL in your pocket, take it with you to any CI 🚀
- homebrew-cask - Homebrew cask to install the CodeQL CLI `brew install --cask codeql`
-
CodeQL CLI Tooling
- gh-codeql-scan - GH CLI CodeQL Scan Extension
- gh-mrva - Multi-repo variant analysis CLI support
- gh-mrva - Multi-repo variant analysis CLI support
- gh-codeql - GitHub CLI extension for working with CodeQL
-
CodeQL Customizations
- codeql-summarize - CodeQL Summary Generator to generate Models as Data (MaD) from CodeQL databases.
-
CodeQL Tooling (Bundles + Packs)
- codeql-bundle-action - Action to retrofit a CodeQL bundle with additional queries, libraries, and customizations
- gh-tailor - A tool for customizing CodeQL packs.
- codeql-bunldle - CLI to build a custom CodeQL bundle
-
CodeQL Enforcement
- advanced-security-enforcer - A GitHub action for organizations that enables advanced security code scanning on all new repos
- codeql-selective-analysis - Make CodeQL a required status check for Pull Requests, but to skip the analysis in the case that only a certain subset of files are modified
-
CodeQL Extractors
- codeql-extractor-iac - CodeQL Extractors, Library, and Queries for Infrastructure as Code ( Terraform / HCL, JSON, YAML, Container files, Bicep )
- codeql-kaleidoscope - CodeQL for LLVM Kaleidoscope ([AST/CFG/SSA/Dataflow in separate commits](https://github.com/aibaars/codeql-kaleidoscope/commits/main/))
- Powershell Extractor - CodeQL extractor, sample queries, and tools for Powershell
- codeql-extractor-bicep - CodeQL Extractor for Bicep Configurations
- CyScout Solidity Extractor - Run queries and detect vulnerabilities in your smart contracts using CodeQL-Solidity
- cobol-codeql - Archive of CodeQL support for COBOL (This is a one-off release of code for supporting analysis of COBOL programs using QL. The release of this code does not imply any intention to support it in the future.)
- codeql-kaleidoscope - CodeQL for LLVM Kaleidoscope ([AST/CFG/SSA/Dataflow in separate commits](https://github.com/aibaars/codeql-kaleidoscope/commits/main/))
-
CodeQL Monorepo Actions Samples
- parallel-code-scanning - An example of a GitHub Actions workflow showing how code scanning with CodeQL can be parallelized on monorepos.
- multi-lang-monorepo - A repo that demonstrates using an Actions workflow Job matrix to run parallel CodeQL scans on applications in a monorepo.
- sample-javascript-monorepo - Detached fork of babel/babel to use as a TypeScript monorepo sample with 150+ packages using the [monorepo-code-scanning-action](https://github.com/advanced-security/monorepo-code-scanning-action)
-
CodeQL Libraries
- codeql-qtil - A library with a wide variety of handy CodeQL utilities, from simple to complex.
-
CodeQL Extractor Helpers
- codeql-extractor-action - specify a CodeQL extractor to be used in your workflows as an author of an Extractor.
Programming Languages
Categories
CodeQL Query Writing
18
CodeQL Actions Helpers
11
CodeQL Getting Started and Guides (along side the [official docs](https://codeql.github.com/docs/))
9
CodeQL Extractors
7
CodeQL Query Writing Documentation
5
CodeQL Containers
5
CodeQL SARIF
5
CodeQL [Packs](https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/publishing-and-using-codeql-packs)
4
CodeQL CLI Tooling
4
CodeQL Installers
4
CodeQL Tooling (Bundles + Packs)
3
CodeQL Query Suites
3
CodeQL Monorepo Actions Samples
3
CodeQL Troubleshooting
3
CodeQL Enforcement
2
CodeQL Queries/Bundles
2
CodeQL Samples
2
Why
1
CodeQL Extractor Helpers
1
CodeQL Customizations
1
CodeQL Libraries
1
CodeQL Configuration Documentation
1
Sub Categories
Keywords
codeql
11
code-scanning
4
gh-extension
3
advanced-security
2
actions
2
ghas
2
sarif
2
jupyter
1
powershell
1
github
1
vue
1
typescript
1
shieldsio
1
shields-io
1
shields
1
shield
1
readme-badges
1
readme-badge
1
nodejs
1
markdown-badges
1
markdown
1
javascript
1
documentation-tool
1
documentation-generator
1
docs-generator
1
boilerplate
1
badge-generator
1
badge
1
containers
1
codescanning
1
sast
1
github-actions
1
semmle
1
quality-ql-pack
1
docker
1
codeql-queries
1
codeql-container
1
codeql-command
1
codeql-cli
1
react-components
1
react
1
github-advanced-security
1
security
1
misra
1
iso26262
1
functional-safety
1
cpp14
1
coding-standards
1
code-scanning-ready
1
cert
1