CodeQL Community Packs

Collection of community-driven CodeQL query, library and extension packs

Getting started

Default query suites

Using a githubsecuritylab/codeql-LANG-queries query pack will reference the default suite for that pack (e.g. python.qls for python). However, you may use a different suite such as python-audit.qls by referencing the query pack with the following syntax: githubsecuritylab/codeql-python-queries:suites/python-audit.qls. The examples below work for both syntaxes.

Using a community pack from the CodeQL Action

Important

For language aliases in strategy.matrix.language, use cpp instead of c-cpp, java instead of java-kotlin and javascript instead of javascript-typescript.

- name: Initialize CodeQL
  uses: github/codeql-action/init@v2
  with:
    languages: ${{ matrix.language }}
    packs: githubsecuritylab/codeql-${{ matrix.language }}-queries

Using community packs with provided configuration file

This repository has a number of provided configuration files you can use or copy from the community packs.

- name: Initialize CodeQL
  uses: github/codeql-action/init@v2
  with:
    languages: ${{ matrix.language }}
    config-file: GitHubSecurityLab/CodeQL-Community-Packs/configs/default.yml@main

Using a community pack from the CLI configuration file

$ cat codeql-config.yml | grep -A 1 'packs:'
packs:
  - githubsecuritylab/codeql-python-queries

Using a community pack from the CodeQL CLI

codeql database analyze db/ --download githubsecuritylab/codeql-python-queries --format=sarif-latest --output=results.sarif

License

This project is licensed under the terms of the MIT open source license. Please refer to MIT for the full terms.

Support

Please create GitHub issues for any feature requests, bugs, or documentation problems.