Skip to content

advanced-security/awesome-codeql

Repository files navigation

Awesome Codeql Awesome

A curated list of CodeQL resources.

CodeQL Getting Started and Guides (along side the official docs)

  • GitHub Security Lab - From trying out CodeQL to secure your own code to collecting bug bounties by securing others', here are a few ways we can keep the world's software safe, together.
  • testing-handbook - The Trail of Bits Testing Handbook is a resource that guides developers and security professionals in configuring, optimizing, and automating many of the static and dynamic analysis tools used at Trail of Bits.

CodeQL Installers

  • grab_ql - Grab some/all of CodeQL CLI binary, QL library, VSCode starter workspace, VSCode and VSCode QL extension
  • codeql-anywhere - Put the power of CodeQL in your pocket, take it with you to any CI 🚀
  • codeql-jupyter-kernel - Jupyter Kernel for CodeQL

CodeQL CLI Tooling

  • gh-codeql - GitHub CLI extension for working with CodeQL
  • gh-codeql-scan - GH CLI CodeQL Scan Extension
  • gh-mrva - Multi-repo variant analysis CLI support

CodeQL Customizations

  • codeql-summarize - CodeQL Summary Generator to generate Models as Data (MaD) from CodeQL databases.

CodeQL Packs

CodeQL Tooling (Bundles + Packs)

  • codeql-bundle-action - Action to retrofit a CodeQL bundle with additional queries, libraries, and customizations
  • codeql-bunldle - CLI to build a custom CodeQL bundle
  • gh-tailor - A tool for customizing CodeQL packs.

CodeQL Queries/Bundles

CodeQL Query Suites

CodeQL Troubleshooting

CodeQL Actions Samples

  • parallel-code-scanning - An example of a GitHub Actions workflow showing how code scanning with CodeQL can be parallelized on monorepos.
  • multi-lang-monorepo - A repo that demonstrates using an Actions workflow Job matrix to run parallel CodeQL scans on applications in a monorepo.

CodeQL Actions Helpers

  • set-codeql-language-matrix - Automatically set the CodeQL matrix job using the languages in your repository.
  • filter-sarif - GitHub Action for filtering Code Scanning alerts by path and id
  • sarif-toolkit - Allows users to split up SARIF files that use submodules into multiple SARIF files that are then published to there appropriate repositories.
  • codeql-debug - Add this action to an existing CodeQL analysis workflow to generate an html report
  • dismiss-alerts - Dismisses GitHub Code Scanning alerts from //codeql[supress reason] style comments on the default branch
  • adjust-cvss - Adjust the severity of the CVSS score assigned to a result in SARIF file
  • codeql-sarif-security-standard-annotator - Add an owasp-top10-2021 tag to relevant results
  • delombok - Delombok Java Code for analysis with Code Scanning (deprecated - now supported by CodeQL)
  • badge-generator - CodeQL Magically generate Markdown badges for your docs 🛡️ 🦡 🧙

CodeQL SARIF

CodeQL Containers

  • codeql-docker - CodeQL Docker image
  • codeql-container - Prepackaged and precompiled github codeql container for rapid analysis, deployment and development.
  • codeql_container_example - Example showing CodeQL to scan containerized applications in GitHub Actions.
  • codeql-container-builds - Blog walking through the complexities of implementing containerized CodeQL workloads sprinkled with bits of Kubernetes wisdom.

CodeQL Enforcement

  • advanced-security-enforcer - A GitHub action for organizations that enables advanced security code scanning on all new repos
  • codeql-selective-analysis - Make CodeQL a required status check for Pull Requests, but to skip the analysis in the case that only a certain subset of files are modified

CodeQL Extractors

CodeQL Samples

  • sample-pipeline-files - This repository contains pipeline files for various CI/CD systems (AWS CodeBuild, Azure Devops, CircleCI, DroneCI, Jenkins, Tekton, Travis), illustrating how to integrate the CodeQL CLI Bundle for Automated Code Scanning
  • Python Pickle - mapping a custom framework in python

CodeQL Configuration Documentation

CodeQL Query Writing

Documentation

Blogs

YouTube learning

Contribute

Contributions welcome! Read the contribution guidelines first.

Why

What is an awesome list?

About

A curated list of awesome CodeQL resources.

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Contributors 3

  •  
  •  
  •