← Back to list
codeql
by trailofbits
Trail of Bits Claude Code skills for security research, vulnerability detection, and audit workflows
⭐ 1,725🍴 140📅 Jan 23, 2026
agent-skillsutility-developmenttool-buildingproductivity-enhancementworkflow-improvementintegration-support
Run in ManusUse Cases
⚡
Work Efficiency
Streamline daily tasks and improve productivity.
📋
Project Management
Assist with task management and project tracking.
👥
Team Collaboration
Improve team communication and collaboration.
SKILL.md
name: codeql description: Run CodeQL static analysis for security vulnerability detection, taint tracking, and data flow analysis. Use when asked to analyze code with CodeQL, create CodeQL databases, write custom QL queries, perform security audits, or set up CodeQL in CI/CD pipelines. allowed-tools:
- Bash
- Read
- Glob
- Grep
CodeQL Static Analysis
When to Use CodeQL
Ideal scenarios:
- Source code access with ability to build (for compiled languages)
- Open-source projects or GitHub Advanced Security license
- Need for interprocedural data flow and taint tracking
- Finding complex vulnerabilities requiring AST/CFG analysis
- Comprehensive security audits where analysis time is not critical
Consider Semgrep instead when:
- No build capability for compiled languages
- Licensing constraints
- Need fast, lightweight pattern matching
- Simple, single-file analysis is sufficient
Why Interprocedural Analysis Matters
Simple grep/pattern tools only see one function at a time. Real vulnerabilities often span multiple functions:
HTTP Handler → Input Parser → Business Logic → Database Query
↓ ↓ ↓ ↓
source transforms passes sink (SQL)
CodeQL tracks data flow across all these steps. A tainted input in the handler can be traced through 5+ function calls to find where it reaches a dangerous sink.
Pattern-based tools miss this because they can't connect request.param in file A to db.execute(query) in file B.
When NOT to Use
Do NOT use this skill for:
- Projects that cannot be built (CodeQL requires successful compilation for compiled languages)
- Quick pattern searches (use Semgrep or grep for speed)
- Non-security code quality checks (use linters instead)
- Projects without source code access
Environment Check
# Check if CodeQL is installed
command -v codeql >/dev/null 2>&1 && echo "CodeQL: installed" || echo "CodeQL: NOT installed (run install steps below)"
Installation
CodeQL CLI
# macOS/Linux (Homebrew)
brew install --cask codeql
# Update
brew upgrade codeql
Manual: Download bundle from https://github.com/github/codeql-action/releases
Trail of Bits Queries (Optional)
Install public ToB security queries for additional coverage:
# Download ToB query packs
codeql pack download trailofbits/cpp-queries trailofbits/go-queries
# Verify installation
codeql resolve qlpacks | grep trailofbits
Core Workflow
1. Create Database
codeql database create codeql.db --language=<LANG> [--command='<BUILD>'] --source-root=.
| Language | --language= | Build Required |
|---|---|---|
| Python | python | No |
| JavaScript/TypeScript | javascript | No |
| Go | go | No |
| Ruby | ruby | No |
| Rust | rust | Yes (--command='cargo build') |
| Java/Kotlin | java | Yes (--command='./gradlew build') |
| C/C++ | cpp | Yes (--command='make -j8') |
| C# | csharp | Yes (--command='dotnet build') |
| Swift | swift | Yes (macOS only) |
2. Run Analysis
# List available query packs
codeql resolve qlpacks
Run security queries:
# SARIF output (recommended)
codeql database analyze codeql.db \
--format=sarif-latest \
--output=results.sarif \
-- codeql/python-queries:codeql-suites/python-security-extended.qls
# CSV output
codeql database analyze codeql.db \
--format=csv \
--output=results.csv \
-- codeql/javascript-queries
With Trail of Bits queries (if installed):
codeql database analyze codeql.db \
--format=sarif-latest \
--output=results.sarif \
-- trailofbits/go-queries
Writing Custom Queries
Query Structure
CodeQL uses SQL-like syntax: from Type x where P(x) select f(x)
Basic Template
/**
* @name Find SQL injection vulnerabilities
* @description Identifies potential SQL injection from user input
* @kind path-problem
* @problem.severity error
* @security-severity 9.0
* @precision high
* @id py/sql-injection
* @tags security
* external/cwe/cwe-089
*/
import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
module SqlInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
// Define taint sources (user input)
exists(source)
}
predicate isSink(DataFlow::Node sink) {
// Define dangerous sinks (SQL execution)
exists(sink)
}
}
module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;
from SqlInjectionFlow::PathNode source, SqlInjectionFlow::PathNode sink
where SqlInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "SQL injection from $@.", source.getNode(), "user input"
Query Metadata
| Field | Description | Values |
|---|---|---|
@kind | Query type | problem, path-problem |
@problem.severity | Issue severity | error, warning, recommendation |
@security-severity | CVSS score | 0.0 - 10.0 |
@precision | Confidence | very-high, high, medium, low |
Key Language Features
// Predicates
predicate isUserInput(DataFlow::Node node) {
exists(Call c | c.getFunc().(Attribute).getName() = "get" and node.asExpr() = c)
}
// Transitive closure: + (one or more), * (zero or more)
node.getASuccessor+()
// Quantification
exists(Variable v | v.getName() = "password")
forall(Call c | c.getTarget().hasName("dangerous") | hasCheck(c))
Creating Query Packs
codeql pack init myorg/security-queries
Structure:
myorg-security-queries/
├── qlpack.yml
├── src/
│ └── SqlInjection.ql
└── test/
└── SqlInjectionTest.expected
qlpack.yml:
name: myorg/security-queries
version: 1.0.0
dependencies:
codeql/python-all: "*"
CI/CD Integration (GitHub Actions)
name: CodeQL Analysis
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '0 0 * * 1' # Weekly
jobs:
analyze:
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
matrix:
language: ['python', 'javascript']
steps:
- uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: security-extended,security-and-quality
# Add custom queries/packs:
# queries: security-extended,./codeql/custom-queries
# packs: trailofbits/python-queries
- uses: github/codeql-action/autobuild@v3
- uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ matrix.language }}"
Testing Queries
codeql test run test/
Test file format:
def vulnerable():
user_input = request.args.get("q") # Source
cursor.execute("SELECT * FROM users WHERE id = " + user_input) # Alert: sql-injection
def safe():
user_input = request.args.get("q")
cursor.execute("SELECT * FROM users WHERE id = ?", (user_input,)) # OK
Troubleshooting
| Issue | Solution |
|---|---|
| Database creation fails | Clean build environment, verify build command works independently |
| Slow analysis | Use --threads, narrow query scope, check query complexity |
| Missing results | Check file exclusions, verify source files were parsed |
| Out of memory | Set CODEQL_RAM=48000 environment variable (48GB) |
| CMake source path issues | Adjust --source-root to point to actual source location |
Rationalizations to Reject
| Shortcut | Why It's Wrong |
|---|---|
| "No findings means the code is secure" | CodeQL only finds patterns it has queries for; novel vulnerabilities won't be detected |
| "This code path looks safe" | Complex data flow can hide vulnerabilities across 5+ function calls; trace the full path |
| "Small change, low risk" | Small changes can introduce critical bugs; run full analysis on every change |
| "Tests pass so it's safe" | Tests prove behavior, not absence of vulnerabilities; they test expected paths, not attacker paths |
| "The query didn't flag it" | Default query suites don't cover everything; check if custom queries are needed for your domain |
Resources
- Docs: https://codeql.github.com/docs/
- Query Help: https://codeql.github.com/codeql-query-help/
- Security Lab: https://securitylab.github.com/
- Trail of Bits Queries: https://github.com/trailofbits/codeql-queries
- VSCode Extension: "CodeQL" for query development
Score
Total Score
95/100
Based on repository quality metrics
✓SKILL.md
SKILL.mdファイルが含まれている
+20
✓LICENSE
ライセンスが設定されている
+10
✓説明文
100文字以上の説明がある
+10
✓人気
GitHub Stars 1000以上
+15
✓最近の活動
1ヶ月以内に更新
+10
✓フォーク
10回以上フォークされている
+5
✓Issue管理
オープンIssueが50未満
+5
✓言語
プログラミング言語が設定されている
+5
✓タグ
1つ以上のタグが設定されている
+5
Reviews
💬
Reviews coming soon
