Scans a codebase for security vulnerabilities using CodeQL's interprocedural data flow and taint tracking analysis. Triggers on "run codeql", "codeql scan",…
CodeQL Analysis
Supported languages: Python, JavaScript/TypeScript, Go, Java/Kotlin, C/C++, C#, Ruby, Swift.
Skill resources: Reference files and templates are located at {baseDir}/references/ and {baseDir}/workflows/.
Essential Principles
Database quality is non-negotiable. A database that builds is not automatically good. Always run quality assessment (file counts, baseline LoC, extractor errors) and compare against expected source files. A cached build produces zero useful extraction.
Data extensions catch what CodeQL misses. Even projects using standard frameworks (Django, Spring, Express) have custom wrappers around database calls, request parsing, or shell execution. Skipping the create-data-extensions workflow means missing vulnerabilities in project-specific code paths.
Explicit suite references prevent silent query dropping. Never pass pack names directly to codeql database analyze — each pack's defaultSuiteFile applies hidden filters that can produce zero results. Always generate a custom .qls suite file.
Zero findings needs investigation, not celebration. Zero results can indicate poor database quality, missing models, wrong query packs, or silent suite filtering. Investigate before reporting clean.
macOS Apple Silicon requires workarounds for compiled languages. Exit code 137 is arm64e/arm64 mismatch, not a build failure. Try Homebrew arm64 tools or Rosetta before falling back to build-mode=none.
Follow workflows step by step. Once a workflow is selected, execute it step by step without skipping phases. Each phase gates the next — skipping quality assessment or data extensions leads to incomplete analysis.don't have the plugin yet? install it then click "run inline in claude" again.
added explicit inputs (cli, build tools, db location, suite files, external connections), numbered 8-step procedure with input/output per step, decision logic for unclear builds/arm64 failures/zero findings, detailed output contract with file locations and invariants, outcome signals with verification method.
run interprocedural security vulnerability scanning across Python, JavaScript/TypeScript, Go, Java/Kotlin, C/C++, C#, Ruby, and Swift codebases using CodeQL's data flow analysis. use this skill when you need to find SQL injection, command injection, path traversal, XSS, or other taint-based vulnerabilities that span multiple functions or modules. the skill enforces database quality checks, custom data extensions for project-specific APIs, and explicit query suite references to avoid silent filtering and false negatives.
codeql cli
codeql --versionsource code repository
language-specific build tools
codeql database location
codeql database create will write (typically ./codeql-db-<lang>)query suite files
{baseDir}/queries/ or {baseDir}/references/security-and-quality.qls instead of codeql/python-queriesexternal connections
GITHUB_TOKEN)SARIF_ENDPOINT)reference materials
{baseDir}/workflows/ (e.g., build-analyze-python.sh){baseDir}/references/select language and confirm build method
codeql resolve languages and language-specific docscreate codeql database
codeql database create --language=<lang> --source-root=<path> --build-mode=auto <dbpath>--build-mode=none or use rosetta<dbpath>--build-mode=none (source-based extraction only; some languages less precise)assess database quality
codeql database info <dbpath> and codeql database analyze <dbpath> --format=json --output=quality.json codeql/python-queries (substitute language)create data extensions for custom code paths
{baseDir}/references/data-extensions/codeql database index-files <dbpath> --additional-packs=<ext-pack-dir>generate explicit query suite file
{baseDir}/queries/security-and-quality.qlscodeql-python/ql/src/Security/CWE-089/SqlInjection.ql)codeql/python-queries) directly to analyze; packs apply hidden defaultSuiteFile filters- query: Security/CWE-089/SqlInjection.ql
- query: Security/CWE-078/CommandInjection.ql
run analysis with explicit suite reference
codeql database analyze <dbpath> --format=sarif-latest --output=results.sarif <suite-file.qls>investigate zero findings
--verbose flagprocess and deliver sarif results
curl -X POST <SARIF_ENDPOINT> -d @results.sarifif build method is unclear:
codeql resolve languages and consult language-specific extractor docs--build-mode=none (source-only extraction; less precise but will complete)if database build fails with exit 137 on arm64 macos:
arch -x86_64 codeql database create ...--build-mode=noneif database quality check fails (low file count or many extractor errors):
if zero findings after analysis:
--verbose to confirm suite applied correctlyif custom data extensions needed:
if sarif upload fails (network timeout, auth error, endpoint down):
codeql database
<dbpath> specified in step 2quality report
quality.json from step 3data extensions (if applicable)
{baseDir}/references/data-extensions/ or custom pack directoryquery suite file
{baseDir}/queries/security-and-quality.qlssarif results
results.sarif from step 6investigation summary (if zero findings)
investigation.txt