home / skills / personamanagmentlayer / pcl / codeql-expert

codeql-expert skill

needs review

This skill helps you master CodeQL for static analysis, custom query development, and CI/CD integration to detect vulnerabilities and enforce security

npx playbooks add skill personamanagmentlayer/pcl --skill codeql-expert

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

5.5 KB

---
name: codeql-expert
version: 1.0.0
description: Expert-level CodeQL for static analysis, vulnerability detection, and security code scanning
category: security
tags: [codeql, static-analysis, sast, vulnerability-detection, github-security]
allowed-tools:
  - Read
  - Write
  - Edit
  - Bash(codeql:*, gh:*)
---

# CodeQL Expert

Expert guidance for CodeQL static analysis, custom query development, vulnerability detection, and integration with CI/CD pipelines.

## Core Concepts

### CodeQL Overview
- Semantic code analysis engine
- Treats code as data (queryable database)
- Supports C/C++, C#, Go, Java, JavaScript/TypeScript, Python, Ruby
- Powers GitHub Code Scanning
- Custom query development with QL language

### CodeQL Workflow
1. Extract code to database
2. Write QL queries
3. Run analysis
4. Review results
5. Fix vulnerabilities
6. Integrate into CI/CD

### Query Types
- Security queries (vulnerabilities)
- Code quality queries (bugs, code smells)
- Compliance queries (coding standards)
- Custom queries (org-specific patterns)

## Installation & Setup

```bash
# Download CodeQL CLI
wget https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip
unzip codeql-linux64.zip
export PATH="$PATH:/path/to/codeql"

# Clone CodeQL queries
git clone https://github.com/github/codeql.git codeql-repo

# Verify
codeql --version
```

### Create Database

```bash
# JavaScript/TypeScript
codeql database create my-js-db --language=javascript

# Java (requires build)
codeql database create my-java-db \
  --language=java \
  --command="mvn clean package"

# Python
codeql database create my-python-db --language=python

# Multiple languages
codeql database create my-db --db-cluster --language=javascript,python
```

## Writing CodeQL Queries

### Basic Query Structure

```ql
/**
 * @name SQL Injection
 * @description Detects SQL injection vulnerabilities
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.8
 * @precision high
 * @id js/sql-injection
 * @tags security external/cwe/cwe-089
 */

import javascript
import semmle.javascript.security.dataflow.SqlInjectionQuery
import DataFlow::PathGraph

from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "SQL query depends on $@.", source.getNode(), "user input"
```

### Find XSS Vulnerabilities

```ql
/**
 * @name Cross-site scripting
 * @kind path-problem
 */

import javascript
import semmle.javascript.security.dataflow.DomBasedXssQuery
import DataFlow::PathGraph

from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "XSS vulnerability due to $@.", source.getNode(), "user input"
```

### Find Hardcoded Credentials

```ql
/**
 * @name Hardcoded credentials
 * @kind problem
 */

import javascript

from StringLiteral str, Variable v
where
  v.getAnAssignedExpr() = str and
  (
    v.getName().toLowerCase().matches("%password%") or
    v.getName().toLowerCase().matches("%apikey%") or
    v.getName().toLowerCase().matches("%secret%")
  ) and
  str.getValue().length() > 8 and
  not str.getValue().matches("TODO%")
select str, "Hardcoded credential: " + v.getName()
```

### Custom Taint Tracking

```ql
/**
 * @name Custom taint tracking
 */

import javascript
import semmle.javascript.dataflow.DataFlow

class CustomTaintTracking extends TaintTracking::Configuration {
  CustomTaintTracking() { this = "CustomTaintTracking" }

  override predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource
  }

  override predicate isSink(DataFlow::Node sink) {
    exists(CallExpr call |
      call.getCalleeName() in ["exec", "eval", "system"]
    |
      sink.asExpr() = call.getAnArgument()
    )
  }

  override predicate isSanitizer(DataFlow::Node node) {
    node = DataFlow::BarrierGuard<StringOps::Validation>::getABarrierNode()
  }
}

from CustomTaintTracking cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "Dangerous operation with $@.", source.getNode(), "user input"
```

## Running CodeQL

```bash
# Analyze database
codeql database analyze my-db \
  --format=sarif-latest \
  --output=results.sarif \
  codeql/javascript-queries:codeql-suites/javascript-security-extended.qls

# Run custom query
codeql query run my-query.ql --database=my-db --output=results.bqrs

# Convert to CSV
codeql bqrs decode results.bqrs --format=csv --output=results.csv
```

### GitHub Actions Integration

```yaml
name: CodeQL Analysis

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write

    strategy:
      matrix:
        language: ['javascript', 'python']

    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          queries: +security-extended

      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
```

## Best Practices

- Start with built-in queries
- Test on small codebases first
- Optimize for performance
- Add clear documentation
- Tune to reduce false positives
- Integrate into CI/CD early

## Resources

- CodeQL Docs: https://codeql.github.com/docs/
- Queries: https://github.com/github/codeql
- Code Scanning: https://docs.github.com/en/code-security/code-scanning

Overview

This skill provides expert-level guidance for using CodeQL to perform static analysis, write custom QL queries, detect vulnerabilities, and integrate scans into CI/CD pipelines. It focuses on practical steps for extracting databases, creating tailored taint-tracking rules, and reducing false positives. The content is aimed at security engineers, SREs, and dev teams wanting repeatable, automated code scanning.

How this skill works

The skill explains the CodeQL workflow: extract a code database, author and run QL queries, review findings, and remediate issues. It covers built-in security queries and how to author custom path-problem and taint-tracking configurations. It also shows how to run analyses, convert results, and integrate CodeQL into GitHub Actions or other CI systems.

When to use it

When you need automated, semantic static analysis across multiple languages
When you want to write custom vulnerability checks or compliance queries
When integrating security scanning into CI/CD pipelines and pull requests
When hunting for taint-flow issues like SQLi, XSS, or command injection
When you need to reduce false positives with targeted configurations

Best practices

Start with built-in CodeQL query packs before writing custom QL
Test new queries on small sample databases to validate behavior
Use precise source/sink/sanitizer predicates to reduce false positives
Profile and optimize queries for performance on larger codebases
Document query intent, severity, and expected remediation steps
Integrate analysis into PR checks and gate critical branches

Example use cases

Detect SQL injection and DOM XSS in a JavaScript/TypeScript repo using path-problem queries
Create custom taint-tracking to flag unsafe exec/eval usage in Node services
Scan a polyglot repository by creating language-specific databases then analyzing them together
Automate CodeQL runs in GitHub Actions to block vulnerable PRs before merge
Convert BQRS results to CSV or SARIF for SOC dashboards and triage workflows

FAQ

Which languages does CodeQL support?

CodeQL supports C/C++, C#, Go, Java, JavaScript/TypeScript, Python, and Ruby.

How do I reduce false positives from custom queries?

Make source/sink predicates explicit, add sanitizer checks, test on representative samples, and tune severity and precision metadata.