- Part of the May 2021 code scanning hackathon.
- Part of the October 2021 code scanning hackathon.
Under development.
TLDR: View https://github.com/github/codeql-ql/security/code-scanning?query=branch%3Anightly-changes-alerts periodically.
The nightly-changes-alerts branch contains nightly snapshots of QL-related code from github/codeql and github/codeql-go. The corresponding code-scanning alerts are from the default query suite.
The branch and alerts are updated every night by the nightly-changes.yml workflow.
Ideally, the scans would happen automatically as part of the PRs. That requires more coordination, and is tracked here: https://github.com/github/codeql-coreql-team/issues/1669.
Install Rust (if using VSCode, you may also want the rust-analyzer extension), then build the tools from source:

```sh
cargo build --release
```

The generated ql/src/ql.dbscheme and ql/src/codeql_ql/ast/internal/TreeSitter.qll files are included in the repository, but they can be re-generated as follows:

```sh
./create-extractor-pack.sh
```

To build a CodeQL database for a QL project, first get an extractor pack: run ./create-extractor-pack.sh (Linux/Mac) or .\create-extractor-pack.ps1 (Windows PowerShell), and the pack will be created in the extractor-pack directory.

Then run

```sh
codeql database create <database-path> -l ql -s <project-source-path> --search-path <extractor-pack-path>
```

To run the QL tests (qltest), run

```sh
codeql test run <test-path> --search-path <repository-root-path>
```

In addition to the above nightly scans of the known CodeQL repositories, the following Actions are of particular interest:
- bleeding-codeql-analysis.yml
  - runs on all PRs and displays how alerts for the known CodeQL repositories change as a consequence of the PR
  - the code from the known CodeQL repositories should be updated occasionally by running repo-tests/import-repositories.sh locally and creating a PR
- build.yml
  - produces an artifact with a built ql database in
  - produces an artifact with the ql extractor and the ql query pack in
  - produces an artifact with the
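The build, database-creation and qltest steps above chained into one script, with an alert-count gate on the SARIF output at the end. This is an added example, not a script from the codeql-ql repository or its workflows. It assumes (my assumptions, not the README's) that it is run from the repository root, that cargo and codeql are on PATH, that the query pack to run is the ql/src directory, and that the tests live under ql/test; the ql-db, ql-results.sarif and MAX_ALERTS names are invented for the example.

```sh
#!/usr/bin/env sh
# Added example, not part of the codeql-ql repository. Chains the README steps:
# build the extractor pack, create a `ql` database for a project, run the ql
# queries over it, run the qltests, and gate on the number of SARIF alerts.
# Assumptions (mine, not the README's): run from the codeql-ql repository root,
# `cargo` and `codeql` are on PATH, the query pack is the ql/src directory, and
# the tests live under ql/test.
set -eu

# Return 0 if the named command is on PATH, 1 otherwise.
require_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# Count results in a SARIF file. CodeQL writes pretty-printed SARIF with one
# "ruleId" key per result line, so counting those lines is a workable
# approximation (a precise count is `jq '[.runs[].results[]] | length'`).
sarif_alert_count() {
    grep -c '"ruleId"' "$1" || true
}

# Succeed only if the SARIF file exists and has at most $2 alerts (default 0).
gate_on_alerts() {
    [ -f "$1" ] || { echo "no SARIF file at $1" >&2; return 1; }
    n=$(sarif_alert_count "$1")
    echo "$n alert(s) in $1"
    [ "$n" -le "${2:-0}" ]
}

# Step 1: build the ql extractor pack with the repository's own script.
build_extractor_pack() {
    require_cmd cargo || { echo "cargo not found; install Rust first" >&2; return 1; }
    ./create-extractor-pack.sh
    [ -d extractor-pack ] || { echo "extractor-pack was not created" >&2; return 1; }
}

# Step 2: create the database; --search-path lets codeql find the ql extractor.
create_database() {
    codeql database create "$2" -l ql -s "$1" --search-path "$PWD/extractor-pack"
}

# Step 3: run the ql query pack (assumed to be ql/src) and write SARIF.
analyze_database() {
    codeql database analyze "$1" ql/src --search-path . --format=sarif-latest --output "$2"
}

# Step 4: run the repository's qltests (assumed to live under ql/test).
run_qltests() {
    codeql test run ql/test --search-path .
}

main() {
    src=$1
    db=${2:-ql-db}
    sarif=${3:-ql-results.sarif}
    require_cmd codeql || { echo "codeql CLI not found" >&2; return 1; }
    build_extractor_pack
    create_database "$src" "$db"
    analyze_database "$db" "$sarif"
    run_qltests
    gate_on_alerts "$sarif" "${MAX_ALERTS:-0}"
}

# Usage: sh ql-scan.sh <project-source-path> [<database-path>] [<sarif-path>]
# With no arguments only the functions are defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `sh ql-scan.sh path/to/some-ql-project`; set MAX_ALERTS to a non-zero value to tolerate a known baseline of alerts while still failing the run when new ones appear.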