Does CodeQL require a build for all languages?

No, interpreted languages like Python and JavaScript do not require a build, but compiled languages like C++, Java, and Rust require a successful compilation step to create the CodeQL database.

What output formats are supported for analysis results?

The skill can generate results in SARIF-latest and CSV formats, which are compatible with GitHub Advanced Security and various other security dashboards.

Is CodeQL suitable for local development?

Absolutely. You can create local databases and run analysis on your local machine to find and fix vulnerabilities before they are ever committed to a repository.

Can I use custom queries with this skill?

Yes, the skill supports writing, testing, and running custom .ql queries and query packs, allowing you to target domain-specific or novel vulnerability patterns.

How does CodeQL differ from Semgrep?

CodeQL excels at complex, interprocedural data flow analysis across multiple files and functions, while Semgrep is faster and more lightweight for simpler, pattern-based matching within single files.

CodeQL Security Analysis

Name: CodeQL Security Analysis
Author: fjor1025

byfjor1025

0•

보안 및 테스팅

Performs deep static analysis to identify security vulnerabilities, track data flow, and perform taint analysis across complex codebases.

This skill enables Claude to leverage CodeQL, the industry-standard semantic code analysis engine, to discover security flaws that simple pattern-matching tools often miss. By modeling code as a database, it performs advanced interprocedural data flow and taint tracking to trace untrusted inputs from sources to dangerous sinks across multiple function calls and files. It is an essential tool for conducting thorough security audits, setting up automated CI/CD security pipelines, and writing custom QL queries to detect domain-specific vulnerabilities in both compiled and interpreted languages.

주요 기능

010 GitHub stars

02GitHub Actions integration for automated security gates

03Interprocedural taint tracking and data flow analysis

04SARIF and CSV report generation for audit compliance

05Comprehensive security vulnerability detection for 10+ languages

06Custom .ql query development and testing environment

사용 사례

01Identifying SQL injection, XSS, and path traversal vulnerabilities via taint tracking

02Performing deep security audits on large, multi-file enterprise codebases

03Integrating automated static analysis (SAST) into CI/CD pipelines for shift-left security

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add fjor1025/infosec-framework codeql

For use in Claude.ai and ChatGPT

Download Skill