How does CodeQL differ from tools like Semgrep?

While Semgrep is excellent for fast, single-file pattern matching, CodeQL is designed for complex, interprocedural analysis that tracks how data and control flow move across an entire application.

Can I create custom security rules with this skill?

Yes, you can write and execute custom .ql queries to find specific logic flaws or security issues unique to your project's architecture.

Do I need to build my project to use CodeQL?

Yes, for compiled languages like C++ or Java, CodeQL typically hooks into the build process to capture a complete representation of the code; interpreted languages like Python do not require a build.

Which programming languages does CodeQL support?

CodeQL currently supports major languages including C/C++, Java/Kotlin, JavaScript/TypeScript, Python, Go, Ruby, and Swift.

CodeQL is a powerful static analysis engine that treats code as data, allowing you to query your codebase for complex patterns and security vulnerabilities using a specialized query language.

CodeQL Static Analysis

Name: CodeQL Static Analysis
Author: fjor1025

byfjor1025

0•

安全与测试

Performs deep interprocedural static analysis and security vulnerability scanning by querying codebases as relational databases.

The CodeQL skill empowers developers and security researchers to perform advanced semantic analysis of codebases directly within the Claude environment. By treating source code as a searchable database, it enables sophisticated interprocedural data flow and control flow tracking that goes far beyond simple pattern matching. This skill is ideal for identifying complex security vulnerabilities, enforcing custom architectural rules, and performing deep-dive audits across multiple files. It supports a wide range of languages including C/C++, Java, Python, Go, and JavaScript, providing standardized SARIF output for easy integration into existing security workflows.

主要功能

01Access to a vast library of pre-built security query packs

020 GitHub stars

03Interprocedural data flow and control flow analysis across entire codebases

04Standardized SARIF output for seamless integration with IDEs and CI/CD pipelines

05Automated database creation for C/C++, Java, Go, Python, and JavaScript/TypeScript

06Custom QL query support for defining domain-specific security rules

使用场景

01Automated security auditing to identify complex vulnerabilities like SQL injection or memory corruption

02Mapping sensitive data flow through large, complex applications during architectural reviews

03Enforcing internal coding standards and preventing the reintroduction of known bug patterns

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add fjor1025/infosec-framework codeql

For use in Claude.ai and ChatGPT

Download Skill