advanced-security/gh-codeql-scan

GH CLI CodeQL Scan Extension

gh-codeql-scan

GitHub CLI CodeQL Scan Extension to help abstract CodeQL away from users.

Requirements

• GitHub CLI

Install and Setup

This installs CodeQL and this scan tool:

gh extensions install github/gh-codeql
gh extensions install advanced-security/gh-codeql-scan

gh codeql-scan --help

A couple of tips and tricks:

# Create an alias to make things even easier
alias codeql-scan="gh codeql-scan"

Usage

The main use of the script is to automatically run CodeQL in a number of modes.

# End-to-end analysis and upload results
gh codeql-scan

# `init` mode: Create only the Codeql database
gh codeql-scan init --auto-detect
# or manually set language
gh codeql-scan init -l=java 

# Compiled languages -  pass in build command
gh codeql-scan -c "mvn build ..."

# Compiled languages - complicated build process using indirect build tracing
gh codeql-scan init
echo "password=$password" > settings.xml
mvn build --random-custom=flags
gh codeql-scan analyze

# `analyze` mode: Run query-suites on an existing database (auto-detects databases)
gh codeql-scan analyze

# `upload` mode: Upload all SARIF files
gh codeql-scan upload

License

This project is licensed under the terms of the MIT open source license. Please refer to MIT for the full terms.

Maintainers

• @GeekMasher

Support

Support is via GitHub Issues

Acknowledgement