Official "Using a custom configuration file" Docs
- Specifying CodeQL query packs
- Specifying additional queries
- Disabling the default queries
- Specifying directories to scan
- Example configuration files
Specify a custom "QL Suite File" (.qls) for your CodeQL config to point to.
For this example, the suite file contains:

    - import: codeql-suites/javascript-code-scanning.qls
      from: codeql-javascript
    - exclude:
        id: js/cleartext-storage-file
- queries is the title (key) under which your QL Suite File is referenced
- the import statement specifies the CodeQL Query Suite (language-code-scanning) of default queries. You could also import javascript-security-extended or javascript-security-and-quality, etc.
- exclude removes queries from the imported set
- id identifies a specific query. You can find the query you'd like to remove by clicking on the CodeQL alert, clicking "view/query source" and using the @id tag on the CodeQL query.
- javascript can be substituted with whatever language identifier you are targeting (cpp, java, python, etc.)
Here are the detailed "Creating CodeQL Query Suites" Docs. Here are the Docs on the query suites for each language.
Once you've checked in the new suite file, the "Specifying Additional Queries" Official Docs document how to reference it in the code scanning config file.
Implementation from the "Specifying Additional Queries" Official Docs. In summary, you have two new files and one change to your codeql-analysis.yml:
- A new query suite ".qls" file checked into your repo, containing the "import... from... exclude..." block:

    .github/codeql/javascript-custom-queries.qls

    - import: codeql-suites/javascript-code-scanning.qls
      from: codeql-javascript
    - exclude:
        id: js/cleartext-storage-file
- A code scanning config file checked into your repo, as described in the official "Using a custom configuration file" Docs, containing "disable-default-queries: true" and a reference to your ".qls" file within the repo:

    .github/codeql/codeql-config.yml

    name: "CodeQL code scanning custom configuration"
    disable-default-queries: true
    queries:
      - name: Use the custom query suite file from this repo
        uses: ./.github/codeql/javascript-custom-queries.qls
- An Actions workflow that runs CodeQL, pointing to your code scanning config file in the "github/codeql-action/init" step:

    .github/workflows/codeql-analysis.yml

    ...as before
        - name: Initialize CodeQL
          uses: github/codeql-action/init@v1
          with:
            languages: ${{ matrix.language }}
            config-file: ./.github/codeql/codeql-config.yml
    ...as before
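As an added example (not from the original post or from GitHub's docs), here is a dependency-free script that follows the workflow -> config -> suite chain described above and flags the usual wiring mistakes: a config-file or suite path that does not resolve from the repo root, a config that forgets "disable-default-queries: true" (in which case the excluded query still runs as part of the defaults), or an exclude block with no id. The three file bodies are constructed samples and the scan is line-based, not a full YAML parse.

```python
import os
import re
import tempfile

# Constructed sample files mirroring the layout in the post (not real repo content).
FILES = {
    ".github/workflows/codeql-analysis.yml":
        "    - name: Initialize CodeQL\n      uses: github/codeql-action/init@v1\n"
        "      with:\n        config-file: ./.github/codeql/codeql-config.yml\n",
    ".github/codeql/codeql-config.yml":
        "disable-default-queries: true\nqueries:\n"
        "  - uses: ./.github/codeql/javascript-custom-queries.qls\n",
    ".github/codeql/javascript-custom-queries.qls":
        "- import: codeql-suites/javascript-code-scanning.qls\n  from: codeql-javascript\n"
        "- exclude:\n    id: js/cleartext-storage-file\n",
}

def _value(text, key):
    """First scalar value for `key:`, found by a line scan (not a full YAML parse)."""
    m = re.search(r"^\s*-?\s*" + re.escape(key) + r":\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def check_wiring(root, workflow=".github/workflows/codeql-analysis.yml"):
    """Follow workflow -> config -> suite; return a list of problems (empty = OK)."""
    wf = open(os.path.join(root, workflow)).read()
    cfg_rel = _value(wf, "config-file")
    # './' paths in all three files are relative to the repository root
    if not cfg_rel or not os.path.isfile(os.path.join(root, cfg_rel)):
        return [f"config-file {cfg_rel} is missing or does not exist"]
    cfg = open(os.path.join(root, cfg_rel)).read()
    problems = []
    if _value(cfg, "disable-default-queries") != "true":
        problems.append("default queries are not disabled, so the exclude has no effect")
    suite_rel = _value(cfg, "uses")
    if not suite_rel or not os.path.isfile(os.path.join(root, suite_rel)):
        return problems + [f"suite {suite_rel} referenced by config does not exist"]
    suite = open(os.path.join(root, suite_rel)).read()
    if "exclude" in suite and not _value(suite, "id"):
        problems.append("suite has an exclude block without an id")
    return problems

def demo(overrides=None):
    """Write the sample tree (with optional replacements) to a temp dir and check it."""
    root = tempfile.mkdtemp()
    for rel, body in {**FILES, **(overrides or {})}.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return check_wiring(root)
```

Run check_wiring against a real checkout root to get the same list for your own repository.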