@bthomas2622
Last active July 28, 2022 03:12
CodeQL Custom Configuration File

Official "Using a custom configuration file" Docs

Using a custom CodeQL Configuration File

Configuration Options

Example: Run the JavaScript default queries but exclude the cleartext-storage-file query

Specify a custom "QL Suite File" (.qls) for your CodeQL config to point to.

For this example:

```yaml
- import: codeql-suites/javascript-code-scanning.qls
  from: codeql-javascript
# exclude takes a mapping of constraints (here a single query id), not a list
- exclude:
    id: js/cleartext-storage-file
```

  • queries is the title of your QL Suite File
  • The import statement pulls in the default code scanning query suite for the language (javascript-code-scanning). You could instead import javascript-security-extended or javascript-security-and-quality, etc.
  • exclude removes the matching queries from the imported set
  • id identifies a specific query. You can find the query you'd like to remove by clicking on the CodeQL alert, clicking "view/query source" and reading the @id tag in the CodeQL query's metadata header.
  • javascript can be swapped for whatever language identifier you are targeting (cpp, java, python, etc.)

Here are the detailed "Creating CodeQL Query Suites" Docs. Here are the Docs on the query suites for each language.

Once you've checked in the new suite file, the official "Specifying Additional Queries" Docs describe how to reference it from the code scanning config file.

Implementation, following the "Specifying Additional Queries" Official Docs. In summary you have two new files and one change to your codeql-analysis.yml:

  1. A new query suite ".qls" file checked into your repo, containing the "import... from... exclude..." instructions:

.github/codeql/javascript-custom-queries.qls

```yaml
- import: codeql-suites/javascript-code-scanning.qls
  from: codeql-javascript
- exclude:
    id: js/cleartext-storage-file
```

  2. A code scanning config file checked into your repo, as described in the official "Using a custom configuration file" Docs, containing "disable-default-queries: true" and a reference to your ".qls" file within the repo:

.github/codeql/codeql-config.yml

```yaml
name: "CodeQL code scanning custom configuration"
disable-default-queries: true
queries:
  - name: Use the custom query suite file from this repo
    uses: ./.github/codeql/javascript-custom-queries.qls
```

  3. An Actions workflow that runs CodeQL, pointing to your code scanning config file in the "github/codeql-action/init" step:

.github/workflows/codeql-analysis.yml

```yaml
# ...as before

- name: Initialize CodeQL
  uses: github/codeql-action/init@v1
  with:
    languages: ${{ matrix.language }}
    config-file: ./.github/codeql/codeql-config.yml

# ...as before
```
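A mistake in either file (an `exclude` written as a YAML list instead of a mapping, a `uses:` path that does not exist in the repo, `disable-default-queries` left off so the default suite still runs alongside yours) only shows up as a failed or surprising analysis run. The following script is an added example, not part of this gist or of GitHub's CodeQL project: it checks the YAML shape of the suite and config files described above before they are committed, and pulls the `@id` out of a query's metadata header so you can confirm the id you excluded is the one you meant. It assumes PyYAML is installed; the sample files and the `.ql` header are constructed here (the header is a hypothetical stand-in, not the real query's source). It does not resolve or run queries; `codeql resolve queries <suite>` does that.

```python
"""Structural checks for a CodeQL custom query suite (.qls) and a code
scanning config (codeql-config.yml). Added example; assumes PyYAML."""
import re
import yaml  # PyYAML, assumed installed (pip install pyyaml)

# --- constructed sample files, mirroring the snippets above ---------------
SUITE_OK = """\
- import: codeql-suites/javascript-code-scanning.qls
  from: codeql-javascript
- exclude:
    id: js/cleartext-storage-file
"""

# Same intent, but 'from' is missing and 'exclude' is a list, not a mapping.
SUITE_BAD = """\
- import: codeql-suites/javascript-code-scanning.qls
- exclude:
  - id: js/cleartext-storage-file
"""

CONFIG_OK = """\
name: "CodeQL code scanning custom configuration"
disable-default-queries: true
queries:
  - name: Use the custom query suite file from this repo
    uses: ./.github/codeql/javascript-custom-queries.qls
"""

# Hypothetical query header in the style of a CodeQL .ql metadata block.
QL_HEADER = """\
/**
 * @name Clear text storage of sensitive information in file
 * @id js/cleartext-storage-file
 * @kind problem
 */
import javascript
"""


def check_suite(text):
    """Return a list of problems found in a .qls document (empty means OK)."""
    problems = []
    doc = yaml.safe_load(text)
    if not isinstance(doc, list):
        return ["suite must be a YAML list of instructions"]
    for i, instr in enumerate(doc):
        if not isinstance(instr, dict):
            problems.append(f"instruction {i}: expected a mapping")
            continue
        if "import" in instr and "from" not in instr:
            problems.append(f"instruction {i}: 'import' has no 'from' pack")
        if "exclude" in instr and not isinstance(instr["exclude"], dict):
            problems.append(
                f"instruction {i}: 'exclude' must be a mapping of constraints "
                f"(got {type(instr['exclude']).__name__})")
    return problems


def excluded_ids(text):
    """Collect every query id excluded by the suite (id may be str or list)."""
    ids = set()
    for instr in yaml.safe_load(text) or []:
        ex = instr.get("exclude") if isinstance(instr, dict) else None
        if isinstance(ex, dict) and "id" in ex:
            val = ex["id"]
            ids.update([val] if isinstance(val, str) else val)
    return ids


def check_config(text, repo_files):
    """Check a codeql-config.yml against the set of paths present in the repo."""
    problems = []
    doc = yaml.safe_load(text)
    if not isinstance(doc, dict):
        return ["config must be a YAML mapping"]
    if doc.get("disable-default-queries") is not True:
        problems.append("disable-default-queries is not true: the default "
                        "suite will run in addition to your custom suite")
    for i, q in enumerate(doc.get("queries") or []):
        uses = q.get("uses") if isinstance(q, dict) else None
        if not isinstance(uses, str):
            problems.append(f"query {i}: missing 'uses'")
            continue
        # Only in-repo references ('./...') can be checked offline.
        if uses.startswith("./") and uses[2:] not in repo_files:
            problems.append(f"query {i}: {uses!r} not found in repository")
    return problems


# Matches ' * @id js/foo' inside the /** ... */ metadata comment of a .ql file.
ID_RE = re.compile(r"^\s*\*?\s*@id\s+(\S+)", re.MULTILINE)


def query_id(ql_text):
    """Return the @id from a query's metadata header, or None if absent."""
    m = ID_RE.search(ql_text)
    return m.group(1) if m else None


if __name__ == "__main__":
    repo = {".github/codeql/javascript-custom-queries.qls"}
    print("good suite :", check_suite(SUITE_OK) or "OK")
    print("bad suite  :", check_suite(SUITE_BAD))
    print("config     :", check_config(CONFIG_OK, repo) or "OK")
    print("excluded id matches header:",
          query_id(QL_HEADER) in excluded_ids(SUITE_OK))
```

Run it from the repo root with the real file contents substituted for the constructed strings (for example `pathlib.Path(".github/codeql/javascript-custom-queries.qls").read_text()` and a `repo_files` set built by walking the tree) as a pre-commit or CI step; it is deliberately strict about `exclude` being a mapping, since that is the easiest thing to get wrong when hand-writing the suite.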