A curated list of CodeQL resources.

• GitHub Security Lab - From trying out CodeQL to secure your own code to collecting bug bounties by securing others', here are a few ways we can keep the world's software safe, together.
• testing-handbook - The Trail of Bits Testing Handbook is a resource that guides developers and security professionals in configuring, optimizing, and automating many of the static and dynamic analysis tools used at Trail of Bits.

• grab_ql - Grab some/all of CodeQL CLI binary, QL library, VSCode starter workspace, VSCode and VSCode QL extension
• codeql-anywhere - Put the power of CodeQL in your pocket, take it with you to any CI 🚀
• codeql-jupyter-kernel - Jupyter Kernel for CodeQL

• gh-codeql - GitHub CLI extension for working with CodeQL
• gh-codeql-scan - GH CLI CodeQL Scan Extension
• gh-mrva - Multi-repo variant analysis CLI support

• codeql-summarize - CodeQL Summary Generator to generate Models as Data (MaD) from CodeQL databases.

• GitHub-maintained packages
• GitHub Security Lab community - Collection of community-driven CodeQL query, library and extension packages
• Trail of Bits - codeql-queries - CodeQL queries and packs developed by Trail of Bits
• GitHub codeql-coding-standards - This repository contains CodeQL queries and libraries which support various Coding Standards. (AUTOSAR C++, CERT-C++,CERT C, MISRA C)

• codeql-bundle-action - Action to retrofit a CodeQL bundle with additional queries, libraries, and customizations
• codeql-bunldle - CLI to build a custom CodeQL bundle
• gh-tailor - A tool for customizing CodeQL packs.

• Microsoft solorigate queries
• GitHub codeql-coding-standards-bundle-releases - CodeQL bundles containing the CodeQL Coding Standards queries

• Only Critical Queries sample .qls
• OWASP Top 10 CWE Only .qls
• CodeQL per Suite Query list - download the attached code-scanning-query-list.csv artifact.

• CodeQL Build Failure Troubleshooting
• GitHub SARIF Upload Troubleshooting
• CodeQL Coding Standards - Hazard and risk analysis

• parallel-code-scanning - An example of a GitHub Actions workflow showing how code scanning with CodeQL can be parallelized on monorepos.
• multi-lang-monorepo - A repo that demonstrates using an Actions workflow Job matrix to run parallel CodeQL scans on applications in a monorepo.

• set-codeql-language-matrix - Automatically set the CodeQL matrix job using the languages in your repository.
• filter-sarif - GitHub Action for filtering Code Scanning alerts by path and id
• sarif-toolkit - Allows users to split up SARIF files that use submodules into multiple SARIF files that are then published to there appropriate repositories.
• codeql-debug - Add this action to an existing CodeQL analysis workflow to generate an html report
• dismiss-alerts - Dismisses GitHub Code Scanning alerts from //codeql[supress reason] style comments on the default branch
• adjust-cvss - Adjust the severity of the CVSS score assigned to a result in SARIF file
• codeql-sarif-security-standard-annotator - Add an owasp-top10-2021 tag to relevant results
• delombok - Delombok Java Code for analysis with Code Scanning (deprecated - now supported by CodeQL)
• badge-generator - Magically generate Markdown badges for your docs 🛡️ 🦡 🧙

• Visual Studio SARIF Viewer - Visual Studio Static Analysis Results Interchange Format (SARIF) log file viewer
• VSCode SARIF Viewer - Adds support for viewing SARIF logs in Visual Studio Code
• IntelliJ SARIF Viewer
• SARIF Viewer Web Component
• psastras/sarif-rs-sarif-fmt - This crate provides a command line tool to pretty print SARIF files to easy human readable output.

• codeql-docker - CodeQL Docker image
• codeql-container - Prepackaged and precompiled github codeql container for rapid analysis, deployment and development.
• codeql_container_example - Example showing CodeQL to scan containerized applications in GitHub Actions.
• codeql-container-builds - Blog walking through the complexities of implementing containerized CodeQL workloads sprinkled with bits of Kubernetes wisdom.

• advanced-security-enforcer - A GitHub action for organizations that enables advanced security code scanning on all new repos
• codeql-selective-analysis - Make CodeQL a required status check for Pull Requests, but to skip the analysis in the case that only a certain subset of files are modified

• codeql-extractor-iac - CodeQL Extractors, Library, and Queries for Infrastructure as Code

• sample-pipeline-files - This repository contains pipeline files for various CI/CD systems (AWS CodeBuild, Azure Devops, CircleCI, DroneCI, Jenkins, Tekton, Travis), illustrating how to integrate the CodeQL CLI Bundle for Automated Code Scanning
• Python Pickle - mapping a custom framework in python

• Custom Configuration File

• How to write CodeQL Queries
• CodeQL Language Guide
• QL Language reference
• CodeQL Standard Libraries
• CodeQL Query Help
• Full CodeQL Documentation

Contributions welcome! Read the contribution guidelines first.

What is an awesome list?