{"id":"06eab953-3c2c-485f-96c4-0c3787573cd1","shortId":"d6xzJJ","kind":"skill","title":"codeql","tagline":"Comprehensive guide for setting up and configuring CodeQL code scanning via GitHub Actions workflows and the CodeQL CLI. This skill should be used when users need help with code scanning configuration, CodeQL workflow files, CodeQL CLI commands, SARIF output, security analysis se","description":"# CodeQL Code Scanning\n\nThis skill provides procedural guidance for configuring and running CodeQL code scanning — both through GitHub Actions workflows and the standalone CodeQL CLI.\n\n## When to Use This Skill\n\nUse this skill when the request involves:\n\n- Creating or customizing a `codeql.yml` GitHub Actions workflow\n- Choosing between default setup and advanced setup for code scanning\n- Configuring CodeQL language matrix, build modes, or query suites\n- Running CodeQL CLI locally (`codeql database create`, `database analyze`, `github upload-results`)\n- Understanding or interpreting SARIF output from CodeQL\n- Troubleshooting CodeQL analysis failures (build modes, compiled languages, runner requirements)\n- Setting up CodeQL for monorepos with per-component scanning\n- Configuring dependency caching, custom query packs, or model packs\n\n## Supported Languages\n\nCodeQL supports the following language identifiers:\n\n| Language | Identifier | Alternatives |\n|---|---|---|\n| C/C++ | `c-cpp` | `c`, `cpp` |\n| C# | `csharp` | — |\n| Go | `go` | — |\n| Java/Kotlin | `java-kotlin` | `java`, `kotlin` |\n| JavaScript/TypeScript | `javascript-typescript` | `javascript`, `typescript` |\n| Python | `python` | — |\n| Ruby | `ruby` | — |\n| Rust | `rust` | — |\n| Swift | `swift` | — |\n| GitHub Actions | `actions` | — |\n\n> Alternative identifiers are equivalent to the standard identifier (e.g., `javascript` does not exclude TypeScript analysis).\n\n## Core Workflow — GitHub Actions\n\n### Step 1: Choose Setup Type\n\n- **Default setup** — Enable from repository Settings → Advanced Security → CodeQL analysis. Best for getting started quickly. Uses `none` build mode for most languages.\n- **Advanced setup** — Create a `.github/workflows/codeql.yml` file for full control over triggers, build modes, query suites, and matrix strategies.\n\nTo switch from default to advanced: disable default setup first, then commit the workflow file.\n\n### Step 2: Configure Workflow Triggers\n\nDefine when scanning runs:\n\n```yaml\non:\n push:\n branches: [main, protected]\n pull_request:\n branches: [main]\n schedule:\n - cron: '30 6 * * 1' # Weekly Monday 6:30 UTC\n```\n\n- `push` — scans on every push to specified branches; results appear in Security tab\n- `pull_request` — scans PR merge commits; results appear as PR check annotations\n- `schedule` — periodic scans of the default branch (cron must exist on default branch)\n- `merge_group` — add if repository uses merge queues\n\nTo skip scans for documentation-only PRs:\n\n```yaml\non:\n pull_request:\n paths-ignore:\n - '**/*.md'\n - '**/*.txt'\n```\n\n> `paths-ignore` controls whether the workflow runs, not which files are analyzed.\n\n### Step 3: Configure Permissions\n\nSet least-privilege permissions:\n\n```yaml\npermissions:\n security-events: write # Required to upload SARIF results\n contents: read # Required to checkout code\n actions: read # Required for private repos using codeql-action\n```\n\n### Step 4: Configure Language Matrix\n\nUse a matrix strategy to analyze each language in parallel:\n\n```yaml\njobs:\n analyze:\n name: Analyze (${{ matrix.language }})\n runs-on: ubuntu-latest\n strategy:\n fail-fast: false\n matrix:\n include:\n - language: javascript-typescript\n build-mode: none\n - language: python\n build-mode: none\n```\n\nFor compiled languages, set the appropriate `build-mode`:\n- `none` — no build required (supported for C/C++, C#, Java, Rust)\n- `autobuild` — automatic build detection\n- `manual` — custom build commands (advanced setup only)\n\n> For detailed per-language autobuild behavior and runner requirements, search `references/compiled-languages.md`.\n\n### Step 5: Configure CodeQL Init and Analysis\n\n```yaml\nsteps:\n - name: Checkout repository\n uses: actions/checkout@v4\n\n - name: Initialize CodeQL\n uses: github/codeql-action/init@v4\n with:\n languages: ${{ matrix.language }}\n build-mode: ${{ matrix.build-mode }}\n queries: security-extended\n dependency-caching: true\n\n - name: Perform CodeQL Analysis\n uses: github/codeql-action/analyze@v4\n with:\n category: \"/language:${{ matrix.language }}\"\n```\n\n**Query suite options:**\n- `security-extended` — default security queries plus additional coverage\n- `security-and-quality` — security plus code quality queries\n- Custom query packs via `packs:` input (e.g., `codeql/javascript-queries:AlertSuppression.ql`)\n\n**Dependency caching:** Set `dependency-caching: true` on the `init` action to cache restored dependencies across runs.\n\n**Analysis category:** Use `category` to distinguish SARIF results in monorepos (e.g., per-language, per-component).\n\n### Step 6: Monorepo Configuration\n\nFor monorepos with multiple components, use the `category` parameter to separate SARIF results:\n\n```yaml\ncategory: \"/language:${{ matrix.language }}/component:frontend\"\n```\n\nTo restrict analysis to specific directories, use a CodeQL configuration file (`.github/codeql/codeql-config.yml`):\n\n```yaml\npaths:\n - apps/\n - services/\npaths-ignore:\n - node_modules/\n - '**/test/**'\n```\n\nReference it in the workflow:\n\n```yaml\n- uses: github/codeql-action/init@v4\n with:\n config-file: .github/codeql/codeql-config.yml\n```\n\n### Step 7: Manual Build Steps (Compiled Languages)\n\nIf `autobuild` fails or custom build commands are needed:\n\n```yaml\n- language: c-cpp\n build-mode: manual\n```\n\nThen add explicit build steps between `init` and `analyze`:\n\n```yaml\n- if: matrix.build-mode == 'manual'\n name: Build\n run: |\n make bootstrap\n make release\n```\n\n## Core Workflow — CodeQL CLI\n\n### Step 1: Install the CodeQL CLI\n\nDownload the CodeQL bundle (includes CLI + precompiled queries):\n\n```bash\n# Download from https://github.com/github/codeql-action/releases\n# Extract and add to PATH\nexport PATH=\"$HOME/codeql:$PATH\"\n\n# Verify installation\ncodeql resolve packs\ncodeql resolve languages\n```\n\n> Always use the CodeQL bundle, not a standalone CLI download. The bundle ensures query compatibility and provides precompiled queries for better performance.\n\n### Step 2: Create a CodeQL Database\n\n```bash\n# Single language\ncodeql database create codeql-db \\\n --language=javascript-typescript \\\n --source-root=src\n\n# Multiple languages (cluster mode)\ncodeql database create codeql-dbs \\\n --db-cluster \\\n --language=java,python \\\n --command=./build.sh \\\n --source-root=src\n```\n\nFor compiled languages, provide the build command via `--command`.\n\n### Step 3: Analyze the Database\n\n```bash\ncodeql database analyze codeql-db \\\n javascript-code-scanning.qls \\\n --format=sarif-latest \\\n --sarif-category=javascript \\\n --output=results.sarif\n```\n\nCommon query suites: `-code-scanning.qls`, `-security-extended.qls`, `-security-and-quality.qls`.\n\n### Step 4: Upload Results to GitHub\n\n```bash\ncodeql github upload-results \\\n --repository=owner/repo \\\n --ref=refs/heads/main \\\n --commit= \\\n --sarif=results.sarif\n```\n\nRequires `GITHUB_TOKEN` environment variable with `security-events: write` permission.\n\n### CLI Server Mode\n\nTo avoid repeated JVM initialization when running multiple commands:\n\n```bash\ncodeql execute cli-server\n```\n\n> For detailed CLI command reference, search `references/cli-commands.md`.\n\n## Alert Management\n\n### Severity Levels\n\nAlerts have two severity dimensions:\n- **Standard severity:** `Error`, `Warning`, `Note`\n- **Security severity:** `Critical`, `High`, `Medium`, `Low` (derived from CVSS scores; takes display precedence)\n\n### Copilot Autofix\n\nGitHub Copilot Autofix generates fix suggestions for CodeQL alerts in pull requests automatically — no Copilot subscription required. Review suggestions carefully before committing.\n\n### Alert Triage in PRs\n\n- Alerts appear as check annotations on changed lines\n- Check fails by default for `error`/`critical`/`high` severity alerts\n- Configure merge protection rulesets to customize the threshold\n- Dismiss false positives with a documented reason for audit trail\n\n> For detailed alert management guidance, search `references/alert-management.md`.\n\n## Custom Queries and Packs\n\n### Using Custom Query Packs\n\n```yaml\n- uses: github/codeql-action/init@v4\n with:\n packs: |\n my-org/my-security-queries@1.0.0\n codeql/javascript-queries:AlertSuppression.ql\n```\n\n### Creating Custom Query Packs\n\nUse the CodeQL CLI to create and publish packs:\n\n```bash\n# Initialize a new pack\ncodeql pack init my-org/my-queries\n\n# Install dependencies\ncodeql pack install\n\n# Publish to GitHub Container Registry\ncodeql pack publish\n```\n\n### CodeQL Configuration File\n\nFor advanced query and path configuration, create `.github/codeql/codeql-config.yml`:\n\n```yaml\npaths:\n - apps/\n - services/\npaths-ignore:\n - '**/test/**'\n - node_modules/\nqueries:\n - uses: security-extended\npacks:\n javascript-typescript:\n - my-org/my-custom-queries\n```\n\n## Code Scanning Logs\n\n### Summary Metrics\n\nWorkflow logs include key metrics:\n- **Lines of code in codebase** — baseline before extraction\n- **Lines extracted** — including external libraries and auto-generated files\n- **Extraction errors/warnings** — files that failed or produced warnings during extraction\n\n### Debug Logging\n\nTo enable detailed diagnostics:\n- **GitHub Actions:** re-run the workflow with \"Enable debug logging\" checked\n- **CodeQL CLI:** use `--verbosity=progress++` and `--logdir=codeql-logs`\n\n## Troubleshooting\n\n### Common Issues\n\n| Problem | Solution |\n|---|---|\n| Workflow not triggering | Verify `on:` triggers match event; check `paths`/`branches` filters; ensure workflow exists on target branch |\n| `Resource not accessible` error | Add `security-events: write` and `contents: read` permissions |\n| Autobuild failure | Switch to `build-mode: manual` and add explicit build commands |\n| No source code seen | Verify `--source-root`, build command, and language identifier |\n| C# compiler failure | Check for `/p:EmitCompilerGeneratedFiles=true` conflicts with `.sqlproj` or legacy projects |\n| Fewer lines scanned than expected | Switch from `none` to `autobuild`/`manual`; verify build compiles all source |\n| Kotlin in no-build mode | Disable and re-enable default setup to switch to `autobuild` |\n| Cache miss every run | Verify `dependency-caching: true` on `init` action |\n| Out of disk/memory | Use larger runners; reduce analysis scope via `paths` config; use `build-mode: none` |\n| SARIF upload fails | Ensure token has `security-events: write`; check 10 MB file size limit |\n| SARIF results exceed limits | Split across multiple uploads with different `--sarif-category`; reduce query scope |\n| Two CodeQL workflows | Disable default setup if using advanced setup, or remove old workflow file |\n| Slow analysis | Enable dependency caching; use `--threads=0`; reduce query suite scope |\n\n> For comprehensive troubleshooting with detailed solutions, search `references/troubleshooting.md`.\n\n### Hardware Requirements (Self-Hosted Runners)\n\n| Codebase Size | RAM | CPU |\n|---|---|---|\n| Small (<100K LOC) | 8 GB+ | 2 cores |\n| Medium (100K–1M LOC) | 16 GB+ | 4–8 cores |\n| Large (>1M LOC) | 64 GB+ | 8 cores |\n\nAll sizes: SSD with ≥14 GB free disk space.\n\n### Action Versioning\n\nPin CodeQL actions to a specific major version:\n\n```yaml\nuses: github/codeql-action/init@v4 # Recommended\nuses: github/codeql-action/autobuild@v4\nuses: github/codeql-action/analyze@v4\n```\n\nFor maximum security, pin to a full commit SHA instead of a version tag.\n\n## Reference Files\n\nFor detailed documentation, load the following reference files as needed:\n\n- `references/workflow-configuration.md` — Full workflow trigger, runner, and configuration options\n - Search patterns: `trigger`, `schedule`, `paths-ignore`, `db-location`, `model packs`, `alert severity`, `merge protection`, `concurrency`, `config file`\n- `references/cli-commands.md` — Complete CodeQL CLI command reference\n - Search patterns: `database create`, `database analyze`, `upload-results`, `resolve packs`, `cli-server`, `installation`, `CI integration`\n- `references/sarif-output.md` — SARIF v2.1.0 object model, upload limits, and third-party support\n - Search patterns: `sarifLog`, `result`, `location`, `region`, `codeFlow`, `fingerprint`, `suppression`, `upload limits`, `third-party`, `precision`, `security-severity`\n- `references/compiled-languages.md` — Build modes and autobuild behavior per language\n - Search patterns: `C/C++`, `C#`, `Java`, `Go`, `Rust`, `Swift`, `autobuild`, `build-mode`, `hardware`, `dependency caching`\n- `references/troubleshooting.md` — Comprehensive error diagnosis and resolution\n - Search patterns: `no source code`, `out of disk`, `out of memory`, `403`, `C# compiler`, `analysis too long`, `fewer lines`, `Kotlin`, `extraction errors`, `debug logging`, `SARIF upload`, `SARIF limits`\n- `references/alert-management.md` — Alert severity, triage, Copilot Autofix, and dismissal\n - Search patterns: `severity`, `security severity`, `CVSS`, `Copilot Autofix`, `dismiss`, `triage`, `PR alerts`, `data flow`, `merge protection`, `REST API`","tags":["codeql","awesome","copilot","github","agent-skills","agents","custom-agents","github-copilot","hacktoberfest","prompt-engineering"],"capabilities":["skill","source-github","skill-codeql","topic-agent-skills","topic-agents","topic-awesome","topic-custom-agents","topic-github-copilot","topic-hacktoberfest","topic-prompt-engineering"],"categories":["awesome-copilot"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/github/awesome-copilot/codeql","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add github/awesome-copilot","source_repo":"https://github.com/github/awesome-copilot","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 30743 github stars · SKILL.md body (13,060 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T00:52:05.521Z","embedding":null,"createdAt":"2026-04-18T21:48:37.779Z","updatedAt":"2026-04-22T00:52:05.521Z","lastSeenAt":"2026-04-22T00:52:05.521Z","tsv":"'/build.sh':831 '/component':644 '/github/codeql-action/releases':751 '/language':557,642 '/my-custom-queries':1119 '/my-queries':1072 '/my-security-queries':1044 '/p':1253 '/test':667,1104 '0':1378 '1':221,303,733 '1.0.0':1045 '10':1335 '100k':1402,1409 '14':1428 '16':1412 '1m':1410,1418 '2':281,792,1406 '3':386,846 '30':301,307 '4':422,875,1414 '403':1600 '5':512 '6':302,306,624 '64':1420 '7':683 '8':1404,1415,1422 'access':1211 'across':604,1345 'action':14,62,87,199,200,219,411,420,599,1165,1306,1433,1437 'actions/checkout':524 'add':349,708,754,1213,1231 'addit':569 'advanc':94,231,247,270,496,1090,1364 'alert':929,933,966,980,984,1001,1022,1500,1618,1636 'alertsuppression.ql':588,1047 'altern':167,201 'alway':769 'analysi':42,130,215,234,517,551,606,648,1314,1372,1603 'analyz':116,384,431,438,440,715,847,853,1518 'annot':333,988 'api':1642 'app':660,1099 'appear':318,329,985 'appropri':474 'audit':1018 'auto':1145 'auto-gener':1144 'autobuild':488,504,690,1222,1271,1294,1564,1576 'autofix':957,960,1622,1632 'automat':489,970 'avoid':908 'baselin':1135 'bash':746,797,850,880,916,1061 'behavior':505,1565 'best':235 'better':789 'bootstrap':725 'branch':292,297,316,340,346,1201,1208 'build':103,132,242,258,460,466,476,480,490,494,536,685,694,704,710,722,841,1227,1233,1243,1274,1282,1321,1561,1578 'build-mod':459,465,475,535,703,1226,1320,1577 'bundl':741,773,780 'c':170,172,174,485,701,1248,1571,1601 'c-cpp':169,700 'c/c':168,484,1570 'cach':150,546,590,594,601,1295,1302,1375,1582 'care':977 'categori':556,607,609,634,641,864,1352 'chang':990 'check':332,987,992,1175,1199,1251,1334 'checkout':409,521 'choos':89,222 'ci':1528 'cli':19,37,68,110,731,737,743,777,904,920,924,1055,1177,1510,1525 'cli-serv':919,1524 'cluster':816,826 'code':10,30,45,57,97,410,577,1120,1132,1237,1593 'code-scanning.qls':871 'codebas':1134,1397 'codeflow':1548 'codeql':1,9,18,33,36,44,56,67,100,109,112,127,129,140,159,233,419,514,528,550,654,730,736,740,763,766,772,795,800,804,818,822,851,855,881,917,965,1054,1066,1075,1083,1086,1176,1184,1357,1436,1509 'codeql-act':418 'codeql-db':803,821,854 'codeql-log':1183 'codeql.yml':85 'codeql/javascript-queries':587,1046 'command':38,495,695,830,842,844,915,925,1234,1244,1511 'commit':276,327,890,979,1461 'common':868,1187 'compat':783 'compil':134,470,687,837,1249,1275,1602 'complet':1508 'compon':146,622,631 'comprehens':2,1384,1584 'concurr':1504 'config':679,1318,1505 'config-fil':678 'configur':8,32,53,99,148,282,387,423,513,626,655,1002,1087,1094,1486 'conflict':1256 'contain':1081 'content':405,1219 'control':255,375 'copilot':956,959,972,1621,1631 'core':216,728,1407,1416,1423 'coverag':570 'cpp':171,173,702 'cpu':1400 'creat':81,114,249,793,802,820,1048,1057,1095,1516 'critic':945,998 'cron':300,341 'csharp':175 'custom':83,151,493,580,693,1007,1027,1032,1049 'cvss':951,1630 'data':1637 'databas':113,115,796,801,819,849,852,1515,1517 'db':805,825,856,1496 'db-cluster':824 'db-locat':1495 'dbs':823 'debug':1158,1173,1611 'default':91,225,268,272,339,345,565,995,1289,1360 'defin':285 'depend':149,545,589,593,603,1074,1301,1374,1581 'dependency-cach':544,592,1300 'deriv':949 'detail':500,923,1021,1162,1387,1471 'detect':491 'diagnosi':1586 'diagnost':1163 'differ':1349 'dimens':937 'directori':651 'disabl':271,1284,1359 'disk':1431,1596 'disk/memory':1309 'dismiss':1010,1624,1633 'display':954 'distinguish':611 'document':360,1015,1472 'documentation-on':359 'download':738,747,778 'e.g':209,586,616 'emitcompilergeneratedfil':1254 'enabl':227,1161,1172,1288,1373 'ensur':781,1203,1327 'environ':896 'equival':204 'error':940,997,1212,1585,1610 'errors/warnings':1149 'event':398,901,1198,1216,1332 'everi':312,1297 'exceed':1342 'exclud':213 'execut':918 'exist':343,1205 'expect':1266 'explicit':709,1232 'export':757 'extend':543,564,1111 'extern':1141 'extract':752,1137,1139,1148,1157,1609 'fail':450,691,993,1152,1326 'fail-fast':449 'failur':131,1223,1250 'fals':452,1011 'fast':451 'fewer':1262,1606 'file':35,252,279,382,656,680,1088,1147,1150,1337,1370,1469,1477,1506 'filter':1202 'fingerprint':1549 'first':274 'fix':962 'flow':1638 'follow':162,1475 'format':858 'free':1430 'frontend':645 'full':254,1460,1481 'gb':1405,1413,1421,1429 'generat':961,1146 'get':237 'github':13,61,86,117,198,218,879,882,894,958,1080,1164 'github.com':750 'github.com/github/codeql-action/releases':749 'github/codeql-action/analyze':553,1452 'github/codeql-action/autobuild':1449 'github/codeql-action/init':530,675,1037,1445 'github/codeql/codeql-config.yml':657,681,1096 'github/workflows/codeql.yml':251 'go':176,177,1573 'group':348 'guid':3 'guidanc':51,1024 'hardwar':1391,1580 'help':28 'high':946,999 'home/codeql':759 'host':1395 'identifi':164,166,202,208,1247 'ignor':369,374,664,1103,1494 'includ':454,742,1127,1140 'init':515,598,713,1068,1305 'initi':527,911,1062 'input':585 'instal':734,762,1073,1077,1527 'instead':1463 'integr':1529 'interpret':123 'involv':80 'issu':1188 'java':180,182,486,828,1572 'java-kotlin':179 'java/kotlin':178 'javascript':186,188,210,457,808,865,1114 'javascript-code-scanning.qls':857 'javascript-typescript':185,456,807,1113 'javascript/typescript':184 'job':437 'jvm':910 'key':1128 'kotlin':181,183,1278,1608 'languag':101,135,158,163,165,246,424,433,455,463,471,503,533,619,688,699,768,799,806,815,827,838,1246,1567 'larg':1417 'larger':1311 'latest':447,861 'least':391 'least-privileg':390 'legaci':1260 'level':932 'librari':1142 'limit':1339,1343,1536,1552,1616 'line':991,1130,1138,1263,1607 'load':1473 'loc':1403,1411,1419 'local':111 'locat':1497,1546 'log':1122,1126,1159,1174,1185,1612 'logdir':1182 'long':1605 'low':948 'main':293,298 'major':1441 'make':724,726 'manag':930,1023 'manual':492,684,706,720,1229,1272 'match':1197 'matrix':102,263,425,428,453 'matrix.build':538,718 'matrix.language':441,534,558,643 'maximum':1455 'mb':1336 'md':370 'medium':947,1408 'memori':1599 'merg':326,347,353,1003,1502,1639 'metric':1124,1129 'miss':1296 'mode':104,133,243,259,461,467,477,537,539,705,719,817,906,1228,1283,1322,1562,1579 'model':155,1498,1534 'modul':666,1106 'monday':305 'monorepo':142,615,625,628 'multipl':630,814,914,1346 'must':342 'my-org':1041,1069,1116 'name':439,520,526,548,721 'need':27,697,1479 'new':1064 'no-build':1280 'node':665,1105 'none':241,462,468,478,1269,1323 'note':942 'object':1533 'old':1368 'option':561,1487 'org':1043,1071,1118 'output':40,125,866 'owner/repo':887 'pack':153,156,582,584,765,1030,1034,1040,1051,1060,1065,1067,1076,1084,1112,1499,1523 'parallel':435 'paramet':635 'parti':1540,1555 'path':368,373,659,663,756,758,760,1093,1098,1102,1200,1317,1493 'paths-ignor':367,372,662,1101,1492 'pattern':1489,1514,1543,1569,1590,1626 'per':145,502,618,621,1566 'per-compon':144,620 'per-languag':501,617 'perform':549,790 'period':335 'permiss':388,393,395,903,1221 'pin':1435,1457 'plus':568,576 'posit':1012 'pr':325,331,1635 'preced':955 'precis':1556 'precompil':744,786 'privat':415 'privileg':392 'problem':1189 'procedur':50 'produc':1154 'progress':1180 'project':1261 'protect':294,1004,1503,1640 'provid':49,785,839 'prs':362,983 'publish':1059,1078,1085 'pull':295,322,365,968 'push':291,309,313 'python':190,191,464,829 'qualiti':574,578 'queri':106,152,260,540,559,567,579,581,745,782,787,869,1028,1033,1050,1091,1107,1354,1380 'queue':354 'quick':239 'ram':1399 're':1167,1287 're-en':1286 're-run':1166 'read':406,412,1220 'reason':1016 'recommend':1447 'reduc':1313,1353,1379 'ref':888 'refer':668,926,1468,1476,1512 'references/alert-management.md':1026,1617 'references/cli-commands.md':928,1507 'references/compiled-languages.md':510,1560 'references/sarif-output.md':1530 'references/troubleshooting.md':1390,1583 'references/workflow-configuration.md':1480 'refs/heads/main':889 'region':1547 'registri':1082 'releas':727 'remov':1367 'repeat':909 'repo':416 'repositori':229,351,522,886 'request':79,296,323,366,969 'requir':137,400,407,413,481,508,893,974,1392 'resolut':1588 'resolv':764,767,1522 'resourc':1209 'rest':1641 'restor':602 'restrict':647 'result':120,317,328,404,613,639,877,885,1341,1521,1545 'results.sarif':867,892 'review':975 'root':812,834,1242 'rubi':192,193 'ruleset':1005 'run':55,108,288,379,443,605,723,913,1168,1298 'runner':136,507,1312,1396,1484 'runs-on':442 'rust':194,195,487,1574 'sarif':39,124,403,612,638,860,863,891,1324,1340,1351,1531,1613,1615 'sarif-categori':862,1350 'sarif-latest':859 'sariflog':1544 'scan':11,31,46,58,98,147,287,310,324,336,357,1121,1264 'schedul':299,334,1491 'scope':1315,1355,1382 'score':952 'se':43 'search':509,927,1025,1389,1488,1513,1542,1568,1589,1625 'secur':41,232,320,397,542,563,566,572,575,900,943,1110,1215,1331,1456,1558,1628 'security-and-qu':571 'security-and-quality.qls':873 'security-ev':396,899,1214,1330 'security-extend':541,562,1109 'security-extended.qls':872 'security-sever':1557 'seen':1238 'self':1394 'self-host':1393 'separ':637 'server':905,921,1526 'servic':661,1100 'set':5,138,230,389,472,591 'setup':92,95,223,226,248,273,497,1290,1361,1365 'sever':931,936,939,944,1000,1501,1559,1619,1627,1629 'sha':1462 'singl':798 'size':1338,1398,1425 'skill':21,48,73,76 'skill-codeql' 'skip':356 'slow':1371 'small':1401 'solut':1190,1388 'sourc':811,833,1236,1241,1277,1592 'source-github' 'source-root':810,832,1240 'space':1432 'specif':650,1440 'specifi':315 'split':1344 'sqlproj':1258 'src':813,835 'ssd':1426 'standalon':66,776 'standard':207,938 'start':238 'step':220,280,385,421,511,519,623,682,686,711,732,791,845,874 'strategi':264,429,448 'subscript':973 'suggest':963,976 'suit':107,261,560,870,1381 'summari':1123 'support':157,160,482,1541 'suppress':1550 'swift':196,197,1575 'switch':266,1224,1267,1292 'tab':321 'tag':1467 'take':953 'target':1207 'third':1539,1554 'third-parti':1538,1553 'thread':1377 'threshold':1009 'token':895,1328 'topic-agent-skills' 'topic-agents' 'topic-awesome' 'topic-custom-agents' 'topic-github-copilot' 'topic-hacktoberfest' 'topic-prompt-engineering' 'trail':1019 'triag':981,1620,1634 'trigger':257,284,1193,1196,1483,1490 'troubleshoot':128,1186,1385 'true':547,595,1255,1303 'two':935,1356 'txt':371 'type':224 'typescript':187,189,214,458,809,1115 'ubuntu':446 'ubuntu-latest':445 'understand':121 'upload':119,402,876,884,1325,1347,1520,1535,1551,1614 'upload-result':118,883,1519 'use':24,71,74,240,352,417,426,523,529,552,608,632,652,674,770,1031,1036,1052,1108,1178,1310,1319,1363,1376,1444,1448,1451 'user':26 'utc':308 'v2.1.0':1532 'v4':525,531,554,676,1038,1446,1450,1453 'variabl':897 'verbos':1179 'verifi':761,1194,1239,1273,1299 'version':1434,1442,1466 'via':12,583,843,1316 'warn':941,1155 'week':304 'whether':376 'workflow':15,34,63,88,217,278,283,378,672,729,1125,1170,1191,1204,1358,1369,1482 'write':399,902,1217,1333 'yaml':289,363,394,436,518,640,658,673,698,716,1035,1097,1443","prices":[{"id":"53e11ce6-812a-4895-a1b8-78fcf2cd007a","listingId":"06eab953-3c2c-485f-96c4-0c3787573cd1","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"github","category":"awesome-copilot","install_from":"skills.sh"},"createdAt":"2026-04-18T21:48:37.779Z"}],"sources":[{"listingId":"06eab953-3c2c-485f-96c4-0c3787573cd1","source":"github","sourceId":"github/awesome-copilot/codeql","sourceUrl":"https://github.com/github/awesome-copilot/tree/main/skills/codeql","isPrimary":false,"firstSeenAt":"2026-04-18T21:48:37.779Z","lastSeenAt":"2026-04-22T00:52:05.521Z"}],"details":{"listingId":"06eab953-3c2c-485f-96c4-0c3787573cd1","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"github","slug":"codeql","github":{"repo":"github/awesome-copilot","stars":30743,"topics":["agent-skills","agents","ai","awesome","custom-agents","github-copilot","hacktoberfest","prompt-engineering"],"license":"mit","html_url":"https://github.com/github/awesome-copilot","pushed_at":"2026-04-21T22:20:21Z","description":"Community-contributed instructions, agents, skills, and configurations to help you make the most of GitHub Copilot.","skill_md_sha":"672075bba4c545159af38b511b2a1ecb28101ea9","skill_md_path":"skills/codeql/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/github/awesome-copilot/tree/main/skills/codeql"},"layout":"multi","source":"github","category":"awesome-copilot","frontmatter":{"name":"codeql","description":"Comprehensive guide for setting up and configuring CodeQL code scanning via GitHub Actions workflows and the CodeQL CLI. This skill should be used when users need help with code scanning configuration, CodeQL workflow files, CodeQL CLI commands, SARIF output, security analysis setup, or troubleshooting CodeQL analysis."},"skills_sh_url":"https://skills.sh/github/awesome-copilot/codeql"},"updatedAt":"2026-04-22T00:52:05.521Z"}}