codeql
Interprocedural security vulnerability scanning with data flow analysis and customizable query suites.
- Supports Python, JavaScript/TypeScript, Go, Java/Kotlin, C/C++, C#, Ruby, and Swift with language-specific build methods and extraction strategies
- Three-phase workflow: build database, create data extensions for project-specific APIs, then run analysis with explicit query suite references to avoid silent filtering
- Includes quality assessment, diagnostic queries, and SARIF result processing; always investigates zero findings before reporting clean results
- Requires explicit suite files rather than default pack suites; data extensions catch custom code paths that standard frameworks miss
CodeQL Analysis
Supported languages: Python, JavaScript/TypeScript, Go, Java/Kotlin, C/C++, C#, Ruby, Swift.
Skill resources: Reference files and templates are located at {baseDir}/references/ and {baseDir}/workflows/.
Essential Principles
- Database quality is non-negotiable. A database that builds is not automatically good. Always run quality assessment (file counts, baseline LoC, extractor errors) and compare against expected source files. A cached build produces zero useful extraction.
- Data extensions catch what CodeQL misses. Even projects using standard frameworks (Django, Spring, Express) have custom wrappers around database calls, request parsing, or shell execution. Skipping the create-data-extensions workflow means missing vulnerabilities in project-specific code paths.
- Explicit suite references prevent silent query dropping. Never pass pack names directly to `codeql database analyze` — each pack's `defaultSuiteFile` applies hidden filters that can produce zero results. Always generate a custom `.qls` suite file.
- Zero findings needs investigation, not celebration. Zero results can indicate poor database quality, missing models, wrong query packs, or silent suite filtering. Investigate before reporting clean.
- macOS Apple Silicon requires workarounds for compiled languages. Exit code 137 is an arm64e/arm64 mismatch, not a build failure. Try Homebrew arm64 tools or Rosetta before falling back to `build-mode=none`.
- Follow workflows step by step. Once a workflow is selected, execute it step by step without skipping phases. Each phase gates the next — skipping quality assessment or data extensions leads to incomplete analysis.
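As an added example (not part of the skill's own files or of CodeQL), a small Python triage pass over a constructed SARIF log that puts the "zero findings needs investigation" principle into code: it counts the rules the run reports, the results, and the extractor notifications, and refuses to call a run clean when no queries appear to have run. It assumes the SARIF `tool.driver.rules` / `tool.extensions[].rules` arrays list the queries that were evaluated, and that extractor diagnostics surface as `toolExecutionNotifications`.

```python
import json

# Constructed sample SARIF (hand-written for this example, not real CodeQL output):
# two rules reported, one finding, one extractor warning.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "py/sql-injection"}, {"id": "py/command-line-injection"}]}},
        "results": [{
            "ruleId": "py/sql-injection", "level": "error",
            "message": {"text": "This SQL query depends on a user-provided value."},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "app/db.py"},
                "region": {"startLine": 42}}}]}],
        "invocations": [{"toolExecutionNotifications": [
            {"level": "warning", "message": {"text": "Extraction error in app/legacy.py"}}]}]}]})

# Constructed "zero results, zero rules" run: what silent suite filtering looks like.
EMPTY_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "CodeQL", "rules": []}}, "results": []}]})


def triage(sarif_text):
    """Summarise a SARIF log; 'verdict' is 'findings', 'clean' or 'investigate'."""
    doc = json.loads(sarif_text)
    rules, findings, notices = set(), [], 0
    for run in doc.get("runs", []):
        tool = run.get("tool", {})
        # Rules may sit on the driver or on query-pack extensions
        # (assumption: these arrays list the queries that were evaluated).
        for component in [tool.get("driver", {})] + tool.get("extensions", []):
            rules.update(r["id"] for r in component.get("rules", []) if "id" in r)
        for res in run.get("results", []):
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append((res.get("ruleId"),
                             phys.get("artifactLocation", {}).get("uri"),
                             phys.get("region", {}).get("startLine")))
        for inv in run.get("invocations", []):
            notices += sum(1 for n in inv.get("toolExecutionNotifications", [])
                           if n.get("level") in ("warning", "error"))
    if findings:
        verdict = "findings"
    elif not rules or notices:
        verdict = "investigate"  # nothing ran, or the extractor complained: not clean
    else:
        verdict = "clean"
    return {"rules": len(rules), "findings": findings,
            "notices": notices, "verdict": verdict}
```

Run `triage()` over the SARIF produced by `codeql database analyze` and treat anything other than `"clean"` or `"findings"` as a signal to go back to quality assessment and the suite file rather than report a clean result.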