codeql

CodeQL security audit pipeline: static scanning, SARIF triage, and QL query optimization. Trigger on: CodeQL, .ql, .sarif, taint tracking, source→sink, LGTM, GitHub Code Scanning, "scan this repo", "analyze this vulnerability", "optimize this query".

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "codeql" with this command: npx skills add k2-l/codeql-skill

CodeQL Security Audit Skill

Three independent modes — identify which one the user needs and run the corresponding script.

User IntentModeScript
Scan a repo / create a DB / generate SARIF[SCAN]scripts/scan.sh
Read SARIF / triage vulns / generate report[AUDIT]scripts/audit.py
Optimize or debug a .ql query file[TUNE]scripts/tune.py

[SCAN]

bash scripts/scan.sh <repo_path> [language] [output.sarif]
# language: java | javascript | python | cpp | auto (default)

The script handles: language detection → build command selection → CodeQL DB creation → security suite scan → SARIF output.

For writing custom queries, refer to the relevant language reference: references/lang-java.md / lang-javascript.md / lang-python.md / lang-cpp.md

[AUDIT]

python3 scripts/audit.py <results.sarif> --output exp.md

The script handles: SARIF parsing → attack surface inventory → vuln family grouping → source→sink evidence chain extraction → exp.md output.

Claude's responsibility (what the script cannot do):

  • Manually assess [SUSPICIOUS] entries with no data flow — determine if they are real vulnerabilities
  • Write POC requests based on business context
  • Provide concrete remediation code

[TUNE]

python3 scripts/tune.py <query.ql>

The script outputs a tuning checklist covering seven checks: coverage, false positives, performance, and metadata completeness.

Claude's responsibility (what the script cannot do):

  • Rewrite source / sink / sanitizer logic based on checklist findings
  • Debug queries with no results or unexpected output — refer to references/debugging.md

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

Session Password

Provides secure session authentication using bcrypt-hashed passwords, security questions, email recovery, and lockout protection with audit logging.

Registry SourceRecently Updated
111
squallsol
Security

agent-bom registry

MCP server security registry and trust assessment — look up servers in the 427+ server security metadata registry, run pre-install marketplace checks, batch...

Registry SourceRecently Updated
0127
msaad00
Security

agent-bom scan

Security scanner for AI infrastructure — discovers MCP clients and servers, checks packages for CVEs (OSV, NVD, EPSS, KEV), maps blast radius, and generates...

Registry SourceRecently Updated
0128
Profile unavailable