GitHub CodeQL Executor

  • Category: Source Code Analysis
  • Script: codeql.py
  • Integration: GitHub REST API
  • Faraday Plugin: Raw JSON (no plugin — generates Faraday JSON directly)
  • Website: https://codeql.github.com/

Description

Fetches all open code-scanning alerts (typically from CodeQL analysis) for a GitHub repository via the GitHub REST API. Each alert is enriched with description, file location, CWE identifiers, and references. Results are grouped by file path in Faraday.

Prerequisites

  • GitHub Personal Access Token with security_events scope
  • GitHub Advanced Security (GHAS) enabled on the repository
  • CodeQL analysis configured and running (typically via GitHub Actions)

Configuration

Environment Variables (Setup)

Variable        Required   Description
GITHUB_TOKEN    Yes        GitHub Personal Access Token
GITHUB_OWNER    Yes        GitHub organization or user owning the repository

Execution Arguments

Parameter           Type     Mandatory   Description
GITHUB_REPOSITORY   string   Yes         Repository name to query for code scanning alerts

Common Agent Parameters Supported

AGENT_CONFIG_VULN_TAG, AGENT_CONFIG_HOSTNAME_TAG

YAML Configuration Example

executors:
  codeql_scan:
    repo_executor: codeql.py
    max_size: 65536
    varenvs:
      GITHUB_TOKEN: "${GITHUB_TOKEN}"
      GITHUB_OWNER: my-org
    params:
      GITHUB_REPOSITORY:
        mandatory: true
        type: string
        base: string

How It Works

  1. Fetches all open code-scanning alerts from https://api.github.com/repos/{owner}/{repo}/code-scanning/alerts (paginated)
  2. For each alert, retrieves detailed information including:
     • Rule description and help text
     • File path and line number of the finding
     • CWE identifiers
     • CVE identifiers (if applicable)
     • Severity and external references
  3. Groups findings by file path (each file becomes a host as {owner}/{repo}/{path})
  4. Outputs the combined Faraday JSON
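The following is an added illustration of the procedure above, not the executor's own codeql.py. It walks the paginated alerts endpoint, keeps only open alerts, extracts CWE identifiers from the rule tags, and groups findings into one host per file path named {owner}/{repo}/{path}. The alert field names (rule, most_recent_instance.location, security_severity_level, html_url) follow the public GitHub REST API; the Faraday report keys ("ip", "hostnames", "vulnerabilities", the severity value "med") are assumptions about the raw JSON format, and the sample alerts, the repository name demo-repo and the fake_github fetcher are constructed so the script runs offline.

```python
"""Added example (not the Faraday executor's code): paginate GitHub
code-scanning alerts and group them by file path into Faraday-style JSON.
Faraday key names below are assumptions; GitHub field names follow the REST API."""
import json
import urllib.request
from typing import Callable, Dict, List
from urllib.parse import parse_qs, urlencode, urlparse

API_ROOT = "https://api.github.com"
JsonGetter = Callable[[str], List[dict]]
# GitHub security_severity_level -> Faraday severity (Faraday names assumed)
SEVERITY_MAP = {"critical": "critical", "high": "high", "medium": "med", "low": "low"}


def alerts_url(owner: str, repo: str, page: int, per_page: int = 100) -> str:
    """Endpoint from the page; state=open drops dismissed/fixed alerts server-side."""
    query = urlencode({"state": "open", "per_page": per_page, "page": page})
    return f"{API_ROOT}/repos/{owner}/{repo}/code-scanning/alerts?{query}"


def github_getter(token: str) -> JsonGetter:
    """Real fetcher: authenticated GET that returns the decoded JSON list."""
    def get_json(url: str) -> List[dict]:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get_json


def fetch_all_alerts(owner: str, repo: str, get_json: JsonGetter, per_page: int = 100) -> List[dict]:
    """Request page 1, 2, ... until a short page signals the end (100 is GitHub's max per_page)."""
    alerts: List[dict] = []
    page = 1
    while True:
        batch = get_json(alerts_url(owner, repo, page, per_page))
        alerts.extend(a for a in batch if a.get("state") == "open")  # defensive re-check
        if len(batch) < per_page:
            return alerts
        page += 1


def cwe_ids(alert: dict) -> List[str]:
    """CodeQL tags CWEs as 'external/cwe/cwe-079' (format assumed); normalise to 'CWE-079'."""
    tags = alert.get("rule", {}).get("tags") or []
    return sorted(t.rsplit("/", 1)[-1].upper() for t in tags if t.startswith("external/cwe/"))


def to_faraday_json(owner: str, repo: str, alerts: List[dict]) -> dict:
    """One host per file path, named {owner}/{repo}/{path}, holding that file's findings."""
    hosts: Dict[str, dict] = {}
    for alert in alerts:
        rule = alert["rule"]
        loc = alert["most_recent_instance"]["location"]
        host_name = f"{owner}/{repo}/{loc['path']}"
        host = hosts.setdefault(host_name, {"ip": host_name, "hostnames": [host_name], "vulnerabilities": []})
        level = rule.get("security_severity_level") or rule.get("severity") or ""
        host["vulnerabilities"].append({
            "name": rule.get("description") or rule["id"],
            "desc": f"{rule['id']} at {loc['path']}:{loc['start_line']}",
            "severity": SEVERITY_MAP.get(level, "unclassified"),
            "type": "Vulnerability",
            "refs": [alert["html_url"]],
            "cwe": cwe_ids(alert),
        })
    return {"hosts": list(hosts.values())}


def build_report(owner: str, repo: str, get_json: JsonGetter, per_page: int = 100) -> dict:
    return to_faraday_json(owner, repo, fetch_all_alerts(owner, repo, get_json, per_page))


# --- constructed sample data standing in for the live API -------------------
def _alert(number, rule_id, desc, sev, tags, path, line):
    return {"number": number, "state": "open",
            "html_url": f"https://github.com/my-org/demo-repo/security/code-scanning/{number}",
            "rule": {"id": rule_id, "description": desc, "severity": "error",
                     "security_severity_level": sev, "tags": tags},
            "most_recent_instance": {"location": {"path": path, "start_line": line}}}

SAMPLE_ALERTS = [  # constructed; not real findings
    _alert(1, "py/sql-injection", "SQL query built from user-controlled sources", "high",
           ["security", "external/cwe/cwe-089"], "app/db.py", 42),
    _alert(2, "py/path-injection", "Uncontrolled data used in path expression", "high",
           ["security", "external/cwe/cwe-022", "external/cwe/cwe-023"], "app/db.py", 77),
    _alert(3, "py/clear-text-logging-sensitive-data", "Clear-text logging of sensitive information",
           "medium", ["security", "external/cwe/cwe-312"], "app/views.py", 10),
]


def fake_github(per_page: int) -> JsonGetter:
    """Serve SAMPLE_ALERTS page by page, honouring the page= query parameter."""
    def get_json(url: str) -> List[dict]:
        page = int(parse_qs(urlparse(url).query)["page"][0])
        start = (page - 1) * per_page
        return SAMPLE_ALERTS[start:start + per_page]
    return get_json


if __name__ == "__main__":
    # per_page=2 forces two round trips over the three sample alerts
    print(json.dumps(build_report("my-org", "demo-repo", fake_github(2), per_page=2), indent=2))
```

For a live run, swap fake_github(2) for github_getter(os.environ["GITHUB_TOKEN"]) with the owner from GITHUB_OWNER and the repository from the GITHUB_REPOSITORY parameter; the token still needs the security_events scope listed under Prerequisites.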

Notes

  • Only open alerts are imported; dismissed or fixed alerts are excluded
  • This executor imports results from any code-scanning tool configured on the repository, not just CodeQL
  • The GitHub token must have access to the repository's security features
  • GitHub Advanced Security is required for private repositories; code scanning is free for public repositories