codeql
4 indexed skills · max 10 per page
integrating-sast-into-github-actions-pipeline
mukul975/Anthropic-Cybersecurity-Skills · integrating-sast-into-github-actions-pipeline
This skill covers integrating Static Application Security Testing (SAST) tools—CodeQL and Semgrep—into GitHub Actions CI/CD pipelines. It addresses configuring automated code scanning on pull requests and pushes, tuning rules to reduce false positives, uploading SARIF results to GitHub Advanced Security, and establishing quality gates that block merges when high-severity vulnerabilities are detected.
implementing-github-advanced-security-for-code-scanning
mukul975/Anthropic-Cybersecurity-Skills · implementing-github-advanced-security-for-code-scanning
Configure GitHub Advanced Security with CodeQL to perform automated static analysis and vulnerability detection across repositories at enterprise scale.
codeql
trailofbits/skills · Productivity
Interprocedural security vulnerability scanning with data flow analysis and customizable query suites. Supports Python, JavaScript/TypeScript, Go, Java/Kotlin, C/C++, C#, Ruby, and Swift with language-specific build methods and extraction strategies. Three-phase workflow: build database, create data extensions for project-specific APIs, then run analysis with explicit query suite references to avoid silent filtering. Includes quality assessment, diagnostic queries, and SARIF result pro
codeql
github/awesome-copilot · Productivity
This skill provides procedural guidance for configuring and running CodeQL code scanning — both through GitHub Actions workflows and the standalone CodeQL CLI.