# CodeQL Security Audit Skill

Three independent modes. Identify which one the user needs and run the corresponding script.
| User Intent | Mode | Script |
|---|---|---|
| Scan a repo / create a DB / generate SARIF | [SCAN] | `scripts/scan.sh` |
| Read SARIF / triage vulns / generate report | [AUDIT] | `scripts/audit.py` |
| Optimize or debug a .ql query file | [TUNE] | `scripts/tune.py` |
## [SCAN]

```bash
bash scripts/scan.sh <repo-path> [language] [output.sarif]
# language: java | javascript | python | cpp | auto (default)
```

The script handles: language detection → build command selection → CodeQL DB creation → security suite scan → SARIF output.

For writing custom queries, refer to the relevant language reference:
`references/lang-java.md` / `lang-javascript.md` / `lang-python.md` / `lang-cpp.md`
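The SCAN pipeline above reduces to two CodeQL CLI calls: `codeql database create` (with a build command for compiled languages) followed by `codeql database analyze` against a security suite. The following is an added example, not the skill's `scripts/scan.sh`; it assumes the `codeql` binary is on PATH with the standard query packs installed, and the extension map and build commands (`mvn`, `gradlew`, `make`) are assumptions about common project layouts, not something the skill prescribes.

```python
"""Build and run the two CodeQL CLI steps behind a SCAN (example code, not scripts/scan.sh)."""
import subprocess
from collections import Counter
from pathlib import Path

# Source-file extensions mapped to the CodeQL language identifiers the skill supports (assumption).
EXTENSIONS = {
    ".java": "java", ".kt": "java",
    ".js": "javascript", ".jsx": "javascript", ".ts": "javascript", ".tsx": "javascript",
    ".py": "python",
    ".c": "cpp", ".cc": "cpp", ".cpp": "cpp", ".h": "cpp", ".hpp": "cpp",
}

# Security suites shipped with the standard CodeQL query packs.
SUITES = {
    "java": "codeql/java-queries:codeql-suites/java-security-extended.qls",
    "javascript": "codeql/javascript-queries:codeql-suites/javascript-security-extended.qls",
    "python": "codeql/python-queries:codeql-suites/python-security-extended.qls",
    "cpp": "codeql/cpp-queries:codeql-suites/cpp-security-extended.qls",
}

# Compiled languages are traced through a build. These marker->command pairs are assumptions;
# `--command` is not run through a shell, so each entry is a single command.
BUILD_MARKERS = {
    "java": {"pom.xml": "mvn -B -DskipTests package", "build.gradle": "./gradlew assemble"},
    "cpp": {"Makefile": "make -j"},
}


def language_from_paths(paths):
    """'auto' mode: the language with the most recognised source files wins."""
    counts = Counter()
    for p in paths:
        lang = EXTENSIONS.get(Path(p).suffix.lower())
        if lang:
            counts[lang] += 1
    if not counts:
        raise ValueError("no supported source files found")
    return counts.most_common(1)[0][0]


def detect_language(root):
    return language_from_paths(str(p) for p in Path(root).rglob("*") if p.is_file())


def build_command(lang, top_level_files):
    """Pick a build command for compiled languages; None lets CodeQL try its autobuilder."""
    for marker, cmd in BUILD_MARKERS.get(lang, {}).items():
        if marker in top_level_files:
            return cmd
    return None


def scan_commands(root, lang, db_dir, sarif_out, top_level_files=()):
    """The two CLI invocations: create the database, then analyze it into SARIF."""
    create = ["codeql", "database", "create", db_dir,
              f"--language={lang}", f"--source-root={root}", "--overwrite"]
    cmd = build_command(lang, set(top_level_files))
    if cmd:
        create.append(f"--command={cmd}")
    analyze = ["codeql", "database", "analyze", db_dir, SUITES[lang],
               "--format=sarif-latest", f"--output={sarif_out}"]
    return [create, analyze]


def run_scan(root, lang="auto", sarif_out="results.sarif", db_dir="codeql-db"):
    """End-to-end SCAN; requires the codeql CLI on PATH and the query packs installed."""
    if lang == "auto":
        lang = detect_language(root)
    top_level = {p.name for p in Path(root).iterdir()}
    for argv in scan_commands(root, lang, db_dir, sarif_out, top_level):
        subprocess.run(argv, check=True)
    return sarif_out


if __name__ == "__main__":
    import sys
    # Same argument order as the skill's script: <repo-path> [language] [output.sarif]
    run_scan(sys.argv[1], *sys.argv[2:])
```

`--format=sarif-latest` is what makes the output consumable by the [AUDIT] step; `--overwrite` keeps repeated scans of the same repo from failing on an existing database directory.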
## [AUDIT]

```bash
python3 scripts/audit.py <results.sarif> --output exp.md
```

The script handles: SARIF parsing → attack surface inventory → vuln family grouping → source→sink evidence chain extraction → exp.md output.

Claude's responsibility (what the script cannot do):
- Manually assess [SUSPICIOUS] entries that carry no data flow and decide whether they are real vulnerabilities
- Write PoC requests based on business context
- Provide concrete remediation code
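The distinction the list above rests on is whether a SARIF result carries a `codeFlows` entry: CodeQL taint queries emit a source→sink thread flow, while pattern-only results do not and are the ones that need a human. The following is an added example of that triage, not the skill's `scripts/audit.py`; the SARIF document it parses is constructed inline (rule ids follow CodeQL's naming but the file paths, lines and messages are made up), and the `CONFIRMED_FLOW` / `SUSPICIOUS` labels and the output layout are this example's choices.

```python
"""Triage a CodeQL SARIF file into vuln families and source->sink evidence chains
(example code, not scripts/audit.py)."""
import json
from collections import defaultdict


def _loc(uri, line, text=None):
    """Build a SARIF location; `text` becomes the step message inside a code flow."""
    loc = {"physicalLocation": {"artifactLocation": {"uri": uri}, "region": {"startLine": line}}}
    if text:
        loc["message"] = {"text": text}
    return loc


# Constructed SARIF 2.1.0 document standing in for a real scan result (not real findings).
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL", "rules": [
        {"id": "java/sql-injection",
         "shortDescription": {"text": "Query built from user-controlled sources"},
         "properties": {"security-severity": "8.8", "tags": ["security", "external/cwe/cwe-089"]}},
        {"id": "java/path-injection",
         "shortDescription": {"text": "Uncontrolled data used in path expression"},
         "properties": {"security-severity": "7.5", "tags": ["security", "external/cwe/cwe-022"]}},
    ]}},
    "results": [
        {"ruleId": "java/sql-injection", "message": {"text": "This query depends on a user-provided value."},
         "locations": [_loc("src/UserDao.java", 42)],
         "codeFlows": [{"threadFlows": [{"locations": [
             {"location": _loc("src/UserController.java", 17, 'request.getParameter("id")')},
             {"location": _loc("src/UserDao.java", 40, "query")},
             {"location": _loc("src/UserDao.java", 42, "stmt.executeQuery(query)")},
         ]}]}]},
        {"ruleId": "java/path-injection", "message": {"text": "This path depends on a user-provided value."},
         "locations": [_loc("src/FileService.java", 88)]},
    ]}]})


def _where(loc):
    phys = loc["physicalLocation"]
    return {"uri": phys["artifactLocation"]["uri"],
            "line": phys["region"]["startLine"],
            "step": loc.get("message", {}).get("text", "")}


def evidence_chain(result):
    """Flatten the first code flow into [{uri, line, step}], source first, sink last."""
    flows = result.get("codeFlows") or []
    if not flows:
        return []
    return [_where(s["location"]) for s in flows[0]["threadFlows"][0]["locations"]]


def triage(sarif_text):
    sarif = json.loads(sarif_text)
    families, severity, attack_surface = defaultdict(list), {}, set()
    for run in sarif["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res["ruleId"], {})
            chain = evidence_chain(res)
            families[res["ruleId"]].append({
                "rule": res["ruleId"],
                "title": rule.get("shortDescription", {}).get("text", res["ruleId"]),
                "sink": _where(res["locations"][0]),
                "chain": chain,
                # No data flow means the query fired on a pattern alone: needs a human look.
                "status": "CONFIRMED_FLOW" if chain else "SUSPICIOUS",
            })
            severity[res["ruleId"]] = float(rule.get("properties", {}).get("security-severity", 0))
            if chain:
                attack_surface.add(chain[0]["uri"])  # the source of a flow is an entry point
    ordered = dict(sorted(families.items(), key=lambda kv: -severity[kv[0]]))
    return {"families": ordered, "severity": severity, "attack_surface": sorted(attack_surface)}


def render_markdown(report):
    out = ["# Attack surface", *(f"- {u}" for u in report["attack_surface"]), ""]
    for rule, findings in report["families"].items():
        out.append(f"## {rule} (security-severity {report['severity'][rule]})")
        for f in findings:
            out.append(f"- [{f['status']}] {f['title']} at {f['sink']['uri']}:{f['sink']['line']}")
            for step in f["chain"]:
                out.append(f"    - {step['uri']}:{step['line']}  {step['step']}")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    print(render_markdown(triage(text)))
```

Only the first code flow per result is flattened; real results often carry several, and a reviewer building a PoC should prefer the shortest one that still passes through a sanitizer-free path.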
## [TUNE]

```bash
python3 scripts/tune.py <query.ql>
```

The script outputs a tuning checklist of seven checks grouped under coverage, false positives, performance, and metadata completeness.

Claude's responsibility (what the script cannot do):
- Rewrite source / sink / sanitizer logic based on the checklist findings
- Debug queries that return no results or unexpected output; refer to `references/debugging.md`
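Several of the checklist categories above are mechanical: whether the query header carries the metadata CodeQL uses for suite membership and SARIF severity, whether a taint configuration actually defines sources, sinks and a sanitizer (barrier), and whether a `path-problem` query imports a `PathGraph` so the audit step gets code flows at all. The following is an added example implementing that subset, not the skill's `scripts/tune.py` nor its seven checks; the sample query is constructed for the example (it deliberately omits `@description`, `@precision` and any `isBarrier`), and the check names are this example's own.

```python
"""Static checks over a .ql file approximating part of a tuning checklist
(example code, not scripts/tune.py)."""
import re

# Header metadata CodeQL queries are expected to carry; @precision governs suite membership
# and @problem.severity / @security-severity drive SARIF severity, so gaps are tuning findings.
REQUIRED_METADATA = ("@name", "@description", "@kind", "@problem.severity",
                     "@precision", "@id", "@tags")

# Constructed sample: a minimal Java taint query with deliberate gaps (not from the skill's references).
SAMPLE_QL = """\
/**
 * @name Unsafe query built from request parameter
 * @kind path-problem
 * @problem.severity error
 * @id java/example/request-to-sql
 * @tags security
 */
import java
import semmle.code.java.dataflow.TaintTracking

module Config implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node src) {
    src.asExpr().(MethodCall).getMethod().hasName("getParameter")
  }

  predicate isSink(DataFlow::Node sink) {
    exists(MethodCall mc | mc.getMethod().hasName("executeQuery") | sink.asExpr() = mc.getAnArgument())
  }
}

module Flow = TaintTracking::Global<Config>;
import Flow::PathGraph

from Flow::PathNode source, Flow::PathNode sink
where Flow::flowPath(source, sink)
select sink.getNode(), source, sink, "Query depends on $@.", source.getNode(), "user input"
"""


def header_comment(ql):
    """The leading /** ... */ block that holds the @metadata."""
    m = re.search(r"/\*\*(.*?)\*/", ql, re.S)
    return m.group(1) if m else ""


def check_query(ql):
    """Return {check: (passed, detail)} for the checks this example implements."""
    header = header_comment(ql)
    present = {f"@{k}" for k in re.findall(r"^\s*\*\s*@([\w.-]+)", header, re.M)}
    missing = [k for k in REQUIRED_METADATA if k not in present]
    kind = re.search(r"@kind\s+(\S+)", header)
    is_path = bool(kind and kind.group(1) == "path-problem")
    has_sanitizer = bool(re.search(r"\bis(Barrier|Sanitizer)\w*\s*\(", ql))
    return {
        # metadata completeness
        "metadata": (not missing, "missing: " + ", ".join(missing) if missing else "complete"),
        "security_tag": (bool(re.search(r"@tags\b.*\bsecurity\b", header)),
                         "security suites select on the `security` tag"),
        # coverage: a taint config without explicit sources or sinks finds nothing
        "sources": (bool(re.search(r"\bisSource\s*\(", ql)), "isSource predicate defined"),
        "sinks": (bool(re.search(r"\bisSink\s*\(", ql)), "isSink predicate defined"),
        # false positives: no barrier means validated or encoded data still reaches the sink
        "sanitizers": (has_sanitizer, "isBarrier/isSanitizer defined"),
        # path-problem queries need a PathGraph import or SARIF carries no code flows
        "path_graph": (not is_path or "PathGraph" in ql, "PathGraph imported for path-problem"),
    }


def render_checklist(results):
    return "\n".join(f"[{'PASS' if ok else 'FAIL'}] {name}: {detail}"
                     for name, (ok, detail) in results.items())


if __name__ == "__main__":
    import sys
    ql = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_QL
    print(render_checklist(check_query(ql)))
```

A `FAIL` on `sanitizers` is the case the list above assigns to Claude: the checker can only say a barrier is absent, while deciding which validation or encoding calls should become `isBarrier` requires reading the code base.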