# CodeQL Database Builder (Multi-Language)

Build and analyze CodeQL databases across multiple languages in a single workflow.

## When to Use

- Full security audit of the entire application
- Pre-release security scanning
- CI/CD integration for comprehensive analysis
- Cross-component vulnerability assessment

## When NOT to Use

- You only need a quick lint or format run without deep security analysis.
- The codebase is tiny and can be manually audited.
- You are updating documentation unrelated to security.

## Prerequisites

- CodeQL CLI installed (`brew install codeql` or download from GitHub)
- Go 1.24+ installed
- Python 3.10+ installed
- Node.js 18+ installed
- Dependencies installed for each codebase
## Quick Start - Build All Databases

### Setup

```bash
DB_NAME=$(basename "$PWD")
GO_SRC_ROOT="${GO_SRC_ROOT:-.}"
PYTHON_SRC_ROOT="${PYTHON_SRC_ROOT:-.}"
JS_SRC_ROOT="${JS_SRC_ROOT:-.}"
mkdir -p codeql/packs
```

### Build All Databases

Go database:

```bash
codeql database create "codeql/${DB_NAME}-go" \
  --language=go \
  --source-root="$GO_SRC_ROOT" \
  --command="go build ./..." \
  --threads=0 \
  --overwrite
```

Python database:

```bash
codeql database create "codeql/${DB_NAME}-python" \
  --language=python \
  --source-root="$PYTHON_SRC_ROOT" \
  --threads=0 \
  --overwrite
```

JavaScript/TypeScript database:

```bash
codeql database create "codeql/${DB_NAME}-javascript" \
  --language=javascript \
  --source-root="$JS_SRC_ROOT" \
  --threads=0 \
  --overwrite
```

### Download All Query Packs

```bash
codeql pack download --dir codeql/packs codeql/go-queries
codeql pack download --dir codeql/packs codeql/python-queries
codeql pack download --dir codeql/packs codeql/javascript-queries
```

### Verify All Databases

```bash
for lang in go python javascript; do
  echo "=== ${DB_NAME}-${lang} ==="
  grep finalised "codeql/${DB_NAME}-${lang}/codeql-database.yml"
done
```
## One-Liner Scripts

Run:

```bash
./scripts/codeql-build-all.sh
./scripts/codeql-analyze-all.sh
```
## Run Full Security Analysis

### All Components - Code Scanning Suite

```bash
DB_NAME=$(basename "$PWD")

codeql database analyze codeql/${DB_NAME}-go \
  codeql/packs/codeql/go-queries/*/codeql-suites/go-code-scanning.qls \
  --format=sarif-latest \
  --output=codeql/${DB_NAME}-go-code-scanning.sarif

codeql database analyze codeql/${DB_NAME}-python \
  codeql/packs/codeql/python-queries/*/codeql-suites/python-code-scanning.qls \
  --format=sarif-latest \
  --output=codeql/${DB_NAME}-python-code-scanning.sarif

codeql database analyze codeql/${DB_NAME}-javascript \
  codeql/packs/codeql/javascript-queries/*/codeql-suites/javascript-code-scanning.qls \
  --format=sarif-latest \
  --output=codeql/${DB_NAME}-javascript-code-scanning.sarif
```

### All Components - Security and Quality Suite

```bash
DB_NAME=$(basename "$PWD")

for lang in go python javascript; do
  codeql database analyze codeql/${DB_NAME}-${lang} \
    codeql/packs/codeql/${lang}-queries/*/codeql-suites/${lang}-security-and-quality.qls \
    --format=sarif-latest \
    --output=codeql/${DB_NAME}-${lang}-security.sarif
done
```
## Buildless Fallback (Go)

```bash
codeql database create "codeql/${DB_NAME}-go" \
  --language=go \
  --source-root="$GO_SRC_ROOT" \
  --build-mode=none \
  --threads=0 \
  --overwrite
```
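The build steps above and the Go buildless fallback, combined into one script as an added example (not the page's `scripts/codeql-build-all.sh`, which is not shown here). It assumes the `codeql` CLI is on `PATH` (or `CODEQL` points at it) and the `DB_NAME` / `*_SRC_ROOT` variables from the Setup step; `build_db`, `db_finalised` and `build_all` are names chosen for this example.

```shell
# Added example: build one CodeQL database per language with the page's flags,
# retry Go with --build-mode=none when the traced build fails, and confirm
# each database was finalised before moving on.
CODEQL="${CODEQL:-codeql}"
DB_NAME="${DB_NAME:-$(basename "$PWD")}"

# db_finalised DB_DIR: succeed only if codeql-database.yml records finalised: true
db_finalised() {
  grep -q '^finalised: *true' "$1/codeql-database.yml" 2>/dev/null
}

# build_db LANG SRC_ROOT [BUILD_COMMAND]
# Creates codeql/${DB_NAME}-LANG. A build command is passed for traced
# languages (Go); if that extraction fails, retry in buildless mode.
build_db() {
  lang="$1"; src="$2"; cmd="${3:-}"
  db="codeql/${DB_NAME}-${lang}"
  mkdir -p codeql
  if [ -n "$cmd" ]; then
    if ! "$CODEQL" database create "$db" --language="$lang" --source-root="$src" \
           --command="$cmd" --threads=0 --overwrite; then
      echo "traced build failed for ${lang}; retrying with --build-mode=none" >&2
      "$CODEQL" database create "$db" --language="$lang" --source-root="$src" \
        --build-mode=none --threads=0 --overwrite || return 1
    fi
  else
    "$CODEQL" database create "$db" --language="$lang" --source-root="$src" \
      --threads=0 --overwrite || return 1
  fi
  # A database that exists but was never finalised will fail at analyze time,
  # so treat it as a build failure here.
  db_finalised "$db"
}

# build_all: the three databases from the Quick Start, stopping at the first failure
build_all() {
  build_db go "${GO_SRC_ROOT:-.}" "go build ./..." &&
  build_db python "${PYTHON_SRC_ROOT:-.}" &&
  build_db javascript "${JS_SRC_ROOT:-.}"
}
```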
## VS Code Multi-Database Setup

`.vscode/settings.json`:

```json
{
  "codeQL.runningQueries.additionalPacks": [
    "${workspaceFolder}/codeql/packs"
  ]
}
```

Switch between databases using **CodeQL: Choose Database from Folder**.
## Merge SARIF Results

```bash
pip install sarif-tools

sarif merge \
  codeql/${DB_NAME}-go-results.sarif \
  codeql/${DB_NAME}-python-results.sarif \
  codeql/${DB_NAME}-javascript-results.sarif \
  --output codeql/${DB_NAME}-all-results.sarif
```

The input names must match the `--output` files you actually produced; the analyze commands above write `-code-scanning.sarif` and `-security.sarif`, so adjust the names accordingly.
## Troubleshooting

### Check All Databases

```bash
for lang in go python javascript; do
  echo "=== ${lang} ==="
  codeql database info codeql/${DB_NAME}-${lang} 2>/dev/null || echo "Not found"
done
```

### Clean All

```bash
rm -rf codeql/${DB_NAME}-*
```

### View Logs

```bash
for lang in go python javascript; do
  echo "=== ${lang} logs ==="
  tail -20 codeql/${DB_NAME}-${lang}/log/*.log 2>/dev/null || echo "No logs"
done
```

## Output Summary

```bash
echo "=== CodeQL Analysis Summary ==="
echo ""
for lang in go python javascript; do
  sarif="codeql/${DB_NAME}-${lang}-results.sarif"
  if [ -f "$sarif" ]; then
    total=$(jq '.runs[0].results | length' "$sarif")
    high=$(jq '[.runs[0].results[] | select(.level == "error")] | length' "$sarif")
    echo "${lang}: ${total} total, ${high} high severity"
  fi
done
```