Commit 83e8683

Merge pull request #4 from microsoft/dev/jacobmsft/readme-changes
changes to readme
2 parents 42ca3d0 + 68c9550 commit 83e8683

File tree

1 file changed

+32
-19
lines changed

README.md

Lines changed: 32 additions & 19 deletions
@@ -4,7 +4,7 @@
44
> Current version of CodeQL only works for interpreted languages. We will add compiled languages support on future versions.
55
66
CodeQL Container is a project aimed at making it easier to start using CodeQL (https://github.com/github/codeql). This project
7-
contains a Docker file which builds a container with the latest version of codeql-cli and codeql queries precompiled.
7+
contains a Docker file which builds a container, with the latest version of codeql-cli and codeql queries precompiled.
88
It also contains scripts to keep the toolchain in the container updated. You can use this container to:
99

1010
* Start using codeql-cli and run queries on your projects without installing it on your local machine.
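Review bot: the comma added in the `7+` line ("builds a container, with the latest version of codeql-cli and codeql queries precompiled") separates the verb from its modifier and reads worse than the `7-` wording; suggest keeping the sentence without the comma. While touching this line, "Docker file" in the unchanged context could be written "Dockerfile" to match the file name used in the build instructions later in the README (`docker build . -f Dockerfile -t codeql-container`).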
@@ -17,47 +17,60 @@ We shall continue to add more features and would be happy to accept contribution
1717

1818
#### Downloading a pre-built container
1919
We keep updating the docker image periodically and uploading it to the Microsoft Container Registry at: mcr.microsoft.com/codeql/codeql-container.
20-
You can run the image by running the command:
20+
You can pull the image by running the command:
2121
```
22-
$ docker run --rm mcr.microsoft.com/codeql/codeql-container
22+
$ docker pull mcr.microsoft.com/codeql/codeql-container
2323
```
2424

2525
If you want to analyze a particular source directory with codeql, run the container as:
2626
```
2727
$ docker run --rm --name codeql-container mcr.microsoft.com/codeql/codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS=<query run...>
2828
```
29-
where /dir/to/analyze contains the source files that have to be analyzed, and /dir/for/results is where the result output
30-
needs to be stored, and you can specify QL_PACKS environment variable for specific QL packs to be run on the provided code.
31-
For more information on CodeQL and QL packs, please visit https://www.github.com/github/codeql.
32-
CODEQL_CLI_ARGS are the arguments that will be directly passed on to the codeql-cli. Some examples of CODEQL_CLI_ARGS are:
29+
30+
where /dir/to/analyze contains the source files that has to be analyzed, and /dir/for/results is where the result output
31+
needs to be stored.
32+
CODEQL_CLI_ARGS contents will be directly passed on to the codeql-cli. Some examples of CODEQL_CLI_ARGS are:
33+
3334
```
3435
CODEQL_CLI_ARGS = database create /opt/src/source_db
3536
```
36-
**Note:** If you map your source volume to some other mountpoint other than /opt/src, you will have to make the corresponding changes
37-
in the CODEQL_CLI_ARGS.
37+
38+
> **Note:** If you map your source volume to some other mount point other than /opt/src, you will have to make the corresponding changes
39+
> in the CODEQL_CLI_ARGS.
3840
3941
There are some additional docker environment variables that you can specify to control the execution of the container:
40-
* CHECK_LATEST_CODEQL_CLI - If there is a newer version of codeql-cli, download and install it
41-
* CHECK_LATEST_QUERIES - if there is are updates to the codeql queries repo, download and use it
42-
* PRECOMPILE_QUERIES - If we downloaded new queries, precompile all new query packs (query execution will be faster)
43-
WARNING: Precompiling query packs might take a few hours, depending on speed of your machine and the CPU/Memory limits (if any)
44-
you have placed on the container.
45-
46-
Since codeql first creates a database of the code representation, and then analyzes the db for issues, we need a few commands to
47-
analyze a source code repo.
42+
* CHECK_LATEST_CODEQL_CLI - If there is a newer version of codeql-cli, download and install it
43+
* CHECK_LATEST_QUERIES - if there is are updates to the codeql queries repo, download and use it
44+
* PRECOMPILE_QUERIES - If we downloaded new queries, precompile all new query packs (query execution will be faster)
45+
> WARNING: Precompiling query packs might take a few hours, depending on speed of your machine and the CPU/Memory limits (if any)
46+
> you have placed on the container.
47+
48+
Since codeql first creates a database of the code representation, and then analyzes the said db for issues, we need to run couple commands to
49+
analyze a source code project.
4850
For example, if you want to analyze a python project source code placed in /dir/to/analyze (or C:\dir\to\analyze for example, in windows),
4951
to analyze and get a sarif result file, you will have to run:
50-
$ docker run --rm --name codeql-container mcr.microsoft.com/codeql/codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS="database create --language=python /opt/src/source_db"
51-
$ docker run --rm --name codeql-container mcr.microsoft.com/codeql/codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS="database analyze --format=sarifv2 --output=/opt/results/issues.sarif /opt/src/source_db
5252

5353
```
54+
$ docker run --rm --name codeql-container codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS="database create --language=python /opt/src/source_db"
55+
$ docker run --rm --name codeql-container codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS="database upgrade source_db"
56+
$ docker run --rm --name codeql-container codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS="database analyze source_db --output=/opt/results/issues.sarif /opt/src/source_db python-security-and-quality.qls"
57+
```
58+
59+
This will run the python-security-and-quality.qls query pack on the provided source code and output the results to /path/to/results/issues.sarif on the local machine.
60+
> [The second step above is only required if the queries are newer than the one that codeql-cli recognizes.]
61+
5462
This command will run all the ql packs related to security and output the results to the results folder.
5563

64+
For more information on CodeQL and QL packs, please visit https://www.github.com/github/codeql.
65+
5666
#### Building the container
5767
Building the container should be pretty straightforward.
68+
69+
```
5870
git clone ...
5971
cd src
6072
docker build . -f Dockerfile -t codeql-container
73+
```
6174

6275
# Contributing
6376

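Review bot: in the three `docker run` lines added at `54+` to `56+`, the `-v` and `-e` options come after the image name (`codeql-container`), so Docker treats them as arguments to the container's command rather than as run options; the volume mounts and CODEQL_CLI_ARGS will not be applied. Options must precede the image, e.g. `$ docker run --rm --name codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS="database create --language=python /opt/src/source_db" codeql-container`. The unchanged line at `2727` and the removed `50-`/`51-` lines have the same ordering, so it is worth fixing consistently. Other points in this hunk: the image name changed from `mcr.microsoft.com/codeql/codeql-container` (the one the pull instruction at `22+` fetches) to the local build tag `codeql-container`, which only exists after following the "Building the container" section; in `56+` the database is passed as the relative path `source_db` although `54+` created it at `/opt/src/source_db`, and `/opt/src/source_db` then appears again as a positional argument where only the query suite belongs; the `--format=sarifv2` option from `51-` was dropped without explanation; `59+` says results land in `/path/to/results/issues.sarif` while the mount in the command is `/dir/for/results`; `60+` ("only required if the queries are newer than the one that codeql-cli recognizes") has no clear referent for "the one" and should say what the upgrade step compares; and the unchanged `5563` line ("This command will run all the ql packs related to security") now duplicates `59+` and should be dropped or merged. Grammar regressions: `30+` changes "have to be analyzed" to "has to be analyzed", `43+` keeps "if there is are updates", and `48+` "run couple commands" needs "a couple of".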