Add CodeQL MCP server with database caching and security analysis workflow#10115

Closed
Copilot wants to merge 6 commits into main from copilot/add-codeql-support-workflow

Conversation


Copilot AI commented Jan 15, 2026

Add CodeQL MCP Server Support

Add support for CodeQL as a shared agentic workflow in MCP similar to existing shared MCP servers (ast-grep, skillz, gh-aw, etc.), with automatic database caching and a security analysis workflow example.

Summary

Created a new shared MCP configuration file at .github/workflows/shared/mcp/codeql.md that enables agentic workflows to use the CodeQL MCP server for semantic code analysis. The configuration includes automatic CodeQL database creation with GitHub Actions caching and language detection. Updated the dev workflow to demonstrate Go security analysis using CodeQL.

Recent Changes

Latest commit: Added database caching and updated dev workflow

  • Added GitHub Actions cache for CodeQL database with smart cache keys
  • Added automatic database creation with language detection (Go, JavaScript, Python, Java, Ruby, C#)
  • Updated dev workflow from poem generator to Go security analyzer using CodeQL
  • Moved documentation to XML comment following jupyter.md pattern
  • Merged main branch

Features

  • MCP Server Configuration: HTTP-based MCP server running on localhost:8000
  • CodeQL CLI Installation: Automated download and installation of CodeQL CLI v2.19.3
  • Database Caching: GitHub Actions cache integration to persist databases across workflow runs
  • Automatic Database Creation: Creates CodeQL database with language detection if not found in cache
  • Python Dependencies: Automatic installation of fastmcp and httpx
  • Server Lifecycle Management: Clones the server repository, starts it, and validates connectivity
  • Comprehensive Documentation: Includes available tools, usage examples, and security considerations

Database Creation & Caching

  • Cache Key: codeql-db-{repository}-{sha} with fallback to previous commits
  • Language Detection: Automatically detects Go, JavaScript, Python, Java, Ruby, C#
  • Conditional Creation: Database only created if cache miss
  • Location: /tmp/codeql-db

Available Tools

The CodeQL MCP server provides 6 tools for semantic code analysis:

  1. register_database - Register a CodeQL database
  2. evaluate_query - Run full CodeQL queries
  3. quick_evaluate - Quick-evaluate specific classes/predicates
  4. decode_bqrs - Decode results to CSV/JSON
  5. find_class_position - Locate class positions
  6. find_predicate_position - Locate predicate positions

Dev Workflow Enhancement

Updated .github/workflows/dev.md to demonstrate CodeQL usage for Go security analysis:

  • Analyzes Go source code for security vulnerabilities
  • Uses CodeQL MCP server tools to register database, run queries, and decode results
  • Creates security issues for findings with severity assessment and recommended fixes
  • Posts summary comments on trigger issue

Completed Tasks

  • Research CodeQL MCP server implementation (JordyZomer/codeql-mcp)
  • Create .github/workflows/shared/mcp/codeql.md configuration file
  • Document available tools and usage patterns
  • Add CodeQL CLI installation steps (v2.19.3)
  • Add Python dependencies installation (fastmcp, httpx)
  • Add server cloning and startup steps
  • Include health check with TCP connection validation
  • Add comprehensive documentation with examples
  • Include security considerations
  • Test compilation with sample workflows
  • Merge main branch
  • Move documentation to XML comment (follows jupyter.md pattern)
  • Add GitHub Actions cache for CodeQL database
  • Add automatic database creation with language detection
  • Update dev workflow to find security issues in Go code
  • Run make fmt - passed ✓

Usage Example

```markdown
---
on: workflow_dispatch
permissions:
  contents: read
  security-events: read
engine: copilot
imports:
  - shared/mcp/codeql.md
---

# CodeQL Security Analysis

Analyze the repository for security vulnerabilities using CodeQL.

The CodeQL database will be automatically created and cached at `/tmp/codeql-db`.

1. Register the database with the MCP server
2. Run security queries to identify vulnerabilities
3. Decode and analyze the results
```

Related Links

Original prompt

Add support for codeql as a shared agentic workflow in MCP or something

https://github-grid.enterprise.slack.com/archives/D0A9CP9J7QR/p1768499932580839
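The steps listed above under "Database Creation & Caching" and "Completed Tasks" (cache key from repository and SHA, language detection, database creation only on a cache miss, TCP health check of the MCP server) are easier to reason about as a set of shell functions. The script below is an added example written for this page; it is not code from the PR or from the gh-aw repository. It assumes a CodeQL CLI reachable as `codeql` (or via a hypothetical `CODEQL_BIN` variable), the CodeQL language identifiers for the six languages the PR names, the `/tmp/codeql-db` location from the PR, and that a finished CodeQL database contains a `codeql-database.yml` file, which is used here as the cache-hit marker.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR or from gh-aw. Assumptions: CodeQL CLI on
# PATH or in $CODEQL_BIN (hypothetical variable), CodeQL language names for the
# six languages the PR lists, and codeql-database.yml as the "database exists"
# marker. Designed for POSIX sh except for the /dev/tcp health check (bash).

# True when at least one regular file under $1 matches the name pattern $2.
has_files() {
  [ -n "$(find "$1" -type f -name "$2" 2>/dev/null | head -n 1)" ]
}

# Map repository contents to a CodeQL language identifier, checked in the order
# the PR lists them (Go, JavaScript, Python, Java, Ruby, C#). Prints nothing and
# returns 1 when nothing supported is found, so the caller can skip database
# creation instead of failing the whole job.
detect_codeql_language() {
  dir="${1:-.}"
  if [ -f "$dir/go.mod" ] || has_files "$dir" '*.go'; then
    echo go
  elif [ -f "$dir/package.json" ] || has_files "$dir" '*.js' || has_files "$dir" '*.ts'; then
    echo javascript
  elif has_files "$dir" '*.py'; then
    echo python
  elif [ -f "$dir/pom.xml" ] || [ -f "$dir/build.gradle" ] || has_files "$dir" '*.java'; then
    echo java
  elif [ -f "$dir/Gemfile" ] || has_files "$dir" '*.rb'; then
    echo ruby
  elif has_files "$dir" '*.cs' || has_files "$dir" '*.csproj'; then
    echo csharp
  else
    return 1
  fi
}

# Cache key exactly as the PR describes it: codeql-db-{repository}-{sha}.
codeql_cache_key() {
  printf 'codeql-db-%s-%s\n' "$1" "$2"
}

# Restore-key prefix for the "fallback to previous commits" behaviour: any
# database cached for this repository, regardless of SHA, matches it.
codeql_restore_key() {
  printf 'codeql-db-%s-\n' "$1"
}

# Build the database only when the cache restored nothing (the PR's conditional
# step). $1 is the database directory, $2 the source root.
ensure_codeql_database() {
  db="${1:-/tmp/codeql-db}"
  src="${2:-.}"
  if [ -f "$db/codeql-database.yml" ]; then
    echo "cache hit: reusing database at $db"
    return 0
  fi
  lang=$(detect_codeql_language "$src") || {
    echo "no supported language found under $src; skipping database creation" >&2
    return 1
  }
  echo "cache miss: creating $lang database at $db"
  "${CODEQL_BIN:-codeql}" database create "$db" \
    --language="$lang" --source-root="$src" --overwrite
}

# TCP health check for the MCP server (the PR's "TCP connection validation"):
# retry a bare connect until it succeeds or the attempt budget is spent. Uses
# bash's /dev/tcp so the runner needs no netcat or curl.
wait_for_mcp_server() {
  host="${1:-127.0.0.1}"
  port="${2:-8000}"
  attempts="${3:-30}"
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
      echo "MCP server reachable at $host:$port"
      return 0
    fi
    i=$((i + 1))
    sleep 1
  done
  echo "MCP server not reachable at $host:$port after $attempts attempts" >&2
  return 1
}

# Typical sequence inside the agentic setup steps (only when run directly):
# GITHUB_REPOSITORY / GITHUB_SHA are the standard Actions variables.
if [ "${RUN_CODEQL_SETUP:-0}" = "1" ]; then
  echo "key:         $(codeql_cache_key "$GITHUB_REPOSITORY" "$GITHUB_SHA")"
  echo "restore-key: $(codeql_restore_key "$GITHUB_REPOSITORY")"
  ensure_codeql_database /tmp/codeql-db "$GITHUB_WORKSPACE"
  wait_for_mcp_server 127.0.0.1 8000
fi
```

One caveat worth keeping in mind when using the restore-key fallback: a database restored for an earlier SHA is a snapshot of that earlier commit's extracted source, so queries run against it will not see the changes in the commit under review. `ensure_codeql_database` above accepts any restored database, matching the PR's description; a stricter step would rebuild whenever `actions/cache` reports only a prefix match (its `cache-hit` output is true only for an exact key match), or include a content hash of the source tree in the key.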



Copilot AI and others added 2 commits January 15, 2026 18:08
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add support for CodeQL as a shared agentic workflow Add CodeQL MCP server as shared workflow import Jan 15, 2026
Copilot AI requested a review from pelikhan January 15, 2026 18:22
@@ -0,0 +1,213 @@
---
# CodeQL MCP Server
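Review bot: the `# CodeQL MCP Server` line directly after the opening `---` is a YAML comment inside the frontmatter, so the file's documentation starts in the configuration block rather than in the markdown body. Move the header and the documentation that follows it into an XML comment after the closing `---`, the pattern the repository's jupyter.md shared MCP file uses, so the frontmatter holds only configuration keys.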
@copilot
Merge main
move to xml comment in body

Contributor Author

Done in commit a8386be. Merged main and moved documentation to XML comment in the body following the pattern from jupyter.md.

Copilot AI and others added 2 commits January 15, 2026 18:28
- Removed comment header from YAML frontmatter
- Moved all documentation to XML comment after frontmatter closing
- Follows pattern from jupyter.md
- Merged main branch

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan

@copilot make sure the codeql db uses a GitHub action cache, the db creation is also part of the agentic steps.

Update the dev agentic workflow to find security issues in the go source code

…ysis

- Added GitHub Actions cache for CodeQL database with key based on repo and SHA
- Added automatic database creation with language detection (Go, JavaScript, Python, Java, Ruby, C#)
- Database only created if not found in cache (conditional step)
- Updated dev.md workflow to use CodeQL for Go security analysis instead of poem generation
- Added imports for shared/mcp/codeql.md in dev workflow
- Added security-events permission and create-issue safe output
- Updated documentation to reflect automatic database creation and caching

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jan 15, 2026

> @copilot make sure the codeql db uses a GitHub action cache, the db creation is also part of the agentic steps.
>
> Update the dev agentic workflow to find security issues in the go source code

Done in commit 8ab7bf2:

  1. CodeQL Database Caching: Added actions/cache@v4 with cache key codeql-db-{repository}-{sha} and restore fallback to previous commits
  2. Automatic Database Creation: Added conditional step that creates database only if cache miss, with automatic language detection (Go, JavaScript, Python, Java, Ruby, C#)
  3. Dev Workflow Updated: Changed from poem generator to Go security analyzer using CodeQL MCP server - analyzes Go source code for security vulnerabilities and creates issues for findings

Copilot AI changed the title Add CodeQL MCP server as shared workflow import Add CodeQL MCP server with database caching and security analysis workflow Jan 15, 2026
@pelikhan pelikhan closed this Jan 15, 2026