Skip to content

Add CodeQL MCP server with database caching and security analysis workflow#10115

Closed
Copilot wants to merge 6 commits intomainfrom
copilot/add-codeql-support-workflow
Closed

Add CodeQL MCP server with database caching and security analysis workflow#10115
Copilot wants to merge 6 commits intomainfrom
copilot/add-codeql-support-workflow

Conversation

Copy link
Contributor

Copilot AI commented Jan 15, 2026
edited
Loading

Add CodeQL MCP Server Support

Add support for CodeQL as a shared agentic workflow in MCP similar to existing shared MCP servers (ast-grep, skillz, gh-aw, etc.), with automatic database caching and a security analysis workflow example.

Summary

Created a new shared MCP configuration file at .github/workflows/shared/mcp/codeql.md that enables agentic workflows to use the CodeQL MCP server for semantic code analysis. The configuration includes automatic CodeQL database creation with GitHub Actions caching and language detection. Updated the dev workflow to demonstrate Go security analysis using CodeQL.

Recent Changes

Latest commit: Added database caching and updated dev workflow

  • Added GitHub Actions cache for CodeQL database with smart cache keys
  • Added automatic database creation with language detection (Go, JavaScript, Python, Java, Ruby, C#)
  • Updated dev workflow from poem generator to Go security analyzer using CodeQL
  • Moved documentation to XML comment following jupyter.md pattern
  • Merged main branch

Features

  • MCP Server Configuration: HTTP-based MCP server running on localhost:8000
  • CodeQL CLI Installation: Automated download and installation of CodeQL CLI v2.19.3
  • Database Caching: GitHub Actions cache integration to persist databases across workflow runs
  • Automatic Database Creation: Creates CodeQL database with language detection if not found in cache
  • Python Dependencies: Automatic installation of fastmcp and httpx
  • Server Lifecycle Management: Clones the server repository, starts it, and validates connectivity
  • Comprehensive Documentation: Includes available tools, usage examples, and security considerations

Database Creation & Caching

  • Cache Key: codeql-db-{repository}-{sha} with fallback to previous commits
  • Language Detection: Automatically detects Go, JavaScript, Python, Java, Ruby, C#
  • Conditional Creation: Database only created if cache miss
  • Location: /tmp/codeql-db

Available Tools

The CodeQL MCP server provides 6 tools for semantic code analysis:

  1. register_database - Register a CodeQL database
  2. evaluate_query - Run full CodeQL queries
  3. quick_evaluate - Quick-evaluate specific classes/predicates
  4. decode_bqrs - Decode results to CSV/JSON
  5. find_class_position - Locate class positions
  6. find_predicate_position - Locate predicate positions

Dev Workflow Enhancement

Updated .github/workflows/dev.md to demonstrate CodeQL usage for Go security analysis:

  • Analyzes Go source code for security vulnerabilities
  • Uses CodeQL MCP server tools to register database, run queries, and decode results
  • Creates security issues for findings with severity assessment and recommended fixes
  • Posts summary comments on trigger issue

Completed Tasks

  • Research CodeQL MCP server implementation (JordyZomer/codeql-mcp)
  • Create .github/workflows/shared/mcp/codeql.md configuration file
  • Document available tools and usage patterns
  • Add CodeQL CLI installation steps (v2.19.3)
  • Add Python dependencies installation (fastmcp, httpx)
  • Add server cloning and startup steps
  • Include health check with TCP connection validation
  • Add comprehensive documentation with examples
  • Include security considerations
  • Test compilation with sample workflows
  • Merge main branch
  • Move documentation to XML comment (follows jupyter.md pattern)
  • Add GitHub Actions cache for CodeQL database
  • Add automatic database creation with language detection
  • Update dev workflow to find security issues in Go code
  • Run make fmt - passed ✓

Usage Example

---
on: workflow_dispatch
permissions:
  contents: read
  security-events: read
engine: copilot
imports:
  - shared/mcp/codeql.md
---

# CodeQL Security Analysis

Analyze the repository for security vulnerabilities using CodeQL.

The CodeQL database will be automatically created and cached at `/tmp/codeql-db`.

1. Register the database with the MCP server
2. Run security queries to identify vulnerabilities
3. Decode and analyze the results

Related Links

Original prompt

Add support for codeql as a shared agentic workflow in MCP or something

https://github-grid.enterprise.slack.com/archives/D0A9CP9J7QR/p1768499932580839

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 2 commits January 15, 2026 18:08
@pelikhan
Initial plan: Add CodeQL MCP server as shared agentic workflow
6164206 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Add CodeQL MCP server as shared agentic workflow
2706f91 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add support for CodeQL as a shared agentic workflow Add CodeQL MCP server as shared workflow import Jan 15, 2026
Copilot AI requested a review from pelikhan January 15, 2026 18:22
pelikhan
pelikhan reviewed Jan 15, 2026
View reviewed changes
.github/workflows/shared/mcp/codeql.md Outdated
@@ -0,0 +1,213 @@
---
# CodeQL MCP Server
Copy link
Contributor

@pelikhan pelikhan Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot
Merge main
move to xml comment in body

Copy link
Contributor Author

Copilot AI Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in commit a8386be. Merged main and moved documentation to XML comment in the body following the pattern from jupyter.md.

Copilot AI and others added 2 commits January 15, 2026 18:28
Merge remote-tracking branch 'origin/main' into copilot/add-codeql-su…
a0f6c79 
…pport-workflow
@pelikhan
Move CodeQL MCP documentation to XML comment body
a8386be 
- Removed comment header from YAML frontmatter
- Moved all documentation to XML comment after frontmatter closing
- Follows pattern from jupyter.md
- Merged main branch

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Copy link
Contributor

pelikhan commented Jan 15, 2026

@copilot make sure the codeql db uses a GitHub action cache, the db creation is also part of the agentic steps.

Update the dev agentic workflow to find security issues in the go source code

Copilot AI requested a review from pelikhan January 15, 2026 18:31
@pelikhan
Add CodeQL database caching and update dev workflow for security anal…
8ab7bf2 
…ysis

- Added GitHub Actions cache for CodeQL database with key based on repo and SHA
- Added automatic database creation with language detection (Go, JavaScript, Python, Java, Ruby, C#)
- Database only created if not found in cache (conditional step)
- Updated dev.md workflow to use CodeQL for Go security analysis instead of poem generation
- Added imports for shared/mcp/codeql.md in dev workflow
- Added security-events permission and create-issue safe output
- Updated documentation to reflect automatic database creation and caching

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Jan 15, 2026

@copilot make sure the codeql db uses a GitHub action cache, the db creation is also part of the agentic steps.

Update the dev agentic workflow to find security issues in the go source code

Done in commit 8ab7bf2:

  1. CodeQL Database Caching: Added actions/cache@v4 with cache key codeql-db-{repository}-{sha} and restore fallback to previous commits
  2. Automatic Database Creation: Added conditional step that creates database only if cache miss, with automatic language detection (Go, JavaScript, Python, Java, Ruby, C#)
  3. Dev Workflow Updated: Changed from poem generator to Go security analyzer using CodeQL MCP server - analyzes Go source code for security vulnerabilities and creates issues for findings

Copilot AI changed the title Add CodeQL MCP server as shared workflow import Add CodeQL MCP server with database caching and security analysis workflow Jan 15, 2026
@pelikhan pelikhan closed this Jan 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pelikhan