Skip to main content

Run CodeQL code-quality analysis locally, mirroring the GitHub 'Code Quality' check

Project description

run-codeql

A pip-installable CLI tool that runs CodeQL code-quality analysis locally, mirroring the GitHub "Code Quality" check. Install once, run from any repository.

Installation

pip install run-codeql

This installs two commands: run-codeql and the shorthand rcql.

Requirements

  • Python 3.10+
  • CodeQL CLI — auto-downloaded to ~/.codeql-tools/ on first run if not already on PATH (SHA-256 verified, with retry/timeout policy)

Usage

Run from the root of any repository:

rcql                        # auto-detect languages, run full scan
rcql --lang python          # scan only Python
rcql --lang python,actions  # scan multiple specific languages

Options

Flag Description
--lang Comma-separated languages to scan (default: auto-detected)
--report-only Skip scanning; summarize existing SARIF reports from the last run
--verbose, -v Print each finding with rule ID, location, and message
--quiet, -q Suppress log output; print only final summaries (for agent/scripted use)
--files Comma-separated file paths or fnmatch patterns to restrict findings to (e.g. src/foo.py or src/*.py)
--exclude-files Comma-separated file paths or fnmatch patterns to exclude from findings (e.g. src/generated/**)
--rule Comma-separated rule IDs or fnmatch patterns to restrict findings to (e.g. py/unused-import or py/*)
--limit N Return at most N findings (after --files/--rule filtering)
--offset N Skip the first N findings before applying --limit (for pagination)
--include-third-party Include findings from third-party/vendor paths (default output suppresses common dependency noise)
--keep-db Reuse existing databases instead of recreating them
--keep-reports Do not delete prior SARIF reports before running
--no-fail Exit 0 even if findings or scan errors exist

Download behavior can be tuned with environment variables: RCQL_DOWNLOAD_TIMEOUT_SECONDS, RCQL_DOWNLOAD_RETRY_ATTEMPTS, and RCQL_DOWNLOAD_RETRY_SLEEP_SECONDS.

Report cleanup behavior before scans:

  • with --lang, only the matching <lang>-code-quality.sarif reports are replaced
  • without --lang, all prior SARIF reports are cleared first
  • with --keep-reports, no reports are deleted

Language auto-detection

When --lang is not specified, the tool scans the repo for source files and detects which CodeQL languages to run. Common dependency directories are skipped (node_modules, vendor, target, .venv, etc.).

Supported languages: python, rust, javascript-typescript, go, java, csharp, cpp, ruby, swift, actions

GitHub Actions workflows (.github/workflows/*.yml and .github/workflows/*.yaml) are detected automatically and trigger the actions scanner.

Outputs

  • Databases: .codeql/db-<lang>/
  • SARIF reports: .codeql/reports/<lang>-code-quality.sarif

A .codeql/.gitignore with * is created automatically on first run so these artifacts are not committed.

By default, rcql exits non-zero if any findings are present or any language scan fails. Use --no-fail to force a zero exit code for informational/reporting workflows.

Common workflows

Full scan

cd ~/projects/my-repo
rcql

Quick re-summary after a previous scan

rcql --report-only
rcql --report-only --verbose
rcql --report-only --lang rust

Agent-friendly output

Produces clean, structured output suitable for an AI agent — no log noise, findings include rule ID, file location, and message:

rcql -q -v --report-only

Example output:

[python] SARIF: /path/to/.codeql/reports/python-code-quality.sarif
  error: 1
  warning: 2
  Total: 3

  [error] py/sql-injection
    SQL injection
    src/db.py:42
    This query depends on user-provided value.

  [warning] py/unused-import
    Unused import
    src/utils.py:3
    Import of 'os' is not used.

Filtering findings for large codebases

When a scan returns hundreds or thousands of findings, use --files, --rule, --limit, and --offset to slice the results. These flags work with both --report-only and live scans.

By default, summary output suppresses common third-party noise paths such as node_modules, vendor, and .codeql mirror artifacts. Use --include-third-party to opt in to those findings.

Filter to a specific file:

rcql -q -v --report-only --files src/models/user.py

Filter using a glob pattern:

rcql -q -v --report-only --files 'src/api/*.py'

Filter to a specific rule:

rcql -q -v --report-only --rule py/unused-import

Filter to an entire rule category:

rcql -q -v --report-only --rule 'py/*'

Combine file and rule filters:

rcql -q -v --report-only --files src/models/user.py --rule py/unused-import

Paginate through a large result set:

# First 20 findings
rcql -q -v --report-only --limit 20

# Next 20
rcql -q -v --report-only --limit 20 --offset 20

When any filter or pagination flag is active, the summary line changes from Total: N to Shown: X (matched: Y) so you can see both how many were returned and how many matched in total.

Language blocks with zero matching findings are automatically suppressed when --files or --rule is active, so only relevant output is shown.

Single-language scan

rcql --lang actions --no-fail

Parallel execution

When scanning multiple languages, all scans run in parallel with CPU threads divided evenly across languages. Log timestamps make this visible.

Upgrading CodeQL

The CodeQL version is pinned in the package. The checksum for each release is fetched live from GitHub at download time, so no manual SHA updates are needed. To use a newer CodeQL version, update CODEQL_VERSION in run_codeql/settings.py and delete ~/.codeql-tools/ to trigger a fresh download on next run.

Development

git clone https://github.com/YOUR_USERNAME/run-codeql
cd run-codeql
pip install -e ".[dev]"

Make targets

Target Description
make test Run the test suite
make cov Run tests with coverage report
make lint Run ruff (check only)
make fmt Auto-format with black and ruff --fix
make fmt-check Check formatting without modifying files
make check fmt-check + lint (CI-safe, no modifications)
make fix lint + fmt combined (auto-fix everything)
make install Install in editable mode with dev deps

Running tests

make test       # run all 100+ tests
make cov        # with per-line coverage report

Tests cover SARIF filtering, language detection, download integrity, extraction safety, and CLI behavior using fixture SARIF files. No CodeQL installation is required to run the tests.

Package layout

File Purpose
run_codeql/cli.py Argument parsing and orchestration
run_codeql/download.py CodeQL download, retry, checksum, extraction
run_codeql/scanner.py Language detection and per-language scan execution
run_codeql/sarif.py SARIF parsing, filtering, and summary rendering
run_codeql/settings.py Constants and environment-tunable defaults

Contributing

Contributions are welcome. Please:

  1. Fork the repo and create a feature branch
  2. Run make check and make test before submitting
  3. Open a pull request with a clear description of the change

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

run_codeql-1.2.0.tar.gz (16.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

run_codeql-1.2.0-py3-none-any.whl (16.6 kB view details)

Uploaded Python 3

File details

Details for the file run_codeql-1.2.0.tar.gz.

File metadata

  • Download URL: run_codeql-1.2.0.tar.gz
  • Upload date:
  • Size: 16.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for run_codeql-1.2.0.tar.gz
Algorithm Hash digest
SHA256 6655b372f6d71c9c9ff1b4e5fb1d64395d066ca1f5f3fe0aea2f9d3a26bd38bb
MD5 c1bccffab2a33481ecc05ae6a5e7d4db
BLAKE2b-256 40e7b26a30a56b9d97882605db31f607e8d6e9c99184a4b46e72fc73d69515fa

See more details on using hashes here.

Provenance

The following attestation bundles were made for run_codeql-1.2.0.tar.gz:

Publisher: release.yml on dereknorrbom/run-codeql

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file run_codeql-1.2.0-py3-none-any.whl.

File metadata

  • Download URL: run_codeql-1.2.0-py3-none-any.whl
  • Upload date:
  • Size: 16.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for run_codeql-1.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 66ef569e9d307c8d3d6ca1bddfdaa1a710bfedd54e46e4e786d1886b4e9b047a
MD5 f823474920f11a904d037396f7b16640
BLAKE2b-256 4823c079a5427078b7318c2603623500990785941050138ad6357ba23bc00b06

See more details on using hashes here.

Provenance

The following attestation bundles were made for run_codeql-1.2.0-py3-none-any.whl:

Publisher: release.yml on dereknorrbom/run-codeql

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page