codeql-fix
| field | value |
| --- | --- |
| name | codeql-fix |
| description | Run CodeQL security/quality analysis and fix findings. Use when the user asks to run CodeQL, security scan, static analysis, or fix CodeQL findings. |
| compatibility | Requires [CodeQL CLI](https://github.com/github/codeql-cli-binaries/releases) on PATH (e.g. `brew install codeql`). Node.js per [`.node-version`](../../../.node-version) and pnpm per [`package.json`](../../../package.json) `packageManager`. Run `pnpm install` before `database create` so TypeScript and workspace resolution match the tree. Matches local flow in [`dev/codeql.sh`](../../../dev/codeql.sh) and [`.github/workflows/codeql.yml`](../../../.github/workflows/codeql.yml) when present. |
Use when the user asks to run CodeQL or static analysis, or to fix CodeQL findings (see frontmatter description).
Prerequisites:

- CodeQL CLI on PATH (e.g. `brew install codeql`).
- Run `pnpm install` before creating the database (use `pnpm install --frozen-lockfile` for CI-like reproducibility).
- All commands below assume `cd "$(git rev-parse --show-toplevel)"`.

Do not commit CodeQL databases or SARIF outputs (large, machine-specific). They belong in `.gitignore` (for example `.codeql_db/`, `codeql-results.sarif`).
Run the wrapper script `dev/codeql.sh` from the repo root:

```sh
./dev/codeql.sh
```

Or:

```sh
pnpm run codeql:local
```

This runs `pnpm install`, creates `.codeql_db` with `javascript-typescript`, analyzes with `codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls`, writes `codeql-results.sarif`, and passes `--download` to resolve query packs.

Do not pass `--command` for JavaScript/TypeScript-only database creation; it can prevent the normal extractor from running. Rely on `pnpm install` plus the extractor. Use `pnpm build` (for example via build-and-fix or the verifier) when you need a clean compile before other work; it is not required here for CodeQL DB creation in this template.
After `pnpm install`:

```sh
codeql database create .codeql_db --language=javascript-typescript --source-root . --overwrite
```

Analyze and emit SARIF:

```sh
codeql database analyze .codeql_db \
  "codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls" \
  --format=sarif-latest \
  --output=codeql-results.sarif \
  --download
```

Notes:

- To run the default code scanning suite rather than security-and-quality, pass `codeql/javascript-queries:codeql-suites/javascript-code-scanning.qls` instead.
- Instead of passing `--download` on every run, run `codeql pack download codeql/javascript-queries` once.
- View SARIF in the VS Code SARIF extension (or upload where your org uses code scanning).
Optional: code scanning config (`paths-ignore`). Use the renderer when you want `paths-ignore` for large or generated trees, hand-edited query blocks, or parity with GitHub code scanning YAML.

```sh
REPO="$(git rev-parse --show-toplevel)"
"$REPO/.agents/skills/codeql-fix/scripts/render-code-scanning-config.sh" "$REPO" /tmp/codeql-config.yml
codeql database create .codeql_db --language=javascript-typescript --source-root . --codescanning-config=/tmp/codeql-config.yml --overwrite
```

Then run `codeql database analyze` as in section 2. See `references/code-scanning-config.md`.
If the relevant SARIF has an empty `runs[].results` array, there are no CodeQL alerts to fix for that suite; stop unless the user wants a broader suite or diagnostic queries.

When SARIF findings remain:

- Run `pnpm test`, then `pnpm lint` (see `AGENTS.md`).
- Re-run `./dev/codeql.sh` (or `pnpm run codeql:local`), or repeat the manual create + analyze steps, until clean, up to 3 iterations to avoid unbounded loops.
- See `references/code-scanning-config.md` and the official code scanning configuration reference.