一键导入
codeql-fix
Run CodeQL security/quality analysis and fix findings. Use when the user asks to run CodeQL, security scan, static analysis, or fix CodeQL findings.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Run CodeQL security/quality analysis and fix findings. Use when the user asks to run CodeQL, security scan, static analysis, or fix CodeQL findings.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Reload in-memory artifacts after dbt run or a known artifact change. Use on the same target without restarting MCP.
Establish the dbt artifact root for this session (local path, s3://, or gs://). Use before any other dbt-tools analysis primitive.
Check MCP session state—target, load time, stale flag, runs, warehouse type. Use as a gate before analysis primitives.
Establish the dbt artifact root for this session (local path, s3://, or gs://). Use before any other dbt-tools analysis primitive.
Check whether dbt artifacts exist, are fresh, and which readiness level applies. Use as a gate before manifest- or run_results-based analysis.
Return metadata and context for one dbt resource by unique_id. Use when explaining what a model, source, or test does.
| name | codeql-fix |
| description | Run CodeQL security/quality analysis and fix findings. Use when the user asks to run CodeQL, security scan, static analysis, or fix CodeQL findings. |
| compatibility | Requires [CodeQL CLI](https://github.com/github/codeql-cli-binaries/releases) on PATH (e.g. brew install codeql). Node.js per [`.node-version`](../../../.node-version) and pnpm per [`package.json`](../../../package.json) `packageManager`. Run `pnpm install` before `database create` so TypeScript and workspace resolution match the tree. Matches local flow in [`dev/codeql.sh`](../../../dev/codeql.sh) and [`.github/workflows/codeql.yml`](../../../.github/workflows/codeql.yml) when present. |
Use when the user asks to run CodeQL or static analysis, or to fix CodeQL findings (see frontmatter description).
PATH (e.g. brew install codeql).pnpm install before creating the database (use pnpm install --frozen-lockfile for CI-like reproducibility).All commands below assume cd "$(git rev-parse --show-toplevel)".
Do not commit CodeQL databases or SARIF outputs (large, machine-specific). They belong in .gitignore (for example .codeql_db/, codeql-results.sarif).
dev/codeql.sh./dev/codeql.sh
Or:
pnpm run codeql:local
This runs pnpm install, creates .codeql_db with javascript-typescript, analyzes with codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls, writes codeql-results.sarif, and passes --download to resolve query packs.
Do not pass --command for JavaScript/TypeScript-only database creation; it can prevent the normal extractor from running. Rely on pnpm install plus the extractor. Use pnpm build (for example via build-and-fix or the verifier) when you need a clean compile before other work; it is not required here for CodeQL DB creation in this template.
After pnpm install:
codeql database create .codeql_db --language=javascript-typescript --source-root . --overwrite
Analyze and emit SARIF:
codeql database analyze .codeql_db \
"codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls" \
--format=sarif-latest \
--output=codeql-results.sarif \
--download
codeql/javascript-queries:codeql-suites/javascript-code-scanning.qls instead.--download, run codeql pack download codeql/javascript-queries once.View SARIF in the VS Code SARIF extension (or upload where your org uses code scanning).
paths-ignore)Use the renderer when you want paths-ignore for large or generated trees, hand-edited query blocks, or parity with GitHub code scanning YAML.
REPO="$(git rev-parse --show-toplevel)"
"$REPO/.claude/skills/codeql-fix/scripts/render-code-scanning-config.sh" "$REPO" /tmp/codeql-config.yml
codeql database create .codeql_db --language=javascript-typescript --source-root . --codescanning-config=/tmp/codeql-config.yml --overwrite
Then run codeql database analyze as in section 2. See references/code-scanning-config.md.
If the relevant SARIF has an empty runs[].results array, there are no CodeQL alerts to fix for that suite; stop unless the user wants a broader suite or diagnostic queries.
When SARIF findings remain:
pnpm test, then pnpm lint (see AGENTS.md)../dev/codeql.sh (or pnpm run codeql:local) or repeat the manual create + analyze steps until clean or up to 3 iterations to avoid unbounded loops.See references/code-scanning-config.md and the official code scanning configuration reference.