一键导入
codeql-fix
Run CodeQL security/quality analysis and fix findings. Use when the user asks to run CodeQL, security scan, static analysis, or fix CodeQL findings.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Run CodeQL security/quality analysis and fix findings. Use when the user asks to run CodeQL, security scan, static analysis, or fix CodeQL findings.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Analyze sqlfluff-complexity JSON reports (hotspot digest and threshold tuning). Reuse --output when the file is no older than 5 minutes; otherwise run report. Scan paths and output path are always user-specified.
Guide users through configuring sqlfluff-complexity for a SQLFluff project by sampling reports, choosing a preset, explaining thresholds, per-directory strictness (nested .sqlfluff vs path_overrides), validating config, and recommending gradual CI rollout.
Inspect repository layout with tree and find, compare to AGENTS.md conventions, and fix misplaced or overly flat generated files. Use when auditing folder structure, after scaffolding or bulk file generation, when output looks flat, or when asked where code/tests/docs should live. Supports inspecting the repository root or a specified subdirectory.
Run linters and fix violations using Trunk when available; when Trunk is missing, run the equivalent tools from the dev environment (see .trunk/trunk.yaml and pyproject.toml) so agents still enforce Ruff, Pyright, Pylint, Bandit, and other enabled checks where possible.
Run unit tests and automatically fix code failures, regression bugs, or test mismatches. Use when tests are failing, after implementing new features, or to repair "broken" tests.
Build the project and automatically fix packaging or build errors (for example Hatch failures) and related breakage. Use when the project fails to build, shows "broken" states, or after making significant changes.
| name | codeql-fix |
| description | Run CodeQL security/quality analysis and fix findings. Use when the user asks to run CodeQL, security scan, static analysis, or fix CodeQL findings. |
| compatibility | Requires [CodeQL CLI](https://github.com/github/codeql-cli-binaries/releases) on PATH (e.g. brew install codeql). Python and [uv](https://github.com/astral-sh/uv) aligned with [`.python-version`](../../../.python-version) and [`pyproject.toml`](../../../pyproject.toml). Run `uv sync` or `make setup` before analysis when findings should reflect installed dependencies (matches [`.github/workflows/codeql.yml`](../../../.github/workflows/codeql.yml)). |
Use when the user asks to run CodeQL or static analysis, or to fix CodeQL findings (see frontmatter description).
PATH (e.g. brew install codeql).uv sync, make setup, or CI-style uv sync --frozen) so results match installed dependencies.All commands below assume cd "$(git rev-parse --show-toplevel)".
Do not commit CodeQL databases or SARIF outputs (large, machine-specific). They belong in .gitignore (for example .codeql_db/, codeql-results.sarif).
dev/codeql.sh)make codeql
This creates .codeql_db, analyzes with codeql/python-queries:codeql-suites/python-security-and-quality.qls, writes codeql-results.sarif, and passes --download to resolve query packs.
Create the database (Python needs no build command for extraction):
codeql database create .codeql_db --language=python --source-root . --overwrite
Analyze and emit SARIF:
codeql database analyze .codeql_db \
"codeql/python-queries:codeql-suites/python-security-and-quality.qls" \
--format=sarif-latest \
--output=codeql-results.sarif \
--download
codeql/python-queries:codeql-suites/python-code-scanning.qls instead.--download, run codeql pack download codeql/python-queries once.View SARIF in the VS Code SARIF extension (or upload where your org uses code scanning).
paths-ignore)Use the renderer when you want paths-ignore for large or generated trees, hand-edited query blocks, or parity with GitHub code scanning YAML.
REPO="$(git rev-parse --show-toplevel)"
"$REPO/.claude/skills/codeql-fix/scripts/render-code-scanning-config.sh" "$REPO" /tmp/codeql-config.yml
codeql database create .codeql_db --language=python --source-root . --codescanning-config=/tmp/codeql-config.yml --overwrite
Then run codeql database analyze as in section 2. See references/code-scanning-config.md.
If the relevant SARIF has an empty runs[].results array, there are no CodeQL alerts to fix for that suite; stop unless the user wants a broader suite or diagnostic queries.
When SARIF findings remain:
make test, then make lint (see AGENTS.md and the Makefile; make lint runs trunk check -a).make codeql or repeat the manual create + analyze steps until clean or up to 3 iterations to avoid unbounded loops.See references/code-scanning-config.md and the official code scanning configuration reference.