The CodeQL command line tool allows you to create databases from locally-sourced code. In this challenge, you will create a database for the vulnerable code we used in earlier exercises.
The GitHub Codespace that you created in the previous challenge comes with CodeQL CLI preinstalled. If you did create the codespace, you can skip this section and go to #create-a-codeql-database.
If you did not create the codespace in the previous challenge, the easiest way to install the CodeQL CLI locally is as an extension to the gh CLI tool — GitHub's official CLI tool.
- If you don't have
ghinstalled, install it using the instructions here. - Install the CodeQL extension using:
gh extensions install github/gh-codeql
gh codeql install-stubThe second command will enable you to run the CLI tool just by typing codeql instead of gh codeql.
If you encounter any issues, check the docs.
For creating a CodeQL database, you can use the examples from this repository, or choose another open source repository. For creating CodeQL databases with languages other than Python, see docs.
- Clone this repo to your local machine.
git clone https://github.com/GitHubSecurityLab/codeql-zero-to-hero.git- Move to the cloned directory.
cd codeql-zero-to-hero- Create a CodeQL database
gh codeql database create example-codeql-db --language=python- Deactivate the virtual environment
deactivate- Go to the VS Code CodeQL extension, click on the "Choose Database from folder" icon and select the "example-codeql-db" that you have created in step 5. If you haven't set up the premade codespace or installed VS Code with CodeQL extension, see the instructions in challenge 2.
And that's how you create and upload a CodeQL to continue with further analysis. Congrats on completing challenge 3! 🎉