Tags: security, github, owasp, codeql

Does GitHub publish the CodeQL ruleset?


I'd like to cross-check the vulnerabilities covered by GitHub's CodeQL service and OWASP Top Ten Web Application Security Risks so that I know where the gaps are.

I can't find a list of vulnerabilities covered by CodeQL. Does GitHub publish the list of rules?


Solution

  • The source code of the CodeQL queries is available in the GitHub repository. The documentation also lists the existing queries:

    However, which queries (or rather query suites) are run as part of GitHub workflows depends on the configuration of the workflow.
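The cross-check the question asks for can be automated from the query metadata itself: every security query in the github/codeql repository carries a QLDoc header with an `@id` and `@tags` line, and the tags include the targeted CWE as `external/cwe/cwe-NNN`. The script below is an added example (it is not part of the original post and not code from the github/codeql project): it parses those headers, buckets each query into the OWASP Top Ten 2021 categories that list its CWE, and reports the categories no query maps to. Two assumptions are labelled in the code: the CWE-to-category table is an abbreviated hand copy of the OWASP mapping and should be extended from the OWASP site before use, and the sample `.ql` headers are constructed to show the format rather than taken from the repository. Run it with the path of a local `github/codeql` checkout to analyse the real query set; without an argument it runs on the constructed samples.

```python
"""Map CodeQL query CWE tags onto OWASP Top Ten 2021 categories (added example).

Not part of the original post or the github/codeql project. It relies on the
`@tags ... external/cwe/cwe-NNN` lines that github/codeql security queries put
in their QLDoc header.
"""
import re
import sys
from pathlib import Path

# OWASP Top Ten 2021 categories -> CWE IDs they list.
# Assumption: this is an abbreviated hand copy; extend it from https://owasp.org/Top10/
OWASP_2021 = {
    "A01 Broken Access Control": {22, 200, 284, 285, 352, 601, 639, 862, 863},
    "A02 Cryptographic Failures": {259, 319, 321, 326, 327, 328, 330, 338, 347, 916},
    "A03 Injection": {20, 74, 77, 78, 79, 89, 90, 91, 94, 116, 643, 917},
    "A04 Insecure Design": {209, 256, 312, 434, 522, 602, 1021},
    "A05 Security Misconfiguration": {16, 611, 614, 776, 942, 1004},
    "A06 Vulnerable and Outdated Components": {937, 1035, 1104},
    "A07 Identification and Authentication Failures": {287, 295, 297, 306, 307, 384, 521, 798},
    "A08 Software and Data Integrity Failures": {345, 426, 494, 502, 829, 915},
    "A09 Security Logging and Monitoring Failures": {117, 223, 532, 778},
    "A10 Server-Side Request Forgery": {918},
}

ID_RE = re.compile(r"^\s*\*?\s*@id\s+(\S+)", re.MULTILINE)
CWE_RE = re.compile(r"external/cwe/cwe-0*(\d+)")   # tags are zero-padded, e.g. cwe-079


def parse_query(text):
    """Return (query id, set of CWE numbers) from a .ql file's QLDoc header, or None."""
    header_end = text.find("*/")
    if header_end < 0:
        return None
    header = text[:header_end]
    m = ID_RE.search(header)
    if not m:
        return None
    return m.group(1), {int(c) for c in CWE_RE.findall(header)}


def categorize(queries):
    """Map each OWASP category to the sorted ids of queries targeting one of its CWEs.

    A CWE may appear in more than one category (CWE-259 is in A02 and A07), so a
    query can legitimately land in several buckets.
    """
    coverage = {cat: [] for cat in OWASP_2021}
    for qid, cwes in queries:
        for cat, cat_cwes in OWASP_2021.items():
            if cwes & cat_cwes:
                coverage[cat].append(qid)
    return {cat: sorted(qids) for cat, qids in coverage.items()}


def gaps(coverage):
    """Categories with no mapped query: the gaps the question is asking about."""
    return [cat for cat, qids in coverage.items() if not qids]


def load_from_checkout(root):
    """Parse every .ql file under a local github/codeql checkout (or any query tree)."""
    queries = []
    for path in Path(root).rglob("*.ql"):
        parsed = parse_query(path.read_text(encoding="utf-8", errors="replace"))
        if parsed:
            queries.append(parsed)
    return queries


# Constructed sample headers in the QLDoc format github/codeql queries use.
SAMPLE_QL = [
    "/**\n * @name Database query built from user-controlled sources\n"
    " * @kind path-problem\n * @id java/sql-injection\n"
    " * @tags security\n *       external/cwe/cwe-089\n */\nimport java\n",
    "/**\n * @name Server-side request forgery\n * @kind path-problem\n"
    " * @id js/request-forgery\n * @tags security\n *       external/cwe/cwe-918\n */\n",
    "/**\n * @name Deserialization of user-controlled data\n * @kind path-problem\n"
    " * @id py/unsafe-deserialization\n * @tags security\n"
    " *       external/cwe/cwe-502\n */\n",
    # A non-security query: has an @id but no CWE tag, so it lands in no category.
    "/**\n * @name Useless comparison test\n * @kind problem\n"
    " * @id java/useless-comparison\n * @tags correctness\n */\n",
]


def sample_report():
    """Coverage computed over the constructed samples."""
    return categorize([q for q in map(parse_query, SAMPLE_QL) if q])


if __name__ == "__main__":
    queries = load_from_checkout(sys.argv[1]) if len(sys.argv) > 1 else \
        [q for q in map(parse_query, SAMPLE_QL) if q]
    coverage = categorize(queries)
    for cat, qids in coverage.items():
        print(f"{cat}: {len(qids)} queries")
    print("Gaps (no query maps to these):", ", ".join(gaps(coverage)) or "none")
```

Two caveats when reading the output. First, a query being present in the repository does not mean it runs in a given scan: the codeql-action `queries:` setting selects the suite (the default suite, `security-extended`, or `security-and-quality`), and `codeql resolve queries <suite>` lists exactly what a suite expands to, so compare against that list for a specific repository rather than against the whole tree. Second, the mapping is only as good as the CWE table; a category reported as a gap may simply be one whose CWEs you have not copied in yet.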