I'd like to cross-check the vulnerabilities covered by GitHub's CodeQL service and OWASP Top Ten Web Application Security Risks so that I know where the gaps are.
I can't find a list of vulnerabilities covered by CodeQL. Does GitHub publish the list of rules?
The source code of the CodeQL queries is available in the GitHub repository. The documentation also lists the existing queries:
However, which queries (or rather query suites) are run as part of GitHub workflows depends on the configuration of the workflow.
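As an added illustration (not part of the answer above), this is what the relevant part of a GitHub Actions workflow looks like: the query suite is selected in the `with:` block of the `github/codeql-action/init` step, so the set of vulnerability classes actually checked on a given repository is determined here, not by CodeQL as a whole. The repository name, the `javascript` language and the branch names are constructed placeholders for this example.

```yaml
# Constructed example workflow (not from the original post).
# Only the steps that decide which CodeQL queries run are shown.
name: CodeQL

on:
  push:
    branches: [main]          # assumed branch name
  pull_request:
    branches: [main]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # needed to upload SARIF results to code scanning
      contents: read
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          # Language(s) to analyze; assumed for this example.
          languages: javascript
          # Which query suite runs. Without this key the action uses the
          # default code-scanning suite (high-precision security queries).
          # "security-extended" adds lower-precision/severity security queries;
          # "security-and-quality" additionally adds maintainability and
          # reliability queries. The OWASP-style coverage therefore differs
          # depending on which value is configured here.
          queries: security-extended

      - uses: github/codeql-action/autobuild@v3

      - uses: github/codeql-action/analyze@v3
```

When auditing coverage against the OWASP Top Ten, read this `queries:` value (or the `config-file:` it may point to) for each repository first; two repositories both "running CodeQL" can be executing quite different sets of rules.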