This article is specifically about writing queries to use with the database analyze command to produce interpreted results. For conceptual information about custom queries, see Custom CodeQL queries.
Writing a valid query
Before running a custom analysis you need to write a valid query, and save it in a file with a .ql extension. There is extensive documentation available to help you write queries. For more information, see CodeQL queries.
Including query metadata
When running queries with the database analyze command, you must include the following two properties to ensure that the results are interpreted correctly:
- Query identifier (@id): a sequence of words composed of lowercase letters or digits, delimited by / or -, identifying and classifying the query.
- Query type (@kind): identifies the query as a simple alert (@kind problem), an alert documented by a sequence of code locations (@kind path-problem), for extractor troubleshooting (@kind diagnostic), or a summary metric (@kind metric and @tags summary).
The query's select clause must also fit the declared @kind: a problem query selects a code element followed by a message string, and a path-problem query selects the sink element, the source and sink path nodes, and a message string (optionally followed by element/string pairs that fill the $@ placeholders in the message). A select clause that does not match the @kind is rejected when the query is compiled, so check the shape before you run the analysis.
For more information about these metadata properties, see Metadata for CodeQL queries and the Query metadata style guide.
Packaging custom queries
When you write queries to share with others, save them in a custom CodeQL pack.
To package your custom queries:
- Create a CodeQL pack with a qlpack.yml file in the root directory.
- Save your custom queries (.ql files) in the pack root or its subdirectories.
- Configure the qlpack.yml file to specify:
  - How to compile the queries
  - Dependencies on other CodeQL packs and libraries
  - Query suite definitions
  For more information about qlpack.yml properties, see Customizing analysis with CodeQL packs.
- Publish your pack to GitHub Packages, the GitHub Container registry. For more information, see Customizing analysis with CodeQL packs.
Including query help for custom CodeQL queries in SARIF files
For information about query help and documentation formats, see Custom CodeQL queries.
To include query help in SARIF files when running code scanning analyses:
- Write your query help in one of the following formats:
  - Markdown file: Save a Markdown file alongside your query with the same name (for example, my-query.md for my-query.ql).
  - .qhelp file: Write query help in .qhelp format, then convert it to Markdown before running the analysis. For more information, see Query help files and Testing query help files.
- Run codeql database analyze with the --sarif-add-query-help option:

  ```shell
  codeql database analyze <database> --format=sarif-latest --output=results.sarif --sarif-add-query-help
  ```

  Note: the --sarif-add-query-help option is available from CodeQL CLI v2.7.1 onwards.
- Upload the SARIF file to GitHub.
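The three procedures in this article (writing a query with the required @id and @kind metadata, packaging it in a CodeQL pack, and running database analyze with query help included) as one added example. This script is not from the GitHub Docs article or the CodeQL project: it lays out a small pack on disk and then runs the CLI steps described above. The pack name example-org/python-custom-queries, the query id py/example-input-to-eval, the file names, the PACK_DIR and CODEQL_DB variables and the default database path ./python-db are all assumed for the example. Analysis needs a Python CodeQL database and the codeql binary on PATH; without the binary the script only writes the pack.

```shell
#!/bin/sh
# Added example, not from the GitHub Docs article or the CodeQL project:
# builds a minimal custom CodeQL pack and runs the CLI steps the article
# describes. Pack name, query id, file names and database path are made up.

# write_pack DIR: create a pack holding one path-problem query, its Markdown
# query help, and a query suite that selects it.
write_pack() {
  pack_dir="$1"
  mkdir -p "$pack_dir/queries" "$pack_dir/suites"

  # qlpack.yml: pack name and version, the standard library the query needs
  # (fetched by "codeql pack install") and the suite to run by default.
  cat > "$pack_dir/qlpack.yml" <<'EOF'
name: example-org/python-custom-queries
version: 0.0.1
library: false
defaultSuiteFile: suites/custom.qls
dependencies:
  codeql/python-all: "*"
EOF

  # The query. @id and @kind are the two properties database analyze needs;
  # the select clause has the path-problem shape: sink element, source and
  # sink path nodes, message, then element/string pairs for the $@ placeholder.
  cat > "$pack_dir/queries/InputToEval.ql" <<'EOF'
/**
 * @name User input flows into eval
 * @description Passing a string read by input() to eval() runs arbitrary code.
 * @kind path-problem
 * @problem.severity error
 * @precision medium
 * @id py/example-input-to-eval
 * @tags security
 *       example
 */

import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.ApiGraphs
import InputToEvalFlow::PathGraph

module InputToEvalConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source = API::builtin("input").getACall() }

  predicate isSink(DataFlow::Node sink) { sink = API::builtin("eval").getACall().getArg(0) }
}

module InputToEvalFlow = DataFlow::Global<InputToEvalConfig>;

from InputToEvalFlow::PathNode source, InputToEvalFlow::PathNode sink
where InputToEvalFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This eval() argument depends on $@.", source.getNode(),
  "user input"
EOF

  # Markdown query help with the same base name as the query; this is the
  # text that --sarif-add-query-help copies into the SARIF rule metadata.
  cat > "$pack_dir/queries/InputToEval.md" <<'EOF'
# User input flows into eval

Calling eval() on a string built from input() lets whoever supplies the input
run arbitrary Python. Parse the input explicitly, or use ast.literal_eval when
only a literal is expected.
EOF

  # Query suite: every query under queries/ whose @kind is problem or
  # path-problem. A diagnostic or metric query would be filtered out here.
  cat > "$pack_dir/suites/custom.qls" <<'EOF'
- description: Custom Python queries from example-org
- queries: queries
- include:
    kind:
      - problem
      - path-problem
EOF
}

# run_analysis PACK_DIR DATABASE: resolve the pack's dependencies, then
# analyze the database with query help embedded in the SARIF output.
# Skipped (exit 0) when the codeql CLI is not on PATH.
run_analysis() {
  pack_dir="$1"
  db="$2"
  if ! command -v codeql >/dev/null 2>&1; then
    echo "codeql not on PATH; pack written to $pack_dir, analysis skipped" >&2
    return 0
  fi
  codeql pack install "$pack_dir"
  # --sarif-add-query-help needs CodeQL CLI 2.7.1 or later.
  codeql database analyze "$db" "$pack_dir/suites/custom.qls" \
    --format=sarif-latest --output=results.sarif --sarif-add-query-help
}

pack="${PACK_DIR:-$(mktemp -d)}"
write_pack "$pack"
run_analysis "$pack" "${CODEQL_DB:-./python-db}"
```

If you keep the help in .qhelp form instead, run codeql generate query-help --format=markdown over the query directory before the analysis so that a Markdown file with the query's base name exists when --sarif-add-query-help looks for it. To share the finished pack, codeql pack publish on the pack directory pushes it to the GitHub Container registry; it needs a token that is allowed to write packages.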