# CodeQL Databases and Query Packs

Status: public · Confidence: medium (0.725) · Basis: verified_sources

## TL;DR

CodeQL databases and query packs give coding agents structured security evidence that is more precise than grep over source text.

## Core Explanation

Agents that triage static-analysis findings need to know what code was extracted, which language database was built, which query pack ran, and how results were exported. Otherwise, the agent may treat missing alerts as proof of safety or compare SARIF generated from different commits, query versions, or build commands.

Useful evidence includes source root, language, build command, extractor logs, CodeQL database path, query pack name and version, query suite, SARIF output, alert locations, data-flow paths, and any excluded generated or vendored code.
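The provenance check described above, as an added example that is not part of the original page: the SARIF fragments are constructed sample data in the shape `codeql database analyze --format=sarif-latest` writes (the assumption here is that CodeQL records query packs under `tool.extensions` and the commit under `versionControlProvenance`), and the helper names are this example's own.

```python
# Constructed SARIF 2.1.0 fragments (sample values, not real scan output) in the
# shape `codeql database analyze --format=sarif-latest` writes. Field names are
# standard SARIF: tool.driver, tool.extensions, versionControlProvenance, results.
SARIF_A = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL", "version": "2.0.0-sample"},
             "extensions": [{"name": "codeql/python-queries", "version": "1.0.0-sample"}]},
    "versionControlProvenance": [{"repositoryUri": "https://example.invalid/app.git",
                                  "revisionId": "aaaa1111"}],
    "results": [{"ruleId": "py/sql-injection", "message": {"text": "sample alert"},
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                     "region": {"startLine": 42}}}]}]}]}
# Same repo, later commit, newer query pack, zero results: not evidence the bug is gone.
SARIF_B = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL", "version": "2.0.0-sample"},
             "extensions": [{"name": "codeql/python-queries", "version": "1.1.0-sample"}]},
    "versionControlProvenance": [{"repositoryUri": "https://example.invalid/app.git",
                                  "revisionId": "bbbb2222"}],
    "results": []}]}


def run_provenance(sarif: dict) -> dict:
    """Pull the fields that decide whether two runs are comparable at all."""
    run = sarif["runs"][0]
    tool = run["tool"]
    vcs = (run.get("versionControlProvenance") or [{}])[0]
    return {
        "tool": (tool["driver"].get("name"), tool["driver"].get("version")),
        "packs": sorted((e.get("name"), e.get("version")) for e in tool.get("extensions", [])),
        "repository": vcs.get("repositoryUri"),
        "revision": vcs.get("revisionId"),
    }


def comparability_gaps(a: dict, b: dict) -> list:
    """Provenance fields that differ between two runs. A non-empty list means a
    diff of their result sets says nothing about what changed in the code."""
    pa, pb = run_provenance(a), run_provenance(b)
    return [k for k in pa if pa[k] != pb[k]]


def alert_locations(sarif: dict) -> list:
    """(ruleId, file, line) per result location: the minimum an agent should cite."""
    out = []
    for res in sarif["runs"][0].get("results", []):
        for loc in res.get("locations", []):
            phys = loc["physicalLocation"]
            out.append((res["ruleId"], phys["artifactLocation"]["uri"],
                        phys["region"].get("startLine")))
    return out
```

An agent that sees `comparability_gaps` return anything but an empty list should report the two runs as different evidence rather than as a before/after pair.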

## Source-Mapped Facts

- CodeQL documentation says CodeQL first extracts a relational representation of each source file in the codebase to create a database. ([source](https://codeql.github.com/docs/codeql-overview/about-codeql/))
- GitHub Docs says query packs contain pre-compiled queries that can be evaluated on a CodeQL database. ([source](https://docs.github.com/en/code-security/concepts/code-scanning/codeql/codeql-query-packs))
- GitHub Docs says `codeql database analyze` runs queries against a CodeQL database and produces results such as SARIF. ([source](https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze))

## Further Reading

- [About CodeQL](https://codeql.github.com/docs/codeql-overview/about-codeql/)
- [CodeQL Query Packs](https://docs.github.com/en/code-security/concepts/code-scanning/codeql/codeql-query-packs)
- [codeql database analyze](https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze)