# Static Analysis Rules and CodeQL

Status: public. Confidence: medium (0.725) (verified). Last verified: 2026-06-02. Generation: ai_structured.

## TL;DR

Static analysis rules encode code patterns, data-flow conditions, or lint conventions that can be run automatically before an agent changes or ships code.

## Core Explanation

Code agents need machine-checkable guardrails. Static analysis rules help detect unsafe API use, tainted data flow, dependency risks, insecure defaults, style violations, and project-specific patterns that a general model may miss.

Rule systems differ in depth. Some rules match syntax patterns; others query semantic graphs or data-flow paths. For agent workflows, the most useful rules are explainable, tested, versioned, and connected to remediation guidance.

## Source-Mapped Facts

- CodeQL documentation says CodeQL queries analyze code for issues related to security, correctness, maintainability, and readability. ([source](https://codeql.github.com/docs/writing-codeql-queries/about-codeql-queries/))
- Semgrep documentation says Semgrep rules encapsulate pattern matching logic and data flow analysis to scan code for security issues, style violations, bugs, and more. ([source](https://semgrep.dev/docs/writing-rules/overview))
- ESLint documentation says developers can create custom rules when core rules do not cover a use case. ([source](https://eslint.org/docs/latest/extend/custom-rules))

## Further Reading

- [CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/about-codeql-queries/)
- [Semgrep rule writing](https://semgrep.dev/docs/writing-rules/overview)
- [ESLint custom rules](https://eslint.org/docs/latest/extend/custom-rules)
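## Worked Example

The Core Explanation distinguishes rules that match syntax patterns from rules that query data-flow paths, and asks that rules be explainable and tied to remediation. The following is an added example written for this page, not CodeQL, Semgrep or ESLint code: a small rule engine over Python's standard `ast` module with one rule of each kind. The rule ids (`PY-SHELL-TRUE`, `PY-TAINT-SINK`), the assumed source/sink/sanitizer tables, and the embedded `SAMPLE_SOURCE` target program are all constructed for illustration.

```python
"""Toy static-analysis rule engine on Python's ``ast`` module (added example, not a real tool).

Two rule depths: a syntax-pattern rule (subprocess.* called with shell=True) and a
flow-insensitive data-flow rule (a value from input() reaching os.system()/eval()
without passing through shlex.quote()). Rule ids and the taint tables are assumptions.
"""
import ast
from dataclasses import dataclass

# Assumed taint model for the data-flow rule (illustrative, deliberately small).
SOURCES = {"input"}
SINKS = {"os.system", "eval"}
SANITIZERS = {"shlex.quote"}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    line: int
    message: str
    remediation: str  # a rule is only actionable for an agent if it says how to fix the issue


def _call_name(call):
    """Dotted name of a call target ('subprocess.call', 'input'); None if it is dynamic."""
    func, parts = call.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def rule_shell_true(tree):
    """Syntax-pattern rule: matches the call shape only, no reasoning about values."""
    out = []
    for node in ast.walk(tree):
        name = _call_name(node) if isinstance(node, ast.Call) else None
        if name and name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    out.append(Finding("PY-SHELL-TRUE", node.lineno, f"{name} invoked with shell=True",
                                       "pass an argument list and drop shell=True"))
    return out


def _is_tainted(expr, tainted):
    """True if the expression carries data from a source; a sanitizer call cuts the flow."""
    if isinstance(expr, ast.Call):
        name = _call_name(expr)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False
        args = list(expr.args) + [kw.value for kw in expr.keywords]
        return any(_is_tainted(a, tainted) for a in args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(_is_tainted(child, tainted) for child in ast.iter_child_nodes(expr))


def _tainted_names(tree):
    """Fixpoint over simple `name = expr` assignments (flow-insensitive: ignores reassignment order)."""
    tainted, changed = set(), True
    while changed:
        changed = False
        for node in ast.walk(tree):
            if isinstance(node, ast.Assign) and len(node.targets) == 1 and isinstance(node.targets[0], ast.Name):
                name = node.targets[0].id
                if name not in tainted and _is_tainted(node.value, tainted):
                    tainted.add(name)
                    changed = True
    return tainted


def rule_taint_to_sink(tree):
    """Data-flow rule: a source value reaches a sink argument with no sanitizer on the path."""
    tainted, out = _tainted_names(tree), []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) in SINKS:
            args = list(node.args) + [kw.value for kw in node.keywords]
            if any(_is_tainted(a, tainted) for a in args):
                out.append(Finding("PY-TAINT-SINK", node.lineno, f"untrusted input reaches {_call_name(node)}",
                                   "validate or quote the value (e.g. shlex.quote) before it reaches the sink"))
    return out


def run_rules(source):
    """Run every rule over one module's source text; findings are ordered by line."""
    tree = ast.parse(source)
    return sorted(rule_shell_true(tree) + rule_taint_to_sink(tree), key=lambda f: f.line)


# Constructed target program for the demonstration (not real project code).
SAMPLE_SOURCE = '''
import os, shlex, subprocess

def list_dir():
    subprocess.call("ls -l", shell=True)        # flagged by the pattern rule

def run_user_command():
    raw = input("file: ")
    cmd = "cat " + raw
    os.system(cmd)                              # flagged by the data-flow rule
    safe = "cat " + shlex.quote(raw)
    os.system(safe)                             # sanitized: no finding
'''

if __name__ == "__main__":
    for f in run_rules(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.rule_id}] {f.message} -> {f.remediation}")
```

Running the file reports two findings on `SAMPLE_SOURCE`: the `shell=True` call on line 5 and the tainted `os.system(cmd)` on line 10, while the `shlex.quote`-sanitized call produces none. The pattern rule needs no knowledge of values, which is why it is cheap and easy to explain; the taint rule needs the assignment fixpoint, and its flow-insensitivity (a variable reassigned to a safe value stays tainted) is the kind of documented limitation a versioned, tested rule should state alongside its remediation text.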