Collect repository CodeQL findings as a LLM-friendly report for easier fixing.
A TypeScript CLI tool that fetches CodeQL security scanning results from GitHub repositories and formats them into LLM-friendly reports. Perfect for feeding security alerts to AI assistants for analysis and remediation suggestions.
- 🔍 Automatic Repository Detection - Detects GitHub repository from local git remotes
- 🔐 Multiple Authentication Methods - Uses
GITHUB_TOKENenvironment variable or GitHub CLI (gh) - 📊 Multiple Output Formats - JSON, SARIF, Markdown, and Plain Text
- 🎚️ Configurable Detail Levels - Choose from minimum, medium, full, or raw detail
- 🎉 Clean Exit for No Alerts - Celebrates when no security issues are found
- 📝 Comprehensive Reports - Includes rule details, locations, messages, and metadata
- 🚀 Easy Integration - Use with
npxor install globally
No installation required:
npx @ivuorinen/gh-codeql-reportnpm install -g @ivuorinen/gh-codeql-report
gh-codeql-reportgit clone https://github.com/ivuorinen/gh-codeql-report.git
cd gh-codeql-report
npm install
npm run build- Node.js 18+ (ES Modules support)
- GitHub repository with CodeQL scanning enabled
- Authentication: Either:
GITHUB_TOKENenvironment variable withsecurity_events:readscope, or- GitHub CLI (
gh) authenticated
export GITHUB_TOKEN="ghp_your_token_here"
npx @ivuorinen/gh-codeql-reportgh auth login
npx @ivuorinen/gh-codeql-reportThe tool will automatically use gh CLI if GITHUB_TOKEN is not set.
Run in your repository directory:
npx @ivuorinen/gh-codeql-reportThis will:
- Detect the repository from your git remote
- Fetch all open CodeQL alerts
- Generate a
code-scanning-report-[timestamp].jsonfile with medium detail
gh-codeql-report [options]| Option | Alias | Description | Default |
|---|---|---|---|
--format |
-f |
Output format: json, sarif, txt, md |
json |
--detail |
-d |
Detail level: minimum, medium, full, raw |
medium |
--output |
-o |
Output file path | code-scanning-report-[timestamp].[format] |
--help |
-h |
Show help | |
--version |
-v |
Show version |
npx @ivuorinen/gh-codeql-report --format json --detail fullnpx @ivuorinen/gh-codeql-report --format md --output security-report.mdnpx @ivuorinen/gh-codeql-report --format sarif --output results.sarifnpx @ivuorinen/gh-codeql-report --detail raw --output raw-alerts.jsonStructured JSON output with flattened alert data. Ideal for programmatic processing and LLM consumption.
Standard SARIF v2.1.0 format. Compatible with many security tools and CI/CD platforms.
Human-readable markdown with tables and sections. Great for documentation and LLM context.
Plain text format for quick reading and terminal output.
Essential information only:
- Alert number and rule ID/name
- Severity and message
- File path and line numbers
- Commit SHA
Balanced detail for most use cases:
- Everything from minimum level
- Rule description
- Column numbers
- Alert state (open, dismissed, etc.)
Complete information:
- Everything from medium level
- Git reference (branch/tag)
- Analysis key and category
- Tool name and version
- Help text (if available)
Original API response without processing. Useful for debugging or custom processing.
0- Success (report generated or no alerts found)1- Error (authentication failed, repository not found, API error, etc.)
npm installnpm run buildCompiles TypeScript to dist/ directory.
# Using ts-node
npx tsx src/cli.ts
# Using compiled version
node dist/cli.js# Lint with Biome
npm run lint
# Lint with auto-fix
npm run lint:fix
# Format code
npm run format# Run all tests with coverage
npm test
# Current coverage: 98.91%The test suite includes:
- Unit tests for all formatters
- Integration tests for CLI
- Error handling scenarios
- GitHub API mocking
src/
├── cli.ts # Main CLI entry point
├── formatters/ # Output format generators
│ ├── json.ts
│ ├── sarif.ts
│ ├── markdown.ts
│ └── text.ts
├── lib/ # Core functionality
│ ├── auth.ts # GitHub authentication
│ ├── codeql.ts # CodeQL API client
│ ├── git.ts # Git remote parsing
│ └── types.ts # TypeScript types
└── __tests__/ # Test suites
The project uses GitHub Actions for:
- CI: Linting, testing, and building on every push/PR
- Release: Automated npm publishing on version tags
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Make your changes
- Run tests (
npm test) - Run linting (
npm run lint:fix) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
- ES Modules (type: module)
- TypeScript with strict mode
- Biome for linting and formatting
- 2-space indentation
- LF line endings
Feed the generated reports to AI assistants for:
- Security vulnerability analysis
- Remediation suggestions
- Code review assistance
- Documentation generation
Integrate into pipelines for:
- Security gate checks
- Automated reporting
- Trend analysis
- Alert notifications
- Centralized alert collection
- Custom report formatting
- Historical data export
- Integration with ticketing systems
Ensure you're in a git repository with a GitHub remote:
git remote -vCheck your token or GitHub CLI:
echo $GITHUB_TOKEN
# or
gh auth statusThis is good news! It means your repository has no open security issues.
MIT © 2025 Ismo Vuorinen