You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Changes on main since the latest tagged release that have not yet been included in a stable release.
Preview theme: the next phase of MCP-assisted CodeQL query development, incorporating and extending ideas for GitHubSecurityLab/seclab-taskflow-agent and seclab-taskflows for multi-repository variant analysis workflows.
Highlights
Persistent MRVA workflow state and caching — Introduced a new SqliteStore backend plus opt-in annotation, audit, and query result cache tools to support the next phase of MCP-assisted CodeQL development and seclab-taskflow-agent integration. (#169)
Rust language support — Added first-class Rust support with PrintAST, PrintCFG, CallGraphFrom, CallGraphTo, and CallGraphFromTo queries, bringing the total supported languages to 10. (#195)
Bug fixes and design improvements from v2.25.1-next.2 evaluation — Fixed 5 bugs across bqrs_interpret, bqrs_info, annotation_search, audit_add_notes, and query_results_cache_compare; added database_analyze auto-caching and per-database mutex serialization; auto-enabled annotation tools in VS Code extension. (#199)
Query result cache tools for lookup, subset retrieval, cache clearing, and cross-database comparison. (#169)
MCP Server Resources
URI
Description
codeql://languages/rust/ast
Rust AST reference resource with verified accessor predicates for CodeQL query development. (#195)
CodeQL Query Packs
Pack
Description
Rust tools pack
Added PrintAST, PrintCFG, CallGraphFrom, CallGraphTo, and CallGraphFromTo support for Rust. (#195)
Infrastructure & CI/CD
Added Rust coverage to CI and release workflows, including query unit tests and VSIX bundling. (#195)
Added client integration tests for the new Rust queries and for the annotation, audit, and cache tool suites, including an MRVA triage workflow end-to-end test. (#169, #195)
Changed
MCP Server Tools
Tool
Change
codeql_query_run
Query results are now auto-cached after SARIF interpretation, enabling later lookup and comparison workflows. (#169)
query metadata and database resolution
Added in-memory caching with mtime-based invalidation and deduplicated resolution logic for better performance. (#169)
codeql_bqrs_interpret
Added optional database parameter mapped to --source-archive for SARIF source context; validates that src.zip or src exists. (#199)
codeql_bqrs_info
Breaking: renamed files (array) parameter to file (string) to match the CLI which accepts exactly one file. (#199)
codeql_database_analyze
Results are now auto-cached after SARIF output for query_results_cache_compare and query_results_cache_retrieve; concurrent calls to the same database are serialized via a per-database mutex. (#199)
audit_add_notes
Added findingId as preferred lookup; owner/repo/sourceLocation/line are now optional fallback fields. (#199)
annotation_search
Category field is now matched with case-insensitive COLLATE NOCASE alongside the existing FTS index. (#199)
query_results_cache_compare
SARIF content fallback for result count is now gated on SARIF output format, avoiding unnecessary JSON parsing of non-SARIF cache entries. (#199)
VS Code Extension
McpProvider.requestRestart() now invalidates the environment cache and bumps a +rN revision suffix so VS Code reliably restarts the MCP server after configuration changes. (#196)
Cached the extension version in the provider constructor to avoid repeated synchronous reads of package.json. (#196)
New codeql-mcp.enableAnnotationTools setting (default: true) auto-sets ENABLE_ANNOTATION_TOOLS and MONITORING_STORAGE_LOCATION environment variables; additionalEnv overrides for advanced users. (#199)
Infrastructure & CI/CD
Refactored monolithic server logic into focused database-resolver, query-resolver, result-processor, and codeql-version modules for maintainability and reuse. (#169)
Fixed
Workspace folder changes could leave the MCP server stopped but not restarted — The VS Code extension now rebuilds the environment and forces a proper restart when workspace folders change. (#196)
codeql_bqrs_interpret unusable through MCP interface — Added database parameter mapped to --source-archive with src.zip/src fallback and clear error when neither exists. (#199)
query_results_cache_compare reported totalResultCount: 0 — Result count is now computed from SARIF runs[0].results.length at cache time; compare tool falls back to parsing cached SARIF content only for SARIF-format entries. (#199)
annotation_search ignored category field — Extended FTS search condition to also match category with case-insensitive COLLATE NOCASE. (#199)
audit_add_notes ignored findingId — Added findingId as preferred direct-lookup alternative to the composite key fields. (#199)
codeql_bqrs_infofiles array caused CLI error — Changed parameter from files (array) to file (string) to match the CLI expectation. (#199)
Per-database mutex lock key not normalized — Database lock key now uses realpath to prevent bypassing serialization with relative paths, symlinks, or different casing. (#199)
Dependencies
Replaced lowdb with sql.js as the persistence backend, removing the previous JSON-file storage dependency. (#169)
Added codeql/rust-all support for the new Rust tool queries. (#195)
Upgraded CodeQL CLI to v2.25.1 — Full compatibility with the latest CodeQL CLI release, including upgraded QL pack dependencies for all supported languages. (#192)
Added CHANGELOG.md with full release history — Comprehensive changelog following Keep a Changelog format, with a maintenance agent skill and markdownlint CI enforcement. (#193)
Added
Infrastructure & CI/CD
Added CHANGELOG.md covering all stable releases (v2.24.0 through v2.25.0) with Highlights, Added, Changed, Fixed, Dependencies, and other standard sections. (#193)
Added maintain-changelog agent skill (.github/skills/maintain-changelog/SKILL.md) with a 5-phase workflow for drafting, classifying, and promoting changelog entries. (#193)
Added changelog_md.instructions.md applied automatically when editing CHANGELOG.md. (#193)
Added markdownlint-cli with .markdownlint.yml config and .markdownlintignore, enforced via npm run lint:md and the lint-and-format.yml CI workflow. (#193)
Fixed
upgrade-packs.sh not enforcing explicit upgrades — Fixed the pack upgrade script to always regenerate lock files and display output on failure, preventing silent staleness during CodeQL CLI upgrades. (#192)
Duplicated code detection prompts and tools — New workflow prompts and supporting tools for identifying and reporting duplicated code patterns across CodeQL databases, contributed by @MichaelRFairhurst. (#109)
CallGraphFromTo queries for all supported languages — Unified call-graph entry-point queries added for every language pack. (#168)
Upgraded CodeQL CLI to v2.25.0 — Full compatibility with the latest CodeQL CLI release. (#161)
Added
MCP Server Tools
Tool
Description
check_for_duplicated_code
Detects duplicated code patterns across CodeQL databases to support the duplicate-code workflow prompts. (#109)
find_overlapping_queries
Finds overlapping or redundant CodeQL queries to support the duplicate-code workflow prompts. (#109)
MCP Server Prompts
Prompt
Description
check_for_duplicated_code
Guides agents through finding and reporting duplicated code patterns across a CodeQL database. (#109)
find_overlapping_queries
Guides agents through identifying overlapping or redundant CodeQL queries. (#109)
CodeQL Query Packs
Pack
Description
CallGraphFromTo
Unified call-graph entry-point queries added for all supported languages (actions, cpp, csharp, go, java, javascript, python, ruby, swift). (#168)
Changed
Infrastructure & CI/CD
Pinned all GitHub Actions to full-length commit SHAs for supply-chain integrity. (#190)
Updated dependabot configuration to group related PRs. (#191)
Improved prompt error handling and added relative path support for prompt resolution. (#153)
Updated action versions and fixed the build-and-test step in the update-codeql workflow. (#158)
Added support for a target upgrade version parameter in update-codeql.yml. (#160)
Fixed
codeql_database_analyzeadditionalArgs were silently dropped instead of being forwarded to the CLI. (#188)
Database lock contention fix — Resolved a critical compatibility issue where .lock files created by the GitHub.vscode-codeql extension prevented the MCP server from running CLI commands. A new DatabaseCopier syncs databases into a managed, lock-free directory under the extension's globalStorage. (#119)
New CodeQL search and discovery tools — Two new tools (search_ql_code, codeql_resolve_files) eliminate the need for LLMs to use grep or shell access for QL code search and file discovery. (#119)
Automatic CodeQL CLI discovery — The MCP server now automatically finds the CodeQL CLI binary installed by the GitHub.vscode-codeql extension off-PATH, using distribution.json with a fallback to scanning distribution* directories. (#91)
Rewritten MCP resources as actionable LLM-oriented guides — All static MCP resources rewritten with clearer URIs and actionable content. (#113)
Added
MCP Server Tools
Tool
Description
search_ql_code
Searches QL source code by text or regex pattern across resolved CodeQL packs and workspace folders, returning matched lines with surrounding context.
codeql_resolve_files
Discovers files by extension or glob pattern within CodeQL databases and packs, enabling LLMs to find source files without CLI dependencies.
MCP Server Resources
URI
Description
codeql://server/overview
MCP server orientation guide (replaces getting-started.md)
Language-specific security query guides (migrated from .github/skills/)
Changed
MCP Server Tools
Tool
Change
profile_codeql_query_from_logs
Rewritten with two-tier design: compact inline JSON + line-indexed detail file. Parser now captures RA operations and pipeline-stage tuple progressions. Output is deterministic (no timestamps). Uses streaming async generators for large evaluator logs.
codeql_query_run
resolveDatabasePath helper auto-resolves multi-language database roots and throws on ambiguity instead of silently picking the first candidate.
codeql_database_analyze
Same resolveDatabasePath helper applied for consistent database path resolution.
codeql_resolve_database
Now probes child directories for databases; uses resolveDatabasePath for ambiguity detection.
MCP Server Prompts & Resources
All existing workflow prompts and resources updated to remove grep/CLI references in favor of search_ql_code and codeql_resolve_files.
Infrastructure & CI/CD
Added CODEQL_MCP_TMP_DIR and CODEQL_MCP_WORKSPACE_FOLDERS environment variables for workspace-local scratch directories. (#119)
Added query-file-finder contextual hints for missing tests, documentation, and expected results. (#119)
Set ENABLE_MONITORING_TOOLS=false for client integration tests to avoid CI interference. (#115)
Fixed
Database lock contention with vscode-codeql — .lock files created by the vscode-codeql query server prevented codeql_query_run and codeql_database_analyze from executing. A new DatabaseCopier syncs databases into a managed lock-free directory. (#119)
Version-bearing files not updated during release — update-release-version.sh now tracks server/src/codeql-development-mcp-server.ts (const VERSION) alongside all other version files. (#90)
MCP resource content missing at runtime in VSIX — Embedded MCP resource content at build time via esbuild loader for VSIX compatibility. (#111)
CODEQL_PATH tests failing on Windows CI — Fixed robust binary search and MSYS2 FIFO skip for windows-latest. (#115)
TOCTOU race condition in search_ql_code — Eliminated filesystem race (read-then-check instead of stat-then-read); added symlink cycle detection. (#119)
OOM risk with large files in search_ql_code — Large files (>5 MB) are now streamed line-by-line instead of loaded into memory. (#119)
Transient HTTP 503 in install-packs.sh — Added exponential backoff retry (3 attempts, 10s/20s/40s) for codeql pack install to handle GHCR.io rate limits. (#121)
New VS Code extension — Introduced advanced-security.vscode-codeql-development-mcp-server, a VS Code extension distributed as a VSIX archive that bridges the GitHub CodeQL extension and the MCP server. It auto-discovers databases, query results, and MRVA results; bundles the server and all CodeQL tool packs; manages the server lifecycle; and registers an MCP Server Definition Provider. (#61)
Five new MCP server tools — list_codeql_databases, list_query_run_results, list_mrva_run_results, profile_codeql_query_from_logs, and read_database_source. (#61, #70)
New FP/FN diagnosis prompt — run_query_and_summarize_false_positives guides agents through running queries and diagnosing precision issues. (#70)
Added
MCP Server Tools
Tool
Description
list_codeql_databases
Discovers CodeQL databases in configured base directories. Returns path, language, CLI version, and creation time for each database.
list_query_run_results
Lists discovered query run result directories. Returns path, query name, timestamp, language, and available artifacts. Supports filtering by queryName, language, or queryPath.
list_mrva_run_results
Lists discovered MRVA run results. Returns run ID, timestamp, repositories scanned, analysis status, and available artifacts.
profile_codeql_query_from_logs
Parses CodeQL query evaluation logs into a performance profile without re-running the query. Works with logs from codeql query run, codeql database analyze, or vscode-codeql query history.
read_database_source
Reads source file contents directly from a CodeQL database's source archive (src.zip) or extracted source directory (src/), enabling agents to inspect code at alert locations without the original source tree.
MCP Server Prompts
Prompt
Description
run_query_and_summarize_false_positives
Guides an agent through running a CodeQL query, reading source code from the database archive via read_database_source, and diagnosing false positives / false negatives to improve query precision.
VS Code Extension
Initial release of advanced-security.vscode-codeql-development-mcp-server VSIX. (#61)
Changed
MCP Server Tools
Tool
Change
codeql_bqrs_decode
Added text and bqrs output formats, --result-set selection, --sort-key / --sort-direction sorting, --no-titles flag, --entities column display control, and --rows pagination.
codeql_bqrs_info
Enhanced description with cross-references to related tools and workflow guidance.
codeql_database_analyze
Improved logging and error messages; auto-creates output directories.
codeql_query_run
Minor logging improvements.
register_database
Error objects now chain the original cause for better debugging.
MCP Server Prompts
All existing workflow prompts updated to use #tool_name hashtag references (instead of backtick formatting) for tool mentions, improving consistency in VS Code Copilot Chat.
Prompt templates embedded at build time via esbuild's loader: { '.md': 'text' }.
Infrastructure & CI/CD
Refactored the release workflow into separate child workflows with isolated deployment environments. (#45)
Added a nightly CodeQL CLI update workflow that automates version bumps across all packages. (#58)
Added dedicated GitHub Actions workflows for building, testing (with coverage), linting, bundling, and packaging the VS Code extension. (#61)
Added stdio transport support to the client integration test runner alongside SSE. (#77)
Release artifacts now include version strings in filenames (e.g., codeql-development-mcp-server-v2.24.2.vsix). (#81)
Release workflow uses a concurrency group keyed by version, preventing overlapping releases. (#81)
Added .md documentation enforcement for all .ql tool queries. (#81)
Fixed
VSIX bundle missing server dependencies — esbuild external configuration excluded required Node.js dependencies (express, cors, zod, etc.) from the bundled VSIX, causing runtime failures. (#71)
Prompt templates not found at runtime — Refactored prompt loading from readFileSync to build-time static imports for all deployment scenarios. (#71)
Client integration test timeouts — Resolved timeout issues in client integration test fixtures that caused flaky CI runs. (#74)
VS Code extension version not tracked in release scripts — update-release-version.sh and nightly CodeQL CLI update workflow now detect and update the version in extensions/vscode/package.json. (#75)
VSIX-bundled server pack installation — Extension now prefers the bundled server/ directory inside the VSIX for CodeQL pack resolution. (#81)
Error chaining in register_database — All error paths now preserve the original cause. (#61)
Initial public release of the CodeQL Development MCP Server.
Highlights
First public release, tested against CodeQL CLI v2.24.0.
MCP server with tools for running CodeQL queries, decoding BQRS results, analyzing databases, and managing CodeQL packs.
PrintAST, PrintCFG, CallGraphFrom, and CallGraphTo tool queries for all supported languages (actions, cpp, csharp, go, java, javascript, python, ruby, swift).
Client integration test suite with SSE transport support.
npm-installable package and tarball release artifacts.
Added
Core MCP server (codeql-development-mcp-server) with SSE and stdio transports.