CodeQL Collector
Detects GitHub CodeQL security scanning via GitHub Code Scanning check-runs or CLI integration in CI pipelines. Writes to normalized SAST Component JSON paths, enabling tool-agnostic SAST policies.
codeql to your lunar-config.yml:uses: github://earthly/lunar-lib/collectors/codeql@v1.0.0
What This Integration Collects
This integration includes 3 collectors that gather metadata from your systems.
github-app
Detects CodeQL scans on pull requests by querying GitHub check-runs API for the github-advanced-security app. Waits for scan completion and captures check status, conclusion, and URLs.
running-in-prs
Proves CodeQL is running on PRs by querying Lunar Hub for CodeQL data from recent PRs. Used on the default branch to provide compliance proof that PR scanning is happening.
cicd
Detects CodeQL CLI or legacy codeql-runner executions in CI pipelines. Captures command metadata and, when the SARIF output file is available on disk (from codeql database analyze/interpret-results), collects the raw SARIF and normalizes findings into .sast.findings and .sast.issues.
How Collectors Fit into Lunar
Lunar watches your code and CI/CD systems to collect SDLC data from config files, test results, IaC, deployment configurations, security scans, and more.
Collectors are the automatic data-gathering layer. They extract structured metadata from your repositories and pipelines, feeding it into Lunar's centralized database where guardrails evaluate it to enforce your engineering standards.
Learn How Lunar Works →Example Collected Data
This collector writes structured metadata to the Component JSON. Here's an example of the data it produces:
{
"sast": {
"running_in_prs": true,
"source": {
"tool": "codeql",
"version": "2.16.0",
"integration": "ci"
},
"findings": {
"critical": 0,
"high": 1,
"medium": 3,
"low": 0,
"total": 4
},
"issues": [
{
"severity": "high",
"rule": "go/sql-injection",
"file": "db/query.go",
"line": 42,
"message": "Unsanitized input used in SQL query"
}
],
"summary": {
"has_critical": false,
"has_high": true
},
"native": {
"codeql": {
"github_app": {
"id": 12345,
"name": "CodeQL",
"status": "completed",
"conclusion": "success"
},
"cicd": {
"cmds": [
{"cmd": "codeql database interpret-results --format=sarif-latest --output=../results/go.sarif", "version": "2.16.0"}
]
},
"sarif": {}
}
}
}
}Configuration
Configure this collector in your lunar-config.yml.
Secrets
This collector requires the following secrets to be configured in Lunar:
| Secret | Description |
|---|---|
GH_TOKEN
|
GitHub token for API access (required for github-app collector) |
Documentation
View on GitHubCodeQL Collector
Detects GitHub CodeQL security scans and collects scan metadata from GitHub Code Scanning or CLI integrations.
Overview
This collector detects CodeQL static analysis via GitHub's Code Scanning integration or CLI usage in CI pipelines. CodeQL is GitHub's semantic code analysis engine — unlike pattern-matching tools, it compiles source code into a relational database and queries it for vulnerabilities using inter-procedural data flow analysis.
All data is written to the .sast category, enabling tool-agnostic SAST policies that work across CodeQL, Semgrep, Snyk Code, and other SAST tools.
Collected Data
This collector writes to the following Component JSON paths:
| Path | Type | Description |
|---|---|---|
.sast.source |
object | Source metadata (tool, integration, optional version) |
.sast.findings |
object | Severity counts: critical, high, medium, low, total |
.sast.issues[] |
array | Individual findings with severity, rule, file, line, message |
.sast.summary |
object | has_critical, has_high booleans |
.sast.native.codeql.github_app |
object | Raw GitHub Code Scanning check-run data |
.sast.native.codeql.cicd |
object | CodeQL CLI invocations detected in CI |
.sast.native.codeql.sarif |
object | Raw SARIF output from CodeQL analysis (when available) |
.sast.running_in_prs |
boolean | Compliance proof that PRs are being scanned |
Collectors
| Collector | Hook Type | Description |
|---|---|---|
github-app |
code (PRs only) | Detects CodeQL via GitHub Code Scanning check-runs |
running-in-prs |
code (default branch) | Proves CodeQL is running on PRs (compliance proof for default branch) |
cicd |
ci-after-command | Detects codeql and legacy codeql-runner executions in CI, collects SARIF |
Installation
Add to your lunar-config.yml:
collectors:
- uses: github://earthly/lunar-lib/collectors/codeql@main
on: ["domain:your-domain"]
secrets:
GH_TOKEN: ${GH_TOKEN}
The github-app collector requires a GH_TOKEN secret for GitHub API access. CodeQL posts check-runs via the github-advanced-security app. The collector queries the check-runs API, filters by this app slug, and waits for completion.
The cicd collector matches both codeql and codeql-runner (legacy) binary executions in CI. When the traced command is codeql database analyze or codeql database interpret-results with a --output= flag, the collector reads the SARIF file from disk and collects it as raw data plus normalized findings counts and issues.
The running-in-prs collector queries the Lunar Hub database to verify PR scanning. It uses lunar sql connection-string to obtain database credentials. If unavailable, the collector skips silently.
Open Source
This collector is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.
Common Use Cases
Explore guardrails that use data from CodeQL Collector.
Ready to Automate Your Standards?
See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.
Infrastructure conventions
Post-mortem action items
Security & compliance policies
Testing & quality requirements