Configure GitHub Advanced Security with CodeQL to perform automated static analysis and vulnerability detection across repositories at enterprise scale.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionimplementing-github-advanced-security-for-code-scanningExecute the skills CLI command in your project's root directory to begin installation:
Fetches implementing-github-advanced-security-for-code-scanning from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate implementing-github-advanced-security-for-code-scanning. Access via /implementing-github-advanced-security-for-code-scanning in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Use skill to generate boilerplate code, refactor legacy code, and write tests faster
Example
Generate React component with TypeScript types, styled-components, and comprehensive test suite in minutes
Reduce development time by 40-60% for repetitive coding tasks
Systematically review code for bugs, security issues, and style violations
Example
Analyze pull requests for common anti-patterns, suggest performance improvements, flag security vulnerabilities
Catch 70%+ of code issues before human review, improve code quality
Trace errors through stack traces and identify root causes faster
Example
Analyze error logs, suggest probable causes, recommend fixes with code examples
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | implementing-github-advanced-security-for-code-scanning |
| description | Configure GitHub Advanced Security with CodeQL to perform automated static analysis and vulnerability detection across repositories at enterprise scale. |
| domain | cybersecurity |
| subdomain | devsecops |
| tags | - github-advanced-security - codeql - sast - code-scanning - supply-chain-security - devops-security - shift-left |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.PS-01 - GV.SC-07 - ID.IM-04 - PR.PS-04 |
GitHub Advanced Security (GHAS) integrates CodeQL-powered static application security testing directly into the GitHub development workflow. CodeQL treats code as data, enabling semantic analysis that identifies security vulnerabilities such as SQL injection, cross-site scripting, buffer overflows, and authentication flaws with significantly fewer false positives than traditional pattern-matching scanners. GHAS encompasses code scanning, secret scanning, dependency review, and Dependabot alerts to provide a comprehensive security posture for repositories.
CodeQL compiles source code into a queryable database, then executes security-focused queries against that database. The query suites ship with hundreds of checks mapped to CWE identifiers and cover OWASP Top 10, SANS Top 25, and language-specific vulnerability patterns. Custom queries can be authored using the CodeQL query language (QL) to detect organization-specific anti-patterns.
Default Setup enables code scanning with a single click from the repository's Code Security settings. GitHub automatically determines the languages present, selects appropriate query suites, and configures scanning triggers. This approach requires no workflow file and is ideal for rapid onboarding.
Advanced Setup generates a .github/workflows/codeql.yml workflow file that can be customized. Teams control scheduling, language matrices, build commands for compiled languages, additional query packs, and integration with third-party SARIF producers. Advanced setup is required when custom build steps, monorepo configurations, or private query packs are needed.
For enterprises managing hundreds of repositories, GHAS supports configuring code scanning at scale using the organization-level security overview. Administrators can enable default setup across all eligible repositories, define custom security configurations, and monitor adoption through the security coverage dashboard.
Create .github/workflows/codeql-analysis.yml:
name: "CodeQL Analysis"
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
schedule:
- cron: '30 2 * * 1' # Weekly Monday 2:30 AM UTC
jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
strategy:
fail-fast: false
matrix:
language: ['javascript-typescript', 'python', 'java-kotlin']
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: +security-extended,security-and-quality
# For compiled languages, add build commands below
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ matrix.language }}"
Install organization-specific query packs by referencing them in the workflow:
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: java-kotlin
packs: |
my-org/[email protected]
codeql/java-queries:cwe/cwe-089
.github/dependabot.yml for automated dependency version updates| Suite | Description | Use Case |
|---|---|---|
default | High-confidence security queries | Production scanning with minimal false positives |
security-extended | Broader security queries including lower-severity findings | Comprehensive security coverage |
security-and-quality | Security plus code quality queries | Teams wanting both security and maintainability checks |
| Custom packs | Organization-authored queries | Detecting internal anti-patterns and compliance violations |
GHAS accepts SARIF (Static Analysis Results Interchange Format) uploads from external tools:
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
category: "semgrep"
The organization-level security overview provides:
/repos/{owner}/{repo}/code-scanning/alerts) for custom reporting dashboardsdefault suite and expand gradually to avoid developer alert fatigueCut debugging time by 30-50%, especially for unfamiliar codebases
Get explanations, examples, and best practices for unfamiliar frameworks
Example
Understand Next.js app router, learn Rust ownership, grasp Kubernetes concepts with practical examples
Accelerate learning curve by 2-3x, reduce onboarding time for new tech stacks
Prerequisites
Time Estimate
15-30 minutes to install and see first useful output
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use coding skills for boilerplate generation, code reviews, refactoring legacy code, writing tests, learning new frameworks, and debugging non-critical issues. Best for repetitive tasks where errors are easy to catch.
✗ Avoid when
Avoid for production security features (auth, encryption, payment processing), complex business logic requiring deep domain knowledge, performance-critical algorithms, or when learning fundamentals is more valuable than speed.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Solid pick for teams standardizing on skills: implementing-github-advanced-security-for-code-scanning is focused, and the summary matches what you get after install.
implementing-github-advanced-security-for-code-scanning has been reliable in day-to-day use. Documentation quality is above average for community skills.
Keeps context tight: implementing-github-advanced-security-for-code-scanning is the kind of skill you can hand to a new teammate without a long onboarding doc.
implementing-github-advanced-security-for-code-scanning is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
We added implementing-github-advanced-security-for-code-scanning from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Keeps context tight: implementing-github-advanced-security-for-code-scanning is the kind of skill you can hand to a new teammate without a long onboarding doc.
Useful defaults in implementing-github-advanced-security-for-code-scanning — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
implementing-github-advanced-security-for-code-scanning has been reliable in day-to-day use. Documentation quality is above average for community skills.
Solid pick for teams standardizing on skills: implementing-github-advanced-security-for-code-scanning is focused, and the summary matches what you get after install.
implementing-github-advanced-security-for-code-scanning is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
showing 1-10 of 68