{"meta":{"title":"Personnalisation de l’analyse avec des packs CodeQL","intro":"Vous pouvez utiliser des packs CodeQL pour exécuter des requêtes CodeQL gérées par d’autres personnes ou pour partager des requêtes CodeQL que vous avez développées.","product":"Sécurité et qualité du code","breadcrumbs":[{"href":"/fr/code-security","title":"Sécurité et qualité du code"},{"href":"/fr/code-security/tutorials","title":"Tutorials"},{"href":"/fr/code-security/tutorials/customize-code-scanning","title":"Personnaliser l’analyse du code"},{"href":"/fr/code-security/tutorials/customize-code-scanning/customizing-analysis-with-codeql-packs","title":"Personnalisation de l’analyse"}],"documentType":"article"},"body":"# Personnalisation de l’analyse avec des packs CodeQL\n\nVous pouvez utiliser des packs CodeQL pour exécuter des requêtes CodeQL gérées par d’autres personnes ou pour partager des requêtes CodeQL que vous avez développées.\n\n<!-- TRANSLATION_FALLBACK prop=markdown type=TokenizationError line=11 col=80 msg=\"Syntax Error in tag 'octicon' - Valid syntax: octicon '<name>' <key='value'>, line:11, col:80\" -->\nYou can customize your CodeQL analysis by downloading packs created by others and running them on your codebase. For more information, see [CodeQL query packs](/en/code-security/concepts/code-scanning/codeql/codeql-query-packs).\n\n## Downloading and using CodeQL query packs\n\nBefore you can use a CodeQL query pack to analyze a database, you must download any packages you require from the GitHub Container registry. This can be done either by using the `--download` flag as part of the `codeql database analyze` command, or running `codeql pack download`. If a package is not publicly available, you will need to use a GitHub App or personal access token to authenticate. For more information and an example, see [Uploading CodeQL analysis results to GitHub](/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github#uploading-results-to-github).\n\n| Option                                                                             |                                                                                                                                                                                                            Required                                                                                                                                                                                                            | Usage                                                                                                                                                                                                                                                                                                                                                               |\n| ---------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| <code><span style=\"white-space: nowrap;\">\\<scope/name\\@version:path></span></code> |                                                     <svg version=\"1.1\" width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" class=\"octicon octicon-check\" aria-label=\"Required\" role=\"img\"><path d=\"M13.78 4.22a.75.75 0 0 1 0 1.06l-7.25 7.25a.75.75 0 0 1-1.06 0L2.22 9.28a.751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018L6 10.94l6.72-6.72a.75.75 0 0 1 1.06 0Z\"></path></svg>                                                    | Specify the scope and name of one or more CodeQL query packs to download using a comma-separated list. Optionally, include the version to download and unzip. By default the latest version of this pack is downloaded. Optionally, include a path to a query, directory, or query suite to run. If no path is included, then run the default queries of this pack. |\n| <code><span style=\"white-space: nowrap;\">--github-auth-stdin</span></code>         | <svg version=\"1.1\" width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" class=\"octicon octicon-x\" aria-label=\"Optional\" role=\"img\"><path d=\"M3.72 3.72a.75.75 0 0 1 1.06 0L8 6.94l3.22-3.22a.749.749 0 0 1 1.275.326.749.749 0 0 1-.215.734L9.06 8l3.22 3.22a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L8 9.06l-3.22 3.22a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L6.94 8 3.72 4.78a.75.75 0 0 1 0-1.06Z\"></path></svg> | Pass the CLI the GitHub App or personal access token created for authentication with GitHub's REST API from your secret store via standard input. This is not needed if the command has access to a `GITHUB_TOKEN` environment variable set with this token.                                                                                                        |\n\n> \\[!NOTE]\n> If you specify a particular version of a query pack to use, be aware that the version you specify may eventually become too old for the latest version of CodeQL to make efficient use of. To ensure optimal performance, if you need to specify exact query pack versions, you should reevaluate which versions you pin to whenever you upgrade the CodeQL CLI you're using.\n>\n> For more information about pack compatibility, see [CodeQL query packs reference](/en/code-security/reference/code-scanning/codeql/codeql-cli/codeql-query-packs#codeql-pack-compatibility).\n\n### Basic example of downloading and using query packs\n\nThis example runs the `codeql database analyze` command with the `--download` option to:\n\n1. Download the latest version of the `octo-org/security-queries` pack.\n2. Download a version of the `octo-org/optional-security-queries` pack that is *compatible* with version 1.0.1 (in this case, it is version 1.0.2). For more information on semver compatibility, see [npm's semantic version range documentation](https://github.com/npm/node-semver#ranges).\n3. Run all the default queries in `octo-org/security-queries`.\n4. Run only the query `queries/csrf.ql` from `octo-org/optional-security-queries`\n\n```shell\n$ echo $OCTO-ORG_ACCESS_TOKEN | codeql database analyze --download /codeql-dbs/example-repo \\\n    octo-org/security-queries \\\n    octo-org/optional-security-queries@~1.0.1:queries/csrf.ql \\\n    --format=sarif-latest --output=/temp/example-repo-js.sarif\n\n> Download location: /Users/mona/.codeql/packages\n> Installed fresh octo-org/security-queries@1.0.0\n> Installed fresh octo-org/optional-security-queries@1.0.2\n> Running queries.\n> Compiling query plan for /Users/mona/.codeql/packages/octo-org/security-queries/1.0.0/potential-sql-injection.ql.\n> [1/2] Found in cache: /Users/mona/.codeql/packages/octo-org/security-queries/1.0.0/potential-sql-injection.ql.\n> Starting evaluation of octo-org/security-queries/query1.ql.\n> Compiling query plan for /Users/mona/.codeql/packages/octo-org/optional-security-queries/1.0.2/queries/csrf.ql.\n> [2/2] Found in cache: /Users/mona/.codeql/packages/octo-org/optional-security-queries/1.0.2/queries/csrf.ql.\n> Starting evaluation of octo-org/optional-security-queries/queries/csrf.ql.\n> [2/2 eval 694ms] Evaluation done; writing results to octo-org/security-queries/query1.bqrs.\n> Shutting down query evaluator.\n> Interpreting results.\n```\n\n### Direct download of CodeQL packs\n\nIf you want to download a CodeQL pack without running it immediately, then you can use the `codeql pack download` command. This is useful if you want to avoid accessing the internet when running CodeQL queries. When you run the CodeQL analysis, you can specify packs, versions, and paths in the same way as in the previous example:\n\n```shell\necho $OCTO-ORG_ACCESS_TOKEN | codeql pack download <scope/name@version:path> <scope/name@version:path> ...\n```\n\n### Downloading CodeQL packs from multiple GitHub container registries\n\nIf your CodeQL packs reside on multiple container registries, then you must instruct the CodeQL CLI where to find each pack. For more information, see [Workflow configuration options for code scanning](/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#downloading-codeql-packs-from-github-enterprise-server).\n\n## Specifying which queries to run in a CodeQL pack\n\nQuery specifiers are used by `codeql database analyze` and other commands that operate on a set of queries.\nThe complete form of a query specifier is `scope/name@range:path`, where:\n\n* `scope/name` is the qualified name of a CodeQL pack.\n* `range` is a [semver range](https://docs.npmjs.com/cli/v6/using-npm/semver#ranges).\n* `path` is a file system path to a single query, a directory containing queries, or a query suite file.\n\nWhen you specify a `scope/name`, the `range` and `path` are\noptional. If you omit a `range` then the latest version of the\nspecified pack is used. If you omit a `path` then the default query suite\nof the specified pack is used.\n\nThe `path` can be one of: a `.ql` query file, a directory\ncontaining one or more queries, or a `.qls` query suite file. If\nyou omit a pack name, then you must provide a `path`,\nwhich will be interpreted relative to the working directory\nof the current process. Glob patterns are not supported.\n\nIf you specify both a `scope/name` and `path`, then the `path` cannot\nbe absolute. It is considered relative to the root of the CodeQL\npack.\n\n### Example query specifiers\n\n* `codeql/python-queries` - All the queries in the default query suite of the latest version of the `codeql/python-queries` pack.\n\n* `codeql/python-queries@1.2.3` - All the queries in the default query suite of version `1.2.3` of the `codeql/python-queries` pack.\n\n* `codeql/python-queries@~1.2.3` - All the queries in the default query suite of the latest version of the `codeql/python-queries` pack that is >= `1.2.3` and < `1.3.0`.\n\n* `codeql/python-queries:Functions` - All queries in the `Functions` directory in the latest version of the `codeql/python-queries` pack.\n\n* `codeql/python-queries@1.2.3:Functions` - All queries in the `Functions` directory in version 1.2.3 of the `codeql/python-queries` pack.\n\n* `codeql/python-queries@1.2.3:codeql-suites/python-code-scanning.qls` - All queries in the `codeql-suites/python-code-scanning.qls` directory in version 1.2.3 of the `codeql/python-queries` pack.\n\n* `suites/my-suite.qls` - All queries in the `suites/my-suite.qls` file relative to the current working directory.\n\n> \\[!TIP]\n> The default query suite of the standard CodeQL query packs are `codeql-suites/<lang>-code-scanning.qls`. Several other useful query suites can also be found in the `codeql-suites` directory of each pack. For example, the `codeql/cpp-queries` pack contains the following query suites:\n>\n> * `cpp-code-scanning.qls` - Standard Code Scanning queries for C++. The default query suite for this pack.\n> * `cpp-security-extended.qls` - Queries from the default `cpp-code-scanning.qls` suite for C++, plus lower severity and precision queries.\n> * `cpp-security-and-quality.qls` - Queries from `cpp-security-extended.qls`, plus maintainability and reliability queries.\n>\n> You can see the sources for these query suites in the [CodeQL repository](https://github.com/github/codeql/tree/main/cpp/ql/src/codeql-suites). Query suites for other languages are similar.\n\n## Using model packs to analyze calls to custom dependencies\n\nYou can include published model packs in a code scanning analysis with the `--model-packs` option. For example:\n\n```shell\n$ codeql database analyze /codeql-dbs/my-company --format=sarif-latest \\\n  --model-packs my-repo/my-java-model-pack \\\n  --output=/temp/my-company.sarif codeql/java-queries\n```\n\nIn this example, the relevant queries in the standard query pack `codeql/java-queries` will use the dependency information from the model pack, `my-repo/my-java-model-pack`, to check for vulnerabilities in code that calls those dependencies.\n\nYou can specify multiple published model packs in an analysis.\n\nFor more information about writing your own model packs, see [Creating and working with CodeQL packs](/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-model-pack).\n\n### About published packs\n\nWhen a pack is published for use in analyses, the `codeql pack create` or `codeql pack publish` command verifies that the content is complete and also adds some additional pieces of content to it:\n\n* For query packs, a copy of each of the library packs it depends on, in the precise versions it has been developed with. Users of the query pack won't need to download these library packs separately.\n\n* For query packs, precompiled representations of each of the queries. These are faster to execute than it would be to compile the QL source for the query at each analysis.\n\nMost of this data is located in a directory named `.codeql` in the published pack, but precompiled queries are in files with a `.qlx` suffix next to the `.ql` source for each query. When analyzing a database with a query from a published pack, CodeQL will load these files instead of the `.ql` source. If you need to modify the content of a *published* pack, be sure to remove all of the `.qlx` files, since they may prevent modifications in the `.ql` files from taking effect."}