Dotnet-skills dotnet-codeql
Use the open-source CodeQL ecosystem for .NET security analysis. Use when a repo needs CodeQL query packs, CLI-based analysis on open source codebases, or GitHub Action setup with explicit licensing caveats for private repositories.
install
source · Clone the upstream repo
git clone https://github.com/managedcode/dotnet-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/managedcode/dotnet-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/catalog/Tools/CodeQL/skills/dotnet-codeql" ~/.claude/skills/managedcode-dotnet-skills-dotnet-codeql && rm -rf "$T"
manifest:
catalog/Tools/CodeQL/skills/dotnet-codeql/SKILL.mdsource content
CodeQL for .NET
Trigger On
- the repo uses or wants CodeQL for .NET security analysis
- GitHub code scanning is part of the CI plan
Value
- produce a concrete project delta: code, docs, config, tests, CI, or review artifact
- reduce ambiguity through explicit planning, verification, and final validation skills
- leave reusable project context so future tasks are faster and safer
Do Not Use For
- teams that need a tool with no private-repo licensing caveat
Inputs
- the nearest
AGENTS.md - hosting model: open-source repo, private repo, or manual CLI workflow
- current GitHub Actions workflow
Quick Start
- Read the nearest
and confirm scope and constraints.AGENTS.md - Run this skill's
through theWorkflow
until outcomes are acceptable.Ralph Loop - Return the
with concrete artifacts and verification evidence.Required Result Format
Workflow
- Treat CodeQL as a security-analysis tool, not as a style checker.
- Make the licensing and hosting model explicit before proposing it as the default gate.
- Prefer manual build mode for compiled .NET projects when precision matters.
Bootstrap When Missing
If
CodeQL- Detect current state:
rg -n "codeql-action|security-events|CodeQL" .github/workflowscommand -v codeql
- Prefer CI-first setup for repository scanning using
andgithub/codeql-action/init
.github/codeql-action/analyze - Configure explicit .NET build mode in workflow (
when precision matters).manual - Add local CLI usage only when the task requires local query work.
- Run the workflow or local analyze path and return
orstatus: configured
.status: improved - If licensing or hosting constraints reject CodeQL for this repo, return
with caveat documented.status: not_applicable
Deliver
- explicit CodeQL setup or an explicit rejection with caveat documented
- reproducible CI or local commands for running CodeQL in this repo
Validate
- the chosen CodeQL path is allowed for the repo type
- build mode is documented and reproducible
Ralph Loop
Use the Ralph Loop for every task, including docs, architecture, testing, and tooling work.
- Plan first (mandatory):
- analyze current state
- define target outcome, constraints, and risks
- write a detailed execution plan
- list final validation skills to run at the end, with order and reason
- Execute one planned step and produce a concrete delta.
- Review the result and capture findings with actionable next fixes.
- Apply fixes in small batches and rerun the relevant checks or review steps.
- Update the plan after each iteration.
- Repeat until outcomes are acceptable or only explicit exceptions remain.
- If a dependency is missing, bootstrap it or return
with explicit reason and fallback path.status: not_applicable
Required Result Format
:status
|complete
|clean
|improved
|configured
|not_applicableblocked
: concise plan and current iteration stepplan
: concrete changes madeactions_taken
: final skills run, or skipped with reasonsvalidation_skills
: commands, checks, or review evidence summaryverification
: top unresolved items orremainingnone
For setup-only requests with no execution, return
status: configuredLoad References
references/codeql.mdreferences/queries.mdreferences/workflow.md
Example Requests
- "Set up CodeQL for this public .NET repo."
- "Explain the CodeQL caveat for private repos."