Li_codeQL_LLM
Author: Terry S Fisher · GitHub ↗ · v1.0.0 · MIT-0
Total downloads: 219
Favorites: 0
Current installs: 0
Versions: 1
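Install in OpenClaw
/install li-codeql-llm
Description
A tool that combines CodeQL security scanning with LLM analysis. It automatically detects the CodeQL installation, scans a specified directory, generates a vulnerability report, runs LLM analysis, integrates with Jenkins, and outputs a verification checklist.
Usage (SKILL.md)
CodeQL + LLM Security Scanning Skill
🎯 Core features
This Skill implements a fully automated workflow that combines CodeQL scanning with LLM analysis:
- Automatic detection - checks whether CodeQL is installed and which version
- Security scanning - scans a specified directory or a lab target project
- Report generation - produces reports in SARIF and Markdown formats
- LLM analysis - analyzes the scan results, identifies false positives, and assigns priorities
- Verification checklist - generates an executable vulnerability verification checklist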
📦 Prerequisites
Required
- CodeQL CLI (v2.10.0+)
- Python 3.11+ (used to create the database)
- uv or pip (Python package management)
Optional
- Node.js (for analysis of some languages)
- Java JDK (for Java project analysis)
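🚀 Quick start
1. Check the environment
# Check whether CodeQL is installed
codeql --version
# If it is not installed, download and extract it
wget https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip
unzip codeql-linux64.zip -d /opt/codeql
ln -s /opt/codeql/codeql/codeql /usr/local/bin/codeql
2. Use the Skill
Ask directly in the conversation:
Scan /path/to/project for security vulnerabilities
Or specify a lab target directory:
Scan the /root/devsecops-python-web lab target and generate a verification checklist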
📋 Command reference
Basic scan
# Scan the current directory
codeql database create codeql-db --language=python --source-root=.
codeql database analyze codeql-db python-security-extended.qls \
  --format=sarif-latest --output=results.sarif
Invoking through the Skill
In an OpenClaw session:
/codeql_scan /path/to/project
Or simply describe what you need:
Help me scan this project, analyze security issues with CodeQL, and then generate a report
📊 Workflow
Step 1: Environment detection
# Check CodeQL
which codeql && codeql --version
# Check the supported languages
codeql resolve languages
Step 2: Create the database
# Python project
codeql database create codeql-db \
  --language=python \
  --source-root=/path/to/project \
  --overwrite
Step 3: Run the analysis
# Download the query pack
codeql pack download codeql/python-queries
# Run the analysis
codeql database analyze codeql-db \
  /root/.codeql/packages/codeql/python-queries/*/codeql-suites/python-security-extended.qls \
  --format=sarif-latest \
  --output=codeql-results.sarif
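Step 4: LLM analysis
Send the SARIF results to the LLM:
import json
with open('codeql-results.sarif') as f:
    data = json.load(f)
# Extract the key information (printed labels: rule, description, location)
results = data['runs'][0]['results']
for r in results:
    print(f"规则:{r['ruleId']}")
    print(f"描述:{r['message']['text']}")
    # SARIF stores the file path under artifactLocation.uri
    print(f"位置:{r['locations'][0]['physicalLocation']['artifactLocation']['uri']}")
The LLM analysis covers:
- Ranking vulnerabilities by severity
- Identifying false positives
- Remediation suggestions
- Exploitation difficulty assessment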
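One way to prepare the Step 4 input, as an added example that is not part of the Skill's own code: it goes beyond the loop above by joining each result to its rule's `security-severity` score, keeping only findings at or above a threshold, and passing on rule, file, line and message only, so code snippets and data-flow paths are not sent to the LLM. The sample SARIF, its scores and the names `rules_by_id` and `summarize` are constructed for illustration.

```python
import json

# Constructed SARIF fragment for illustration (not output from a real scan).
SAMPLE = json.loads("""
{"runs": [{
  "tool": {"driver": {"name": "CodeQL", "rules": []},
    "extensions": [{"name": "codeql/python-queries", "rules": [
      {"id": "py/sql-injection", "properties": {"security-severity": "8.8"}},
      {"id": "py/command-line-injection", "properties": {"security-severity": "9.8"}},
      {"id": "py/unused-import", "properties": {}}]}]},
  "results": [
    {"ruleId": "py/sql-injection", "message": {"text": "Query depends on user input."},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"},
                                         "region": {"startLine": 44}}}]},
    {"ruleId": "py/unused-import", "message": {"text": "Import is not used."},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"},
                                         "region": {"startLine": 3}}}]},
    {"ruleId": "py/command-line-injection", "message": {"text": "Command uses user input."},
     "locations": []}]}]}
""")

def rules_by_id(run):
    """Collect rule metadata from the driver and any query-pack extensions."""
    tool = run.get("tool", {})
    components = [tool.get("driver", {})] + tool.get("extensions", [])
    return {r["id"]: r for c in components for r in c.get("rules", [])}

def summarize(sarif, min_score=7.0):
    """Return minimal findings at or above min_score, highest score first."""
    findings = []
    for run in sarif.get("runs", []):
        rules = rules_by_id(run)
        for res in run.get("results", []):
            props = rules.get(res.get("ruleId"), {}).get("properties", {})
            # Rules without security-severity (quality queries) count as 0.0.
            score = float(props.get("security-severity", 0.0))
            if score < min_score:
                continue
            # A result may carry no location; report None instead of failing.
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId"), "score": score,
                "file": phys.get("artifactLocation", {}).get("uri"),
                "line": phys.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", "")[:200]})
    return sorted(findings, key=lambda f: f["score"], reverse=True)

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```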
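Step 5: Generate reports
The following files are generated:
- CODEQL_SECURITY_REPORT.md - full scan report
- 漏洞验证_Checklist.md - executable verification checklist
- codeql-results.sarif - raw results (can be uploaded to GitHub Security)
🎯 Use cases
Scenario 1: Lab target vulnerability analysis
Scan the /root/devsecops-python-web lab target
- Identify all security vulnerabilities
- Classify by OWASP Top 10
- Generate exploit payloads
- Output a verification checklist
Scenario 2: Project security audit
Scan /path/to/my-project
- Detect critical and high-severity vulnerabilities
- Prioritize fixes
- Generate an audit report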
Scenario 3: CI/CD integration
# .github/workflows/security.yml
- name: CodeQL Scan
  run: |
    codeql database create db --language=python
    codeql database analyze db python-security-extended.qls \
      --format=sarif-latest --output=results.sarif
- name: LLM Analysis
  run: |
    # Call the LLM to analyze results.sarif
    # Generate remediation suggestions
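📁 Output files
1. CODEQL_SECURITY_REPORT.md
Contains:
- Executive summary (total number of vulnerabilities and their distribution)
- Details grouped by severity
- Code location, description, and remediation suggestion for each vulnerability
- Statistical charts
2. 漏洞验证_Checklist.md
Contains:
- A printable checklist
- Verification steps for each vulnerability
- Test payloads and commands
- Expected results
- Fields for recording screenshots and logs
3. codeql-results.sarif
- Standard SARIF format
- Can be uploaded to GitHub Security
- Can be viewed with the VS Code SARIF Viewer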
🔧 Configuration options
Scan language
# Python
--language=python
# JavaScript
--language=javascript
# Java
--language=java
# Go
--language=go
# Multiple languages
--language=python,javascript
Query suites
# Security extended (recommended)
python-security-extended.qls
# Code quality
python-code-quality.qls
# Security and quality
python-security-and-quality.qls
# Code scanning (default)
python-code-scanning.qls
Output format
# SARIF (recommended)
--format=sarif-latest
# CSV
--format=csv
# JSON
--format=json
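🐛 FAQ
Q: CodeQL database creation fails?
A: Make sure the project builds normally:
# Python project
python -m pip install -r requirements.txt
# Then create the database
codeql database create db --language=python
Q: Too many scan results?
A: Use filtering:
# Only critical and high severity
codeql database analyze db python-security-extended.qls \
  --rerun --checkout=latest \
  --sarif-category=severity \
  --output=results.sarif
Q: How can false positives be reduced?
A:
- Use python-security-extended.qls rather than python-code-scanning.qls
- Let the LLM analysis identify false positives
- Manually verify critical vulnerabilities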
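🎓 Example session
Full workflow example
User: Scan the /root/devsecops-python-web lab target
Assistant:
- ✅ Detected that CodeQL is installed (v2.22.1)
- ✅ Created the database (13 Python files)
- ✅ Ran 52 security queries
- ✅ Found 30 vulnerabilities
- ✅ Generated reports:
  - CODEQL_SECURITY_REPORT.md
  - 漏洞验证_Checklist.md
  - codeql-results.sarif
User: Analyze the 3 most severe vulnerabilities
Assistant:
- SQL injection - line 44 - exploit: ' OR '1'='1
- Code injection - line 138 - exploit: __import__('os').system('id')
- Command injection - line 88 - exploit: ; cat /etc/passwd
See the report for detailed exploitation methods...
Version: 1.0.0
Author: OpenClaw Community
License: MIT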
Security usage recommendations
This skill appears to implement CodeQL scanning plus optional LLM analysis, but there are several red flags you should consider before installing or running it:
- Privacy vs behavior: The PRIVACY_AND_SECURITY.md claims 'no remote transmission' but the code (analyze_with_llm.py and integration docs) sends SARIF results to an OpenClaw LLM agent (OpenClawClient.connect()). If you enable LLM_AUTO_ANALYZE or configure OPENCLAW_GATEWAY_WS_URL, your scan data will be transmitted to that gateway/agent. Only enable LLM integration when you trust the gateway and understand what data is sent.
- Undeclared secrets/configs: The registry metadata lists no required env vars, but the code and docs require/expect Jenkins tokens, Gitea tokens, CODEQL_PATH, and OpenClaw gateway settings. Treat these as required secrets: do not put them into source control; store them securely and follow principle of least privilege.
- Jenkins guidance is risky: Several docs show plaintext example credentials (devops:devsecops) and even suggest disabling CSRF or using passwords instead of API tokens. Do not follow instructions that weaken Jenkins security in production; always use API tokens and avoid disabling CSRF.
- Exploit generation: The skill can generate proof-of-concept payloads / exploitation steps (LLM_GENERATE_EXPLOIT, 'exploit' analysis mode). Only run those features against systems you are authorized to test (e.g., intentionally vulnerable lab/CTF environments). Disable exploit generation in audits of real projects.
- Operational recommendations: Run the skill in an isolated/test environment first, review and sanitize the .env example and all example credentials, set LLM_AUTO_ANALYZE=false unless you intentionally want remote analysis, and inspect the code (analyze_with_llm.py, scanner.py, jenkins_integration.py) to confirm what is transmitted. If you use Jenkins/Gitea integration, create dedicated least-privilege tokens and rotate/revoke them after testing.
If you want, I can list the exact files and lines that call OpenClawClient, subprocesses, or reference Jenkins/Gitea/credentials so you can review them before running.
Functional analysis
Type: OpenClaw Skill
Name: li-codeql-llm
Version: 1.0.0
The skill bundle is a comprehensive and professionally documented tool for automating CodeQL security scans and performing LLM-based analysis of the results. It includes robust integration with Jenkins and Gitea, featuring automated pipeline creation and result uploading. While the bundle includes powerful capabilities such as executing Groovy scripts via the Jenkins API (in `auto_update_jenkins.py`) and performing shell commands to run CodeQL (in `scanner.py`), these actions are strictly aligned with its stated purpose of security auditing and CI/CD automation. The inclusion of a dedicated privacy statement (`PRIVACY_AND_SECURITY.md`) and a pre-scan sensitive information checker (`security_check.py`) further indicates a legitimate and security-conscious design.
Capability assessment
Purpose & Capability
Name/description match the code: the package performs CodeQL scans, generates SARIF/Markdown reports, integrates with Jenkins and an LLM. However the metadata/registry declares no required env vars while the code and docs expect many environment/config values (OPENCLAW_GATEWAY_WS_URL, JENKINS_URL/JENKINS_TOKEN, GITEA_TOKEN, CODEQL_PATH, LLM_* flags). The skill therefore underreports what it needs and will require broad config/credential setup to function.
Instruction Scope
SKILL.md and code explicitly instruct creating databases, running codeql, and sending SARIF results to an OpenClaw LLM agent (OpenClawClient.connect()). Documentation also includes generating exploit payloads for 'lab target' scenarios and shows Jenkins automation steps that suggest disabling CSRF and embedding credentials (examples use plaintext devops:devsecops). These instructions go beyond simple scanning: they direct network transmission of potentially large/sensitive SARIF data to a remote agent and include insecure Jenkins operations.
Install Mechanism
There is no formal install spec in the registry (instruction-only), which limits automatic risks. SKILL.md shows manual steps to download CodeQL from GitHub releases (a trusted host). Some guidance references installing an OpenClaw SDK from a local path and pip; nothing in the package auto-downloads arbitrary archives. Overall install risk is moderate but manual and requires user actions.
Credentials
Registry declares no required env vars or credentials, but the code and multiple docs expect and instruct use of many secrets/configs: JENKINS_USER/JENKINS_TOKEN, JENKINS_URL, GITEA_TOKEN, OPENCLAW_GATEWAY_WS_URL, CODEQL_PATH, LLM_* flags, and .env management. This mismatch is significant: the skill will attempt connections and operations that require sensitive tokens not declared up-front. Some docs even include example credentials and commands to disable Jenkins CSRF.
Persistence & Privilege
Skill does not set 'always: true' and does not request unusual persistent platform privileges. It can invoke an LLM agent via OpenClaw (autonomous agent invocation is allowed by default), which increases blast radius if the skill is enabled — but that is platform-normal and not itself an unexplained privilege.
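How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install li-codeql-llm
- After installation, call the Skill by name or use /li-codeql-llm to trigger it
- Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.0.0
Initial release - CodeQL+LLM combined security scanner, author: 北京老李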
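Frequently asked questions
What is Li_codeQL_LLM?
A tool that combines CodeQL security scanning with LLM analysis. It automatically detects the CodeQL installation, scans a specified directory, generates a vulnerability report, runs LLM analysis, integrates with Jenkins, and outputs a verification checklist. It is an AI Agent Skill plugin for Claude Code / OpenClaw and has been downloaded 219 times so far.
How do I install Li_codeQL_LLM?
Run the command "/install li-codeql-llm" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.
Is Li_codeQL_LLM free?
Yes, Li_codeQL_LLM is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does Li_codeQL_LLM support?
Li_codeQL_LLM is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Li_codeQL_LLM?
It is developed and maintained by Terry S Fisher (@43622283); the current version is v1.0.0.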