Add CodeQL for Python MCP and taskflow #3
Conversation
sylwia-budzynska
requested review from
JarLob,
kevinbackhouse,
m-y-mo and
p-
as code owners
There was a problem hiding this comment.
Pull request overview
This PR adds CodeQL analysis capabilities for Python projects through a new MCP (Model Context Protocol) server and associated taskflow. The implementation enables automated security auditing of Python codebases by querying CodeQL databases to identify remote flow sources and analyze potential security vulnerabilities.
Key Changes:
- New CodeQL Python MCP server with tools for querying databases, fetching file contents, and managing source analysis results
- Taskflow for automated security auditing of remote sources with multi-step analysis
- CodeQL query pack for identifying Python remote flow sources
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 17 comments.
Show a summary per file
| File | Description |
|---|---|
src/seclab_taskflows/mcp_servers/codeql_python/mcp_server.py |
Core MCP server implementation with database querying, file retrieval, and SQLite backend for storing analysis results |
src/seclab_taskflows/mcp_servers/codeql_python/codeql_sqlite_models.py |
SQLAlchemy models for storing CodeQL source analysis data |
src/seclab_taskflows/mcp_servers/codeql_python/queries/mcp-python/remote_sources.ql |
CodeQL query to identify remote flow sources in Python code |
src/seclab_taskflows/mcp_servers/codeql_python/queries/mcp-python/example.ql |
Example CodeQL query demonstrating query pack structure |
src/seclab_taskflows/mcp_servers/codeql_python/queries/mcp-python/codeql-pack.yml |
CodeQL pack configuration with Python dependencies |
src/seclab_taskflows/mcp_servers/codeql_python/queries/mcp-python/codeql-pack.lock.yml |
Locked dependency versions for CodeQL pack |
src/seclab_taskflows/mcp_servers/codeql_python/README.md |
Setup and usage instructions for the CodeQL Python server |
src/seclab_taskflows/toolboxes/codeql_python.yaml |
Toolbox configuration with server parameters and file URI documentation |
src/seclab_taskflows/taskflows/audit/remote_sources_local.yaml |
Multi-step taskflow for automated security analysis of remote sources |
src/seclab_taskflows/personalities/auditer.yaml |
Security expert personality configuration for code auditing tasks |
.gitignore |
Updated pattern to ignore all .env files |
Comments suppressed due to low confidence (4)
src/seclab_taskflows/mcp_servers/codeql_python/mcp_server.py:16
- Import of 'Context' is not used.
from fastmcp import FastMCP, Context # use FastMCP 2.0
src/seclab_taskflows/mcp_servers/codeql_python/mcp_server.py:24
- Import of 'zipfile' is not used.
import zipfile
src/seclab_taskflows/mcp_servers/codeql_python/mcp_server.py:25
- Import of 'httpx' is not used.
import httpx
src/seclab_taskflows/mcp_servers/codeql_python/mcp_server.py:26
- Import of 'aiofiles' is not used.
import aiofiles
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
src/seclab_taskflows/mcp_servers/codeql_python/codeql_sqlite_models.py
Outdated
Show resolved
Hide resolved
src/seclab_taskflows/mcp_servers/codeql_python/codeql_sqlite_models.py
Outdated
Show resolved
Hide resolved
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 10 out of 11 changed files in this pull request and generated 8 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 10 out of 11 changed files in this pull request and generated 8 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 12 out of 13 changed files in this pull request and generated 14 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
src/seclab_taskflows/mcp_servers/codeql_python/queries/mcp-python/remote_sources.ql
Show resolved
Hide resolved
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 12 out of 12 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 12 out of 12 changed files in this pull request and generated 7 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "notes": result.notes | ||
| } | ||
|
|
||
| def _resolve_query_path(language: str, query: str) -> Path: |
There was a problem hiding this comment.
Probably should refactor _resolve_query_path and resolve_db_path in seclab-taskflow-agent to take variables TEMPLATE_QUERY_PATHS and CODEQL_DBS_BASE_PATH instead of using globals and then we can reuse those here via import, but that'll be for another PR and also need to change seclab-taskflow-agent
| CodeQL supports the following languages, which you'll refer to by their | ||
| CodeQL acronyms and which are detailed below: | ||
|
|
||
| - actions: GitHub Actions workflows |
There was a problem hiding this comment.
May want to change this because this is a python specific mcp? Actually you may not need this whole server prompt at all because this prompt is all about choosing specific languages.
There was a problem hiding this comment.
I want to leave information about referring to python and potentially other unsupported languages, because I hope to work on the mcp server more in the future
No description provided.