codeql-mcp

Runs a Model Context Protocol (MCP) server (via FastMCP) that wraps a CodeQL query server, exposing tools to register CodeQL databases, run CodeQL queries, decode .bqrs files to JSON, and locate predicate/class symbol positions.

Evaluated Mar 30, 2026 (21d ago)
Repo ↗ Ai Ml security devtools mcp codeql static-analysis sse automation agent-tools
⚙ Agent Friendliness
38
/ 100
Can an agent use this?
🔒 Security
25
/ 100
Is it safe for agents?
⚡ Reliability
26
/ 100
Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality
75
Documentation
55
Error Messages
0
Auth Simplicity
10
Rate Limits
10

🔒 Security

TLS Enforcement
20
Auth Strength
5
Scope Granularity
0
Dep. Hygiene
50
Secret Handling
60

Security posture is not described: no auth, no TLS requirement, and no mention of sanitizing inputs, restricting filesystem paths, or limiting CodeQL execution. Likely intended for local use. Dependency hygiene is unknown; README lists minimal dependencies (fastmcp, httpx) but does not address vulnerabilities, locking, or scanning.

⚡ Reliability

Uptime/SLA
0
Version Stability
40
Breaking Changes
40
Error Recovery
25
AF Security Reliability

Best When

You have CodeQL installed locally and want an agent-friendly interface (MCP/SSE) to trigger CodeQL queries against local databases.

Avoid When

You need strong access control, multi-user isolation, or reliable rate-limited remote usage out of the box.

Use Cases

  • Integrate CodeQL query execution into an AI agent workflow via MCP
  • Automate vulnerability research tasks (querying databases, inspecting results)
  • Decode CodeQL binary result artifacts (.bqrs) into JSON for further processing
  • Map CodeQL symbols to source locations for code navigation

Not For

  • Providing a hosted/scalable CodeQL-as-a-service endpoint for untrusted tenants
  • Use as a secure remote API boundary (no auth/security posture described)
  • Running in environments where local execution of the CodeQL binary is not permitted

Interface

REST API
No
GraphQL
No
gRPC
No
MCP Server
Yes
SDK
No
Webhooks
No

Authentication

OAuth: No Scopes: No

No authentication mechanism is described in the README. Assumed local/loopback usage unless configured otherwise.

Pricing

Free tier: No
Requires CC: No

Open-source tooling; no pricing information provided.

Agent Metadata

Pagination
none
Idempotent
False
Retry Guidance
Not documented

Known Gotchas

  • Requires a CodeQL binary in PATH (or hardcoded path), so agent environments must match the runtime requirements
  • The README indicates Cursor/agents may invoke tools via natural language; without explicit examples of tool schemas/inputs, mapping LLM requests to exact tool parameters may require experimentation
  • No documented rate limits, auth, or operational safeguards; agent retries could amplify expensive CodeQL executions

Alternatives

Use CodeQL’s native CLI directly from your agent/tooling Build a REST/GraphQL wrapper around CodeQL with explicit auth and structured error handling Use an existing CodeQL automation framework or community MCP servers (if available)

Full Evaluation Report

Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for codeql-mcp.

AI-powered analysis · PDF + markdown · Delivered within 30 minutes

$99

Package Brief

Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.

Delivered within 10 minutes

$3

Score Monitoring

Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.

Continuous monitoring

$3/mo
API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-30.

8642
Packages Evaluated
17761
Need Evaluation
586
Need Re-evaluation
Community Powered