Organization-level CodeQL Query packs

[martinvks]

Hi,

do you have any plans to add support for custom query suites in default setup?
That is, something similar to the organization-level CodeQL model packs described in this blog post.

[jf205]

Hi @martinvks

We are working on making code scanning default setup more customizable using CodeQL packs. Custom CodeQL query packs will likely be coming up next but we don't have an exact timeframe yet.

Your feedback can help us make sure we integrate packs into code scanning in the right way. Can you say a little more about how you use custom CodeQL queries and how you would like to be able to use them in code scanning please?

[martinvks]

Hi @jf205, thank you for the quick reply.

We are using GHES and have a reusable workflow for code scanning to avoid duplication. In this workflow we specify queries to be run, in addition to the default queries. We also exclude some of the default queries with a custom configuration file. I find that scaling and maintaining our current setup is challenging as it requires adding a caller workflow in each repository we want to onboard. However, if we go with default setup we can only choose between the built in query suites. I understand that the configuration options in default setup is more limited than with advanced setup but being able to specify additional query packs would go a long way.