CodeQL SARIF Downloader

This tool helps you download and combine CodeQL SARIF reports from GitHub for a given repository, branch/PR, and commit. It is useful for extracting multi-language CodeQL scan results and producing a single SARIF file for further processing or integration.

Download location

https://github.com/mobb-dev/codeql-sarif-downloader

Prerequisites

  • Python 3.7+

  • A GitHub Personal Access Token (PAT) with the following scopes:

    • repo (for private repositories)

    • security_events

Setup

  1. Generate a GitHub Personal Access Token (PAT):

  2. Edit config.json:

    • Open config.json in this directory.

    • Replace the placeholder value with your PAT:

      {
        "github_pat": "YOUR_GITHUB_PAT_HERE"
      }
  3. Install dependencies:

    pip install -r requirements.txt
  4. Run the script:

    python generate_sarif_from_github_codeql.py

Usage

  • Enter the repository in owner/repo format (e.g., antonychiu2/codeql-mobb-fixer-integration).

  • The script will list all available CodeQL scan sets, grouped by branch/PR and commit.

  • Each set shows the scan date, tool, and language category.

  • Select the set number you want to download.

  • The script will download all SARIF files for that set and combine them into a single SARIF file in the sarif_downloads directory.

Output

  • Individual SARIF files: sarif_downloads/sarif_<analysis_id>.json

  • Combined SARIF file: sarif_downloads/codeql_sarif_<owner_repo>_<ref>_<date>.json

Demo

Notes

  • The combined SARIF file merges all runs from the selected set, matching the logic used in the GitHub Action workflow.

  • The script only lists and downloads CodeQL analyses (not other tools).

  • If you encounter errors, check your PAT permissions and repository visibility.
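As an added example (not the tool's own code) of the two steps the Usage and Notes sections describe: grouping code-scanning analyses into scan sets by branch/PR ref and commit while keeping only CodeQL ones, and merging the runs of the downloaded SARIF files into a single SARIF document. The record shape (id, ref, commit_sha, created_at, tool.name, category) follows GitHub's code scanning analyses API; all sample values and the SARIF documents are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape of GitHub's
# GET /repos/{owner}/{repo}/code-scanning/analyses response (only the fields used here).
SAMPLE_ANALYSES = [
    {"id": 101, "ref": "refs/heads/main", "commit_sha": "aaa111", "created_at": "2024-05-01T10:00:00Z",
     "tool": {"name": "CodeQL"}, "category": "/language:python"},
    {"id": 102, "ref": "refs/heads/main", "commit_sha": "aaa111", "created_at": "2024-05-01T10:05:00Z",
     "tool": {"name": "CodeQL"}, "category": "/language:javascript"},
    {"id": 103, "ref": "refs/pull/7/merge", "commit_sha": "bbb222", "created_at": "2024-05-02T09:00:00Z",
     "tool": {"name": "CodeQL"}, "category": "/language:python"},
    {"id": 104, "ref": "refs/heads/main", "commit_sha": "aaa111", "created_at": "2024-05-01T10:07:00Z",
     "tool": {"name": "OtherScanner"}, "category": ""},
]

# Constructed minimal SARIF documents standing in for two downloaded
# per-language analyses that belong to the same scan set.
SAMPLE_SARIF = [
    {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "CodeQL"}},
                                   "results": [{"ruleId": "py/sql-injection"}]}]},
    {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "CodeQL"}},
                                   "results": [{"ruleId": "js/xss"}]}]},
]

def group_codeql_analyses(analyses):
    """Keep only CodeQL analyses and group them by (ref, commit_sha), oldest first."""
    sets = defaultdict(list)
    for a in sorted(analyses, key=lambda a: a["created_at"]):
        if a.get("tool", {}).get("name") != "CodeQL":
            continue  # analyses from other code-scanning tools are skipped
        sets[(a["ref"], a["commit_sha"])].append(a)
    return dict(sets)

def combine_sarif(sarif_docs):
    """Merge the runs of several SARIF 2.1.0 documents into one document."""
    combined = {"version": "2.1.0", "runs": []}
    for doc in sarif_docs:
        if doc.get("version") != "2.1.0":
            raise ValueError("unsupported SARIF version: %r" % doc.get("version"))
        combined["runs"].extend(doc.get("runs", []))  # one run per language category
    return combined

if __name__ == "__main__":
    for (ref, sha), members in group_codeql_analyses(SAMPLE_ANALYSES).items():
        print(ref, sha, [m["category"] for m in members])
    print(json.dumps(combine_sarif(SAMPLE_SARIF), indent=2))
```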
