Skip to content

Releases: advanced-security/codeql-development-mcp-server

v2.24.2

24 Feb 03:11
@data-douser data-douser
v2.24.2
ca1c919

Choose a tag to compare

View all tags
v2.24.2 Latest
Latest

v2.24.2

Highlights

🚢 New VS Code Extension: advanced-security.vscode-codeql-development-mcp-server 🚀

This release introduces a new VS Code extension distributed as a VSIX archive (codeql-development-mcp-server-v2.24.2.vsix) that acts as a "bridge" between the GitHub CodeQL extension and the CodeQL Development MCP Server. When installed, the extension:

  • Automatically discovers CodeQL databases, query run results, and MRVA (Multi-Repository Variant Analysis) results managed by the GitHub.vscode-codeql extension, and exposes them to MCP-connected AI agents via environment variables.
  • Bundles the MCP server and all CodeQL tool packs inside the VSIX, so that installation is self-contained — no separate npm install required.
  • Manages the MCP server lifecycle (start/stop/restart) from within VS Code, with configurable settings for the server command, arguments, and npm version.
  • Registers an MCP Server Definition Provider, enabling VS Code's built-in MCP support to discover and connect to the server automatically.

Download: The VSIX is attached as a release asset. Install it via code --install-extension codeql-development-mcp-server-v2.24.2.vsix or through the VS Code Extensions sidebar ("Install from VSIX…").

New MCP Server Tools

Tool Description
list_codeql_databases Discovers CodeQL databases in configured base directories. Returns path, language, CLI version, and creation time for each database.
list_query_run_results Lists discovered query run result directories. Returns path, query name, timestamp, language, and available artifacts (evaluator-log, BQRS, SARIF, query.log, summary). Supports filtering by queryName, language, or queryPath.
list_mrva_run_results Lists discovered MRVA run results. Returns run ID, timestamp, repositories scanned, analysis status, and available artifacts.
profile_codeql_query_from_logs Parses CodeQL query evaluation logs into a performance profile without re-running the query. Works with logs from codeql query run, codeql database analyze, or vscode-codeql query history.
read_database_source Reads source file contents directly from a CodeQL database's source archive (src.zip) or extracted source directory (src/), enabling agents to inspect code at alert locations without the original source tree.

New MCP Server Prompts

Prompt Description
run_query_and_summarize_false_positives Guides an agent through running a CodeQL query, reading source code from the database archive via read_database_source, and diagnosing false positives / false negatives to improve query precision.

Changed MCP Server Tools

Tool Change
codeql_bqrs_decode Added text and bqrs output formats, --result-set selection, --sort-key / --sort-direction sorting, --no-titles flag, --entities column display control, and --rows pagination. Improved description to document the typical decode workflow.
codeql_bqrs_info Enhanced description with cross-references to related tools and workflow guidance.
codeql_database_analyze Improved logging and error messages; auto-creates output directories.
codeql_query_run Minor logging improvements.
register_database Error objects now chain the original cause for better debugging.

Changed MCP Server Prompts

All existing workflow prompts have been updated to use #tool_name hashtag references (instead of backtick formatting) for tool mentions, improving consistency when rendered in VS Code Copilot Chat. Additionally, prompt templates are now embedded at build time via esbuild's loader: { '.md': 'text' }, fixing a critical bug where prompts were missing at runtime in VSIX and npm-installed deployments.

Bug Fixes

  • VSIX bundle missing server dependencies — Fixed a packaging bug where the esbuild external configuration excluded required Node.js dependencies (express, cors, zod, etc.) from the bundled VSIX extension, causing runtime failures. (#71)
  • Prompt templates not found at runtime — Refactored prompt loading from filesystem reads (readFileSync) to build-time static imports, ensuring prompt templates are available in all deployment scenarios (monorepo, npm, VSIX). (#71)
  • Client integration test timeouts — Resolved timeout issues in client integration test fixtures that caused flaky CI runs. (#74)
  • VS Code extension version not tracked in release scripts — The update-release-version.sh script and nightly CodeQL CLI update workflow now correctly detect and update the version in extensions/vscode/package.json alongside other version-bearing files. (#75)
  • VSIX-bundled server pack installation — The extension now prefers the bundled server/ directory inside the VSIX for CodeQL pack resolution, falling back to npm-installed packages only if necessary. (#81)
  • Error chaining in register_database — All error paths now preserve the original cause, making debugging registration failures easier. (#61)

Infrastructure & CI/CD

  • Refactored the release workflow into separate child workflows with isolated deployment environments. (#45)
  • Added a nightly CodeQL CLI update workflow that automates version bumps across all packages. (#58)
  • Added dedicated GitHub Actions workflows for building, testing (with coverage), linting, bundling, and packaging the VS Code extension. (#61)
  • Added stdio transport support to the client integration test runner alongside SSE. (#77)
  • Release artifacts now include version strings in filenames (e.g., codeql-development-mcp-server-v2.24.2.vsix, codeql-development-mcp-server-v2.24.2.tar.gz). (#81)
  • Release workflow uses a concurrency group keyed by version, preventing overlapping releases. (#81)
  • Added .md documentation enforcement for all .ql tool queries. (#81)

Dependency Updates

  • Upgraded CodeQL CLI dependency to v2.24.2. (#65)
  • Bumped actions/download-artifact from 6 to 7. (#49)
  • Bumped dotenv from 17.2.4 to 17.3.0. (#54)
  • Bumped eslint from ^10.0.0 to ^10.0.1 across all packages. (#75)

What's Changed (PRs)

  • Refactor release into separate child workflows with isolated deployment environments by @data-douser in #45
  • Build(deps): bump actions/download-artifact from 6 to 7 by @dependabot[bot] in #49
  • Build(deps): bump dotenv from 17.2.4 to 17.3.0 by @dependabot[bot] in #54
  • Add nightly CodeQL CLI update workflow by @data-douser in #58
  • Add vscode-codeql-development-mcp-server.vsix extension for "bridge" to GitHub.vscode-codeql extension's databases, query results, and MRVA results by @data-douser in #61
  • Upgrade CodeQL CLI dependency to v2.24.2 by @github-actions[bot] in #65
  • Add a new...
Read more

Contributors

MichaelRFairhurst, dependabot, and data-douser
Assets 13
0 Join discussion

v2.24.2-rc3

23 Feb 19:28
@github-actions github-actions
v2.24.2-rc3
68c5bcf

Choose a tag to compare

View all tags
v2.24.2-rc3

What's Changed

Full Changelog: v2.24.2-rc2...v2.24.2-rc3

Contributors

data-douser
Loading

v2.24.2-rc2

23 Feb 16:20
@github-actions github-actions
v2.24.2-rc2
dff4f58

Choose a tag to compare

View all tags
v2.24.2-rc2

What's Changed

  • Prep for v2.24.1 release by @data-douser in #38
  • Refactor release into separate child workflows with isolated deployment environments by @data-douser in #45
  • Build(deps): bump actions/download-artifact from 6 to 7 by @dependabot[bot] in #49
  • Build(deps): bump dotenv from 17.2.4 to 17.3.0 by @dependabot[bot] in #54
  • Add nightly CodeQL CLI update workflow by @data-douser in #58
  • Add vscode-codeql-development-mcp-server.vsix extension for "bridge" to GitHub.vscode-codeql extension's databases, query results, and MRVA results by @data-douser in #61
  • Fixes and integration tests for MCP-provided prompts and VSIX bundle by @data-douser in #71
  • Avoid timeouts in client integration test fixtures by @data-douser in #74
  • Add a new prompt & tool for diagnosing FPs/FNs from query runs. by @MichaelRFairhurst in #70
  • Upgrade CodeQL CLI dependency to v2.24.2 by @github-actions[bot] in #65
  • Fixes for v2.24.2 release prep by @data-douser in #75

New Contributors

Full Changelog: v2.24.0...v2.24.2-rc2

Contributors

MichaelRFairhurst, dependabot, and data-douser
Loading

v2.24.1

11 Feb 06:26
@github-actions github-actions
v2.24.1
6d2fcfd

Choose a tag to compare

View all tags
v2.24.1

What's Changed

Full Changelog: v2.24.0...v2.24.1

Contributors

data-douser
Loading

v2.24.0 -- Initial public release

09 Feb 20:50
@data-douser data-douser
v2.24.0
e21e634
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v2.24.0 -- Initial public release

The v2.24.0 release is the initial public release of the advanced-security/codeql-development-mcp-server repository.
This release is meant to be used with, and has been tested against, v2.24.0 of the codeql CLI.

What's Changed

  • Update README.md and **/package.json files to prepare for open-source release by @data-douser in #14
  • Security fixes for TOCTOU & OS tmp files by @data-douser in #18
  • Ensure cross-platform support via client integration tests run on ubuntu-latest and windows-latest by @data-douser in #22
  • Exclude exit nodes from Java PrintCFG query for deterministic test ou… by @data-douser in #23
  • More prep for initial public release readiness by @data-douser in #24
  • Use dynamic package version and respect CODEQL_MCP_TMP_DIR env var by @data-douser in #27
  • Improve MCP server integrations with codeql execute *-server servers by @data-douser in #29
  • Restructure docs: replace tools-reference.md with ql-mcp/ primitives docs and add testing strategy by @Copilot in #33
  • Upgrade codeql CLI and dependencies to v2.24.0 by @Copilot in #31

Full Changelog: v2.23.9...v2.24.0

Contributors

data-douser
Loading
0 Join discussion