aegilops :github::microsoft: · @aegilops
126 followers · 470 posts · Server fosstodon.org

I open sourced a tool to create lists of repos to run GitHub CodeQL’s Multi-Repository Variant Analysis on, using a keyword search on GitHub.

It's a Bash script you can trigger with a VSCode build task. It uses the GitHub API (via the GitHub CLI) to fill a list in the VSCode settings.

It’s a stopgap before this sort of feature makes it into the product.

github.com/advanced-security/m

#mrva #variantanalysis #CodeQL #github #vscode #buildtask #sast #vulnerabilityresearch

Last updated 1 year ago
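The post above describes a Bash script that searches GitHub and writes the matching repositories into a VS Code setting for MRVA. The following is an added example, not the author's script and not part of the advanced-security project; it re-implements the same idea in Python so the list-building and settings-merging steps can be checked offline. Assumptions: the search goes through `gh search repos --json fullName` (a real GitHub CLI command), the settings key `codeQL.variantAnalysis.repositoryLists` (the name is taken from memory of the CodeQL extension's older settings and should be checked against the installed extension), and a cap of 1000 repositories per list (also to be verified). The sample search output and settings text are constructed here.

```python
import json
import subprocess
import sys
from typing import Iterable, List, Dict, Any

# Assumed: older CodeQL VS Code extension setting holding named MRVA repo lists.
# Verify the key against the extension's settings before relying on it.
SETTINGS_KEY = "codeQL.variantAnalysis.repositoryLists"
# Assumed cap on repositories per MRVA list; check the current documented limit.
MAX_REPOS = 1000


def parse_search_output(raw_json: str) -> List[str]:
    """Extract `owner/repo` names from `gh search repos --json fullName` output."""
    items = json.loads(raw_json)
    return [item["fullName"] for item in items if isinstance(item, dict) and "fullName" in item]


def build_repo_list(names: Iterable[str], max_repos: int = MAX_REPOS) -> List[str]:
    """Validate, de-duplicate (GitHub names are case-insensitive) and cap the list."""
    seen = set()
    result: List[str] = []
    for name in names:
        name = name.strip()
        parts = name.split("/")
        # Skip anything that is not exactly `owner/repo` with both halves present.
        if len(parts) != 2 or not all(parts) or " " in name:
            continue
        key = name.lower()
        if key in seen:
            continue
        seen.add(key)
        result.append(name)
        if len(result) >= max_repos:
            break
    return result


def merge_into_settings(settings_text: str, list_name: str, repos: List[str]) -> Dict[str, Any]:
    """Return the settings object with `list_name` set, leaving other keys untouched.

    Caveat: VS Code settings.json may contain comments or trailing commas, which
    strict JSON parsing rejects. Failing loudly here is preferable to writing
    back a corrupted file; strip comments or use a JSONC parser if needed.
    """
    settings = json.loads(settings_text) if settings_text.strip() else {}
    lists = dict(settings.get(SETTINGS_KEY, {}))
    lists[list_name] = list(repos)
    settings[SETTINGS_KEY] = lists
    return settings


def search_repos(keyword: str, limit: int = MAX_REPOS) -> List[str]:
    """Call the GitHub CLI (requires `gh auth login`); not exercised offline."""
    completed = subprocess.run(
        ["gh", "search", "repos", keyword, "--limit", str(limit), "--json", "fullName"],
        check=True, capture_output=True, text=True,
    )
    return build_repo_list(parse_search_output(completed.stdout), limit)


# Constructed sample: duplicates (case-variant), a malformed name, and one extra.
SAMPLE_SEARCH_JSON = json.dumps([
    {"fullName": "octo-org/alpha"},
    {"fullName": "Octo-Org/alpha"},
    {"fullName": "octo-org/beta"},
    {"fullName": "bad name"},
    {"fullName": "octo-org/gamma"},
])

# Constructed sample settings.json with an unrelated key and an existing list.
SAMPLE_SETTINGS = json.dumps({
    "editor.fontSize": 12,
    SETTINGS_KEY: {"old": ["a/b"]},
})


def main(argv: List[str]) -> int:
    # Usage: python mrva_list.py <keyword> <list-name> <path/to/settings.json>
    if len(argv) != 4:
        print("usage: mrva_list.py KEYWORD LIST_NAME SETTINGS_PATH", file=sys.stderr)
        return 2
    keyword, list_name, path = argv[1:]
    repos = search_repos(keyword)
    with open(path, "r", encoding="utf-8") as fh:
        merged = merge_into_settings(fh.read(), list_name, repos)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(merged, fh, indent=2)
        fh.write("\n")
    print(f"wrote {len(repos)} repos to list {list_name!r}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two defender-side details are worth keeping from this sketch: names are compared case-insensitively so the same repository cannot appear twice and eat into the list cap, and the settings file is parsed strictly so a malformed or commented settings.json aborts the run rather than being overwritten.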

aegilops :github::microsoft: · @aegilops
118 followers · 432 posts · Server fosstodon.org

You can now run a single static analysis query across thousands of repos on GitHub using CodeQL's MRVA (Multi-repo Variant Analysis).

That's great both for security research and rapidly auditing exposure to a single vuln or weakness for security teams.

It works from the CodeQL extension for VSCode, with open source public repos & private repos where CodeQL Code Scanning is enabled.

github.blog/2023-03-09-multi-r

#github #securityresearch #vulnerabilityresearch #CodeQL #variantanalysis #mrva #sast

Last updated 1 year ago