example.yaml

# Copyright 2026 Qingwei Li
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

logRoot: logs
repoRoot: repos # repoRoot stores all repositories
dbRoot: codeql-db # dbRoot stores all databases created by codeql indexed by repository name

# clone
repositories:
  - urlPrefix: https://github.com/
    dir: github.com
    repos:
      - junegunn/fzf
      - gookit/filter
      - rclone/rclone v1.72.1 # you can specify branch/commit hash here with only spaces in between org/repo and branch. If repository eixsts, git checkout will be used to switch branch
  - dir: test/
    repos:
      - false-sharing

# build database
language: go # language to analyze
buildTimeout: 3600 # timeout for building repository
buildGrps:
  - buildRepos: # "*" means all repositories. "-" means repositories defined in the "repositories" section. You can also specify fullname of repositories to force re-build. Note that repositories with same fullname in different source will be re-built also.
    - "-"
    # buildCmd will be executed in the root directory of buildRepos. The behavior is decided by codeql. If a custom build script is specified, then the absolute path will be used.
    #
    # There are 3 types of buildCmd:
    #   1. empty or omitted: buildCmd lets codeql figure out the build command.
    #   2. custom script path: relative path from the project root to the build script.
    #   3. build command: the build command to execute in the root directory of buildRepos.
    #
    # If you use custom script, then 4 environment variables will be set:
    #   - REPO_DIR: the root directory of repository(This is used often in build phase)
    #   - PROJROOT: the root directory of the project
    buildCmd: ""

    # generate external predicates predicate
    # For repositories in each group, same genScript will be applied in the root directory of repositories
    # There are 2 types of genScript:
    #
    #   1. goescape: it means `go build -a -gcflags=-m=2 ./...`. The stderr will be redirected to $logRoot/path/to/repo/m2.log. Then escape_adapter is used to generate databases. The external predicate database is generated in $dbRoot/path/to/repo/ext/$external.csv.
    #   2. custom script path: relative path from the project root to the genScript script.
    #
    # If you use custom genScript, then 4 environment variables will be set:
    #   - PROJROOT: the root directory of the project
    #   - REPO_DIR: the root directory of repository
    #   - OUTPUT_DIR: the directory to store intermediate results/log to generate external predicate database
    #   - DB_EXT_DIR: the directory to store external predicate database
    extgenScript: goescape

# query
queryconfig:
  resultRoot: codeqlResult # resultRoot only for -collect csv. Bqrs/csv per db: <dbPath>/results/lslightly/qlstat/<queryPathNoExt>.<fmt>
  parallelCore: 20 # parallel cores to run query
  queryGrps:
    - queryDBs: # "*" means all repositories. "-" means repositories defined in the "repositories" section. Otherwise, use fullnames. Note that repositories with same fullname in different source will be queried.
        - false-sharing
        - rclone
      queries: # queries
        - escape_ext/heapvar_should_move.ql
        - escape_ext/ref_in_go_test.ql
        - escape_ext/heapvar_use_in_go_test.ql
        - escape_ext/same_scope_go_ref_heapvar_test.ql
        - escape_ext/debug_heapvar_c.ql
      externals: [movedToHeap] # names for external predicates. For each predicate $pred, the external database(csv file) is stored in $dbRoot/path/to/repo/ext/$pred.csv. Currently only "movedToHeap" is supported.