mrva

mrva is a terminal-first approach to CodeQL multi-repo variant analysis. You can download existing CodeQL databases from the GitHub API, run variant analyses, and view results all from your local machine. This tool was inspired by the VSCode CodeQL extension, but instead runs as a standalone CLI tool.

Installing

First, install mrva from PyPI:

$ python -m pip install mrva
$ mrva -h

Or, use your favorite Python package installer like pipx or uv.

Using

mrva has the following command tree:

  • mrva
    • download
      • top
      • org
      • repo
      • query
      • from-file
    • analyze
    • pprint
    • print-ast (experimental)

Using mrva generally requires three steps:

  1. Downloading existing CodeQL databases from the GitHub API
  2. Running CodeQL variant analyses against these databases
  3. Viewing the results

First, ensure you have a codeql binary in your $PATH (see the CodeQL CLI releases).

Next, create a directory to store mrva data:

$ mkdir dbs/

This directory will eventually contain CodeQL databases, tool configuration, SARIF results, and other information mrva needs to operate.

Use the mrva download command to download CodeQL databases:

$ mrva download --token $GITHUB_TOKEN --language ruby dbs/ top --limit 100

Note

download will automatically use the $GITHUB_TOKEN environment variable if it's available.

This command will download CodeQL databases of the top 100 GitHub Ruby projects (by star count). You can download other databases by specifying a different --language, or using a different download strategy like download org or download repo.

Use the mrva analyze command to analyze the downloaded databases:

$ mrva analyze dbs/ /path/to/queries -- --rerun --threads=0

Any flags included after -- are passed directly to the CodeQL binary.

Note

mrva recommends using the --threads flag to process multiple queries within a single CodeQL analysis instead of parallelizing multiple CodeQL analyses. This prevents contention between mrva and CodeQL.

Use the mrva pprint command to view analysis results:

$ mrva pprint dbs/

You can also use the pprint command to print raw CodeQL SARIF results:

$ codeql database analyze \
    --format sarif-latest \
    --sarif-add-file-contents \
    --output output.sarif \
    -- db/ query.ql
$ mrva pprint output.sarif
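As an added example (not mrva's own code), the following Python helper flattens the SARIF that codeql writes into one row per finding and, when the analysis ran with --sarif-add-file-contents, recovers the flagged source line from the embedded artifact contents; without that flag the snippet is reported as missing rather than guessed. The sample SARIF document, rule id, paths and source text are constructed placeholders.

```python
import json
# Constructed SARIF 2.1.0 sample in the shape codeql emits; rule id, paths and source text are placeholders.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "CodeQL"}},
    "artifacts": [
        # "contents" is present only when codeql ran with --sarif-add-file-contents.
        {"location": {"uri": "lib/example.rb"},
         "contents": {"text": "module Example\n  def run(q)\n    process(q)\n  end\nend\n"}},
        {"location": {"uri": "lib/other.rb"}},  # no contents: analysed without that flag
    ],
    "results": [
        {"ruleId": "rb/example-rule", "level": "warning", "message": {"text": "First finding."},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/example.rb", "index": 0},
                                             "region": {"startLine": 3}}}]},
        {"ruleId": "rb/example-rule", "level": "warning", "message": {"text": "Second finding."},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/other.rb", "index": 1},
                                             "region": {"startLine": 7}}}]},
    ],
}]})


def snippet_for(artifacts, phys):
    """Return the flagged source line, or None when the SARIF carries no file contents."""
    idx = phys.get("artifactLocation", {}).get("index")
    line_no = phys.get("region", {}).get("startLine")
    if idx is None or line_no is None or not 0 <= idx < len(artifacts):
        return None
    lines = artifacts[idx].get("contents", {}).get("text", "").splitlines()
    return lines[line_no - 1].strip() if 1 <= line_no <= len(lines) else None


def summarize_sarif(sarif_text):
    """Flatten every result location into one triage row (rule, path, line, snippet, message)."""
    rows = []
    for run in json.loads(sarif_text).get("runs", []):
        artifacts = run.get("artifacts", [])
        for res in run.get("results", []):
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                rows.append({
                    "rule": res.get("ruleId"),
                    "path": phys.get("artifactLocation", {}).get("uri"),
                    "line": phys.get("region", {}).get("startLine"),
                    "snippet": snippet_for(artifacts, phys),
                    "message": res.get("message", {}).get("text", ""),
                })
    return rows


if __name__ == "__main__":  # quick look at the constructed sample
    print(*summarize_sarif(SAMPLE_SARIF), sep="\n")
```

Point summarize_sarif at the output.sarif produced above to get the same rows for a real analysis.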

Many of these commands take additional flags to modify their functionality. For example, analyze and pprint take --select and --ignore flags to filter repositories. Use the --help flag to explore all functionality provided by a given command.

Developing

mrva uses poetry for dependency and configuration management.

Before proceeding, install project dependencies with the following command:

$ poetry install --with dev

Note

When running mrva analyze in the Poetry environment you may need to pass -- to poetry run like poetry run -- mrva analyze. This prevents Poetry from getting confused about which arguments are its arguments, mrva's arguments, and codeql's arguments.

Linting

Lint all project files with the following command:

$ poetry run pre-commit run --all-files

Testing

Run Python tests with the following command:

$ poetry run pytest --cov
