Summary
Several usability issues were observed during an extended CodeQL analysis session using ql-mcp tools via an LLM agent (VS Code Copilot). These fall into two categories: tool input validation bugs that waste invocations, and missing capabilities that forced manual workarounds.
Related: #207 (the planned gh-ql-mcp-client Go rewrite addresses some of the SARIF workflow gaps noted here)
1. Validation errors revealed one-at-a-time
Tools affected: audit_store_findings, annotation_create (likely all tools using JSON Schema validation)
Current state: When multiple required parameters are missing, the tool returns an error for only the first missing field. After supplying that field and re-invoking, a second missing field is reported, and so on. This forces iterative trial-and-error to discover the full parameter contract.
Example with audit_store_findings:
- Invoked without
owner → must have required property 'owner'
- Added
owner, re-invoked → must have required property 'sourceLocation'
Example with annotation_create:
- Invoked without
category → must have required property 'category'
- Added
category, re-invoked → must have required property 'entityKey'
- Added
entityKey → success
Desired state: A single validation error listing ALL missing required properties (e.g. must have required properties: 'owner', 'sourceLocation').
Requirements
2. database_create uses kebab-case params with unhelpful rejection message
Tool: codeql_database_create
Current state: The tool accepts source-root (kebab-case) but rejects sourceRoot (camelCase) with:
Your input to the tool was invalid (must NOT have additional properties)
The error does not identify which property was rejected. LLM agents commonly default to camelCase JSON keys, making this a frequent first-invocation failure.
Desired state: Either accept both naming conventions, or include the rejected property name in the error message.
Requirements
3. Python database extracts node_modules/ template files
Tool: codeql_database_create
Current state: The Python extractor picks up template .py files from node_modules/ (e.g. aws-cdk init templates with placeholder syntax). These produce py/syntax-error results in the analysis that are always false positives.
Desired state: node_modules/ is excluded by default for interpreted language extractors (matching CodeQL's own LGTM.com behavior), or an --exclude-paths parameter is surfaced.
Requirements
4. sarif_list_rules lacks per-rule result counts
Tool: sarif_list_rules
Current state: Returns full rule metadata (description, help, tags, severity) for every rule in the SARIF file but does not include the count of results per rule. To determine which rules actually produced findings and how many, the SARIF file must be parsed separately.
Desired state: Each rule entry includes a resultCount field.
Requirements
5. No SARIF-to-git-diff correlation tool
Tool: (missing — feature request)
Current state: There is no MCP tool for determining whether a given SARIF alert is associated with code locations changed in a set of git commits. To triage SARIF results by branch, we had to:
- Run
git diff --name-only <merge-base>..HEAD to get changed files
- Parse each SARIF file's
results[].locations[].physicalLocation.artifactLocation.uri
- Cross-reference manually to classify findings as "new on this branch" vs "pre-existing"
Desired state: A tool like sarif_diff_by_commits that accepts a SARIF path and a git ref range (or commit list), and returns results partitioned into {new: [...], preexisting: [...]} based on whether the finding's file (and optionally line range) overlaps with the diff. GitHub's Code Scanning API already performs this logic server-side for PR checks.
Requirements
Summary
Several usability issues were observed during an extended CodeQL analysis session using
ql-mcptools via an LLM agent (VS Code Copilot). These fall into two categories: tool input validation bugs that waste invocations, and missing capabilities that forced manual workarounds.Related: #207 (the planned
gh-ql-mcp-clientGo rewrite addresses some of the SARIF workflow gaps noted here)1. Validation errors revealed one-at-a-time
Tools affected:
audit_store_findings,annotation_create(likely all tools using JSON Schema validation)Current state: When multiple required parameters are missing, the tool returns an error for only the first missing field. After supplying that field and re-invoking, a second missing field is reported, and so on. This forces iterative trial-and-error to discover the full parameter contract.
Example with
audit_store_findings:owner→must have required property 'owner'owner, re-invoked →must have required property 'sourceLocation'Example with
annotation_create:category→must have required property 'category'category, re-invoked →must have required property 'entityKey'entityKey→ successDesired state: A single validation error listing ALL missing required properties (e.g.
must have required properties: 'owner', 'sourceLocation').Requirements
allErrors: true(or equivalent) in the JSON Schema validator so all violations are reported in one response2.
database_createuses kebab-case params with unhelpful rejection messageTool:
codeql_database_createCurrent state: The tool accepts
source-root(kebab-case) but rejectssourceRoot(camelCase) with:The error does not identify which property was rejected. LLM agents commonly default to camelCase JSON keys, making this a frequent first-invocation failure.
Desired state: Either accept both naming conventions, or include the rejected property name in the error message.
Requirements
unknown property 'sourceRoot' — did you mean 'source-root'?)3. Python database extracts
node_modules/template filesTool:
codeql_database_createCurrent state: The Python extractor picks up template
.pyfiles fromnode_modules/(e.g. aws-cdk init templates with placeholder syntax). These producepy/syntax-errorresults in the analysis that are always false positives.Desired state:
node_modules/is excluded by default for interpreted language extractors (matching CodeQL's own LGTM.com behavior), or an--exclude-pathsparameter is surfaced.Requirements
node_modules/from Python and JavaScript database creation by default, orexclude-pathsparameter oncodeql_database_create4.
sarif_list_ruleslacks per-rule result countsTool:
sarif_list_rulesCurrent state: Returns full rule metadata (description, help, tags, severity) for every rule in the SARIF file but does not include the count of results per rule. To determine which rules actually produced findings and how many, the SARIF file must be parsed separately.
Desired state: Each rule entry includes a
resultCountfield.Requirements
resultCountfield to each rule in thesarif_list_rulesresponse5. No SARIF-to-git-diff correlation tool
Tool: (missing — feature request)
Current state: There is no MCP tool for determining whether a given SARIF alert is associated with code locations changed in a set of git commits. To triage SARIF results by branch, we had to:
git diff --name-only <merge-base>..HEADto get changed filesresults[].locations[].physicalLocation.artifactLocation.uriDesired state: A tool like
sarif_diff_by_commitsthat accepts a SARIF path and a git ref range (or commit list), and returns results partitioned into{new: [...], preexisting: [...]}based on whether the finding's file (and optionally line range) overlaps with the diff. GitHub's Code Scanning API already performs this logic server-side for PR checks.Requirements