Introducing mrva, a terminal-first approach to CodeQL multi-repo variant analysis

The author created `mrva`, a terminal-first alternative to GitHub's CodeQL multi-repository variant analysis (MRVA), aimed at Vim users and run locally. `mrva` lets users download pre-built CodeQL databases, analyze them with queries, and view the results in the terminal. Installation is straightforward via Python's package manager, and the workflow consists of three steps: download, analysis, and printing. `mrva` differs from both GitHub's VS Code extension and the CodeQL CLI by prioritizing local execution and customization. Key features include local analysis, easier modification of parameters, and viewing findings locally. Useful implementation details include the GitHub CodeQL database API and flags such as `--sarif-add-file-contents`. The text distinguishes alert queries from path queries and highlights graph queries for advanced analysis. The author values `mrva` for its flexibility, which enables local, scheduled, and headless analyses. The goal is to find security bugs at scale with all the benefits of the terminal. The author looks forward to future CodeQL explorations.
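The "printing" step of the download, analyze, print workflow, together with the alert-query versus path-query distinction, as an added Python example that is not code from `mrva` or from the original post: it reads a CodeQL SARIF file and prints findings in a grep-able terminal form, listing the source-to-sink steps for path-query results and the offending source line when the SARIF was produced with `--sarif-add-file-contents`. The SARIF document is constructed inline for the example; its rule ids, file names and the artifact layout it relies on (`runs[].artifacts[].contents.text` for file contents, `results[].codeFlows[]` for paths) follow the SARIF 2.1.0 schema and are assumptions about the CLI's output, not material from the post.

```python
"""Terminal printer for CodeQL SARIF results (added example, not mrva code).

Alert queries yield results with a single location; path queries add
codeFlows with the taint path. With --sarif-add-file-contents the SARIF
also carries each file's text under runs[].artifacts[].contents.text.
"""
import json

# Constructed SARIF 2.1.0 fragment: one alert-query result, one path-query
# result, and an artifacts entry as emitted with --sarif-add-file-contents.
# Rule ids and file names are illustrative, not real analysis output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "artifacts": [{
            "location": {"uri": "app/handler.py"},
            "contents": {"text": "import os\n\ndef run(cmd):\n    os.system(cmd)\n"},
        }],
        "results": [
            {   # alert query: one location, no code flow
                "ruleId": "py/hardcoded-credentials",
                "message": {"text": "Hard-coded credential used here."},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "app/config.py"},
                    "region": {"startLine": 7}}}],
            },
            {   # path query: sink location plus the source-to-sink steps
                "ruleId": "py/command-line-injection",
                "message": {"text": "Command built from user input."},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "app/handler.py"},
                    "region": {"startLine": 4}}}],
                "codeFlows": [{"threadFlows": [{"locations": [
                    {"location": {"physicalLocation": {
                        "artifactLocation": {"uri": "app/handler.py"},
                        "region": {"startLine": 3}}}},
                    {"location": {"physicalLocation": {
                        "artifactLocation": {"uri": "app/handler.py"},
                        "region": {"startLine": 4}}}},
                ]}]}],
            },
        ],
    }],
})


def _loc(physical):
    """Return (uri, startLine) from a SARIF physicalLocation object."""
    uri = physical.get("artifactLocation", {}).get("uri", "?")
    line = physical.get("region", {}).get("startLine", 0)
    return uri, line


def file_contents(run):
    """Map uri -> source lines from run.artifacts[].contents.text.

    The mapping is empty when the SARIF was produced without
    --sarif-add-file-contents, so callers must tolerate missing files.
    """
    out = {}
    for art in run.get("artifacts", []):
        text = art.get("contents", {}).get("text")
        uri = art.get("location", {}).get("uri")
        if text is not None and uri:
            out[uri] = text.splitlines()
    return out


def findings(sarif_text):
    """Parse SARIF into dicts: rule, message, uri, line, path steps
    (empty for alert queries) and the source line when contents exist."""
    doc = json.loads(sarif_text)
    out = []
    for run in doc.get("runs", []):
        sources = file_contents(run)
        for res in run.get("results", []):
            uri, line = _loc(res["locations"][0]["physicalLocation"])
            steps = []
            flows = res.get("codeFlows", [])
            if flows and flows[0].get("threadFlows"):
                # Print the first thread flow of the first code flow only;
                # CodeQL may report several equivalent paths per sink.
                steps = [_loc(step["location"]["physicalLocation"])
                         for step in flows[0]["threadFlows"][0].get("locations", [])]
            src = sources.get(uri, [])
            snippet = src[line - 1].strip() if 0 < line <= len(src) else None
            out.append({"rule": res.get("ruleId"), "message": res["message"]["text"],
                        "uri": uri, "line": line, "steps": steps, "snippet": snippet})
    return out


def render(sarif_text):
    """One grep-able header line per finding, then snippet and path steps."""
    lines = []
    for f in findings(sarif_text):
        kind = "path" if f["steps"] else "alert"
        lines.append(f"[{kind}] {f['rule']} {f['uri']}:{f['line']} {f['message']}")
        if f["snippet"] is not None:
            lines.append(f"    | {f['snippet']}")
        for i, (uri, ln) in enumerate(f["steps"], 1):
            lines.append(f"    step {i}: {uri}:{ln}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_SARIF))
```

Pointing `findings()` at the output of `codeql database analyze … --format=sarif-latest --output=results.sarif` (after `json.load`-ing that file instead of `SAMPLE_SARIF`) gives the same block-per-finding text; the header lines are deliberately single-line so they pipe cleanly into `grep`, `sort` or a Vim quickfix list, and the snippet line shows why running the analysis with `--sarif-add-file-contents` pays off when the databases were downloaded rather than built from a local checkout.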