CFG for shell script in CodeQL

Open rizwanhrizvi opened this issue 1 month ago • 4 comments

Hello, we are looking for methods to extract a control flow graph from shell scripts.

We tried getACommand (by calling it multiple times against the same script). However, it seems the sequence of results, which are commands in the target script, does not necessarily follow the order of those commands in the script file (or the run section of workflow file).

Just want to clarify: Is there any support for a basic control-flow graph in CodeQL?

rizwanhrizvi, Nov 17 '25 21:11

Hi, thanks for reaching out. Just to be clear, which language are you trying to analyze with CodeQL?

If you're trying to run CodeQL against standalone shell scripts, then it won't work because it's not one of the officially supported languages.

But if you're trying to analyze a GitHub Action that contains an embedded shell script, then instead of ShellScript.getACommand(), which returns the commands in a script in an arbitrary order, use ShellScript.getCommand(int index), which returns the command at a specific index. That's a common idiom in QL: getAFoo() is the same as getFoo(_). You can also check out getStmt(int i), getCmd(int i), getFileReadCommand(int i), and getAssignment(int i), which are different ways of looking into a (Bash)ShellScript and can be used as building blocks for a bash CFG.

However, the existing Actions CFG module (codeql.actions.Cfg) doesn't appear to compute a CFG at the granularity of individual shell script commands.

d10c, Nov 18 '25 12:11
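The indexed accessor described in the comment above, written out as a query. This is an added example, not part of the original thread and not code from the CodeQL project; the page names only `ShellScript.getCommand(int index)` and `getACommand()`, so the `Run` class, its `getScript()` member, and the string result type are assumptions about the Actions library.

```ql
/**
 * Lists consecutive command pairs of each workflow `run:` script in source order.
 * Added example; apart from getCommand(int), the library names are assumptions.
 */

import actions

/**
 * Holds if `next` directly follows `cmd` in `script`, where `cmd` is the
 * command at index `i`.
 *
 * This models straight-line order only. `if`/`else` branches and loops are
 * not represented, matching the statement in the thread that the Actions CFG
 * module does not work at the granularity of individual shell commands.
 */
predicate straightLineSucc(ShellScript script, int i, string cmd, string next) {
  // getCommand(i) returns the command at a specific index, unlike
  // getACommand(), which returns the commands in arbitrary order.
  cmd = script.getCommand(i) and
  next = script.getCommand(i + 1)
}

from Run run, ShellScript script, int i, string cmd, string next
where
  // Assumption: Run.getScript() yields the ShellScript embedded in a run step.
  script = run.getScript() and
  straightLineSucc(script, i, cmd, next)
select run, i, cmd, next order by i
```

Each result row is one edge of a linear chain per `run` step, so a script with a single command produces no rows.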

Hi, thanks for your timely response.

Our goal is analyzing shell scripts (extracted from workflow files, say under the “run” sections). I guess your suggestion for getCommand(i) works for straight-line code blocks. Just wondering if there is any CFG support for conditional statements, like if/else clauses or even loops in shell scripts.

rizwanhrizvi, Nov 22 '25 15:11

👋 @rizwanhrizvi there is no such support for the moment. Having support for that in practice corresponds to implementing full CodeQL support for the sh/bash language as a whole. This is currently not on our roadmap, but we may consider it in the future.

redsun82, Nov 24 '25 10:11

This issue is stale because it has been open 14 days with no activity. Comment or remove the Stale label in order to avoid having this issue closed in 7 days.

github-actions[bot], Dec 09 '25 02:12

This issue was closed because it has been inactive for 7 days.

github-actions[bot], Dec 16 '25 02:12