github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

How to change SensitiveDataHeuristics.qll to find my own secrets? #14356

Open almaz045 opened 1 year ago

almaz045 commented 1 year ago

I am new to CodeQL and I want to change CleartextLoggingQuery.qll locally to find my own secrets that could be logged. I noticed that this query links to SensitiveDataHeuristics.qll. I use codeql-bundle. Tell me, please, what options do I have to edit queries? In this case, if I'm right, do I need to edit SensitiveDataHeuristics.qll and somehow rebuild the rule? Or should I use codeql-cli and somehow create my own query packages? Help solve the problem, please. Thanks

mbg commented 1 year ago

Hi @almaz045! Welcome to CodeQL!

You have a few options for customising queries.

  1. You could start by cloning the vscode-codeql-starter repository and modifying the query sources there. Rather than modifying the internal SensitiveDataHeuristics.qll file, we actually have a specific extension point where you can add your own definitions. There you could add your own classes which extend the Source class from CleartextLoggingCustomizations.qll.
  2. For a more involved solution that you could use as part of a GitHub Actions workflow that scans your project, you could look into using https://github.com/advanced-security/codeql-bundle-action.

Let me know if that helps and if you have any follow-up questions!
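The extension point described in option 1, as an added illustration that is not part of the thread or of the CodeQL repository: a project-specific `Source` subclass placed in the starter workspace. It assumes the JavaScript library (the issue does not say which language), the module path `semmle.javascript.security.dataflow.CleartextLoggingCustomizations`, and that `CleartextLogging::Source` declares an abstract `describe()`; the secret names matched by the regex are hypothetical placeholders.

```ql
/**
 * Added example, not code from the CodeQL project.
 * Assumes the JavaScript CodeQL library and the CleartextLogging::Source
 * extension point from CleartextLoggingCustomizations.qll.
 * Save as e.g. MySecrets.qll next to the query you run from the starter
 * workspace, and `import MySecrets` from that query so the class is loaded.
 */
import javascript
import semmle.javascript.security.dataflow.CleartextLoggingCustomizations

/**
 * Marks a variable read or property read whose name matches a
 * project-specific credential pattern as sensitive data, so that the
 * standard cleartext-logging configuration treats it as a source.
 * The names below (acme_token, internal_api_key, session_secret) are
 * hypothetical placeholders; replace them with your own identifiers.
 */
class MyInternalSecretSource extends CleartextLogging::Source {
  string name;

  MyInternalSecretSource() {
    (
      // a read of an object property, e.g. `config.acme_token`
      name = this.(DataFlow::PropRead).getPropertyName()
      or
      // a read of a variable, e.g. `const internal_api_key = ...`
      name = this.asExpr().(VarAccess).getName()
    ) and
    // case-insensitive match on the placeholder names; keep it narrow to
    // avoid flooding results with false positives
    name.regexpMatch("(?i).*(acme_token|internal_api_key|session_secret).*")
  }

  // Shown in the alert message to explain why the value is considered sensitive.
  override string describe() { result = "an internal credential (" + name + ")" }
}
```

Because the library's cleartext-logging configuration selects every `CleartextLogging::Source`, no change to SensitiveDataHeuristics.qll is needed; only the query file that imports this module has to be run.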