Introducing mrva, a terminal-first approach to CodeQL multi-repo variant analysis

In 2023 GitHub introduced CodeQL multi-repository variant analysis (MRVA). This functionality lets you run queries across thousands of projects using pre-built databases and drastically reduces the time needed to find security bugs at scale.

There’s just one problem: it’s largely built on VS Code and I’m a Vim user and a terminal junkie. That’s why I built mrva, a composable, terminal-first alternative that runs entirely on your machine and outputs results wherever stdout leads you.

In this post I will cover installing and using mrva, compare its feature set to GitHub’s MRVA functionality, and discuss a few interesting implementation details I discovered while working on it.

Here is a quick example of what you’ll see at the end of your mrva journey:

Installing and running mrva

First, install mrva from PyPI:

    $ python -m pip install mrva

Or, use your favorite Python package installer like pipx or uv.
Summary
GitHub’s 2023 CodeQL multi-repo variant analysis (MRVA) lets users run queries across thousands of projects, but its tooling is largely VS Code-centric. To address this, the author released mrva, a terminal-first, composable alternative that runs entirely on a local machine. Installed via PyPI, mrva downloads pre-built CodeQL databases, executes queries, and pretty-prints results to stdout, supporting CSV and SARIF output. It offers the same core workflow as GitHub’s MRVA but eliminates cloud-first dependencies, allowing users (especially Vim or terminal enthusiasts) to perform large-scale security analysis locally with minimal overhead.
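Because a multi-repo run can produce hundreds of results, the SARIF output mentioned above is most useful when it is summarized per rule and per repository before anyone reads individual hits. The script below is an added example, not code from mrva or the original post; it assumes mrva's SARIF output is a standard SARIF 2.1.0 log and that artifact URIs begin with `<owner>/<repo>/` (both assumptions), and it embeds a constructed sample log so it runs offline.

```python
import json
from collections import Counter

# Constructed sample: a SARIF 2.1.0 log with results from two repositories and
# one result with no location, shaped like the output of a multi-repo run.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "CodeQL"}}, "results": [
        {"ruleId": "py/sql-injection", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "org/repo-a/app/db.py"},
            "region": {"startLine": 42}}}]},
        {"ruleId": "py/path-injection", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "org/repo-a/app/files.py"},
            "region": {"startLine": 17}}}]},
        {"ruleId": "py/sql-injection", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "org/repo-b/src/query.py"},
            "region": {"startLine": 8}}}]},
        {"ruleId": "py/sql-injection", "locations": []},
    ]}]
})


def load_sarif_results(text):
    """Flatten a SARIF log into (repo, rule, uri, line) tuples.

    Assumption (not guaranteed by mrva): the artifact URI starts with
    "<owner>/<repo>/", so the repository is its first two path components.
    A result with no location is kept and attributed to "<unknown>".
    """
    rows = []
    for run in json.loads(text).get("runs", []):
        for res in run.get("results", []):
            rule = res.get("ruleId", "<no-rule>")
            for loc in res.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                line = phys.get("region", {}).get("startLine")
                parts = uri.split("/", 2)
                repo = "/".join(parts[:2]) if len(parts) == 3 else "<unknown>"
                rows.append((repo, rule, uri, line))
    return rows


def summarize(text):
    """Per-rule and per-repo hit counts for triaging a large run."""
    rows = load_sarif_results(text)
    return {"per_rule": dict(Counter(r[1] for r in rows)),
            "per_repo": dict(Counter(r[0] for r in rows)),
            "total": len(rows)}
```

Feeding a real run's SARIF file to `summarize` (for example via `sys.stdin.read()`) gives the same counts, which is usually the first thing to look at before opening any single result.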