CodeQL

A query language for repositories of code

Setup

Follow the Getting Started documentation to install the precompiled binary:

Getting Started with installing the CodeQL CLI and some other useful tools

On the releases page, download the "CodeQL Bundle" asset that matches your platform, most likely codeql-bundle-linux64.tar.gz. The bundle contains the CLI together with the standard query packs.

In case you need more queries for different languages not already included in the bundle, try downloading a precompiled pack of queries per language:

Example
$ codeql pack download codeql/python-queries

Creating a database

Create a CodeQL database from a repository to analyze later with queries

Create a database with the following command, inside the root folder of the project you are trying to analyze. <database> will be the output directory, and <language-identifier> is one of the supported languages that the project is written in.

$ codeql database create <database> --language=<language-identifier>
Example
$ codeql database create my-project --language=python

Tip: For some compiled languages like java, the autobuilder may not be able to build your source code in order to index it. You can pass --build-mode=none to skip building the project and have CodeQL extract the source files only.

Analyzing a database

Use queries to analyze a CodeQL database

When you have created a database, use the database analyze command to run queries against it. <format> is one of several supported output formats, such as csv or sarif-latest.

$ codeql database analyze <database> --format=<format> --output <output-file>
Example
$ codeql database analyze my-project --format=sarif-latest --output my-project.sarif

You can view a CSV file with any spreadsheet program, but the most useful format is .sarif. To view the findings and locations in the code you can use the Sarif Viewer VSCode extension.
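If you want to triage the SARIF output outside an editor (for example in CI, to fail a build on high-severity findings), the structure is simple enough to read directly. The script below is an added example and not part of this page or the CodeQL project; it follows the SARIF 2.1.0 layout (runs[].results[] with ruleId, level, message and physicalLocation) and assumes, as CodeQL does for its security queries, that rule metadata carries a "security-severity" property. The embedded SARIF document is constructed for illustration and is not real CodeQL output.

```python
import json
import sys
from typing import Dict, List, Optional

# Constructed sample: a trimmed SARIF 2.1.0 log shaped like the output of
# `codeql database analyze ... --format=sarif-latest`. Not real CodeQL output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "CodeQL",
            "rules": [
                {"id": "py/sql-injection",
                 "shortDescription": {"text": "SQL query built from user-controlled sources"},
                 "properties": {"security-severity": "8.8", "precision": "high"}},
                {"id": "py/unused-import",
                 "shortDescription": {"text": "Unused import"},
                 "properties": {"precision": "very-high"}},
            ],
        }},
        "results": [
            {"ruleId": "py/sql-injection", "ruleIndex": 0, "level": "error",
             "message": {"text": "This SQL query depends on a user-provided value."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42, "startColumn": 12}}}]},
            {"ruleId": "py/unused-import", "ruleIndex": 1, "level": "note",
             "message": {"text": "Import of 'os' is not used."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def load_findings(sarif_text: str) -> List[Dict]:
    """Flatten every result in every run into one dict per finding."""
    log = json.loads(sarif_text)
    findings: List[Dict] = []
    for run in log.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rules_by_id = {r["id"]: r for r in rules}
        for res in run.get("results", []):
            rule = rules_by_id.get(res.get("ruleId"), {})
            props = rule.get("properties", {})
            # Security queries carry a CVSS-style score; other queries have none.
            sev = props.get("security-severity")
            # Only the first location is reported; data-flow results may have more.
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId"),
                "level": res.get("level", "warning"),  # SARIF default level
                "security_severity": float(sev) if sev is not None else None,
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def security_findings(findings: List[Dict], min_score: float = 7.0) -> List[Dict]:
    """Keep only findings whose security-severity reaches min_score (CVSS scale)."""
    return [f for f in findings
            if f["security_severity"] is not None and f["security_severity"] >= min_score]


def format_finding(f: Dict) -> str:
    """Render one finding in the file:line: [level] rule: message form."""
    return f"{f['file']}:{f['line']}: [{f['level']}] {f['rule']}: {f['message']}"


if __name__ == "__main__":
    # Usage: python sarif_triage.py my-project.sarif  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    found = load_findings(text)
    for f in found:
        print(format_finding(f))
    # Non-zero exit when any high-severity security finding is present.
    sys.exit(1 if security_findings(found) else 0)
```

Pointing the script at the my-project.sarif produced above lists every finding with its location and exits non-zero when a security query scored 7.0 or higher, which is the usual gate for failing a pipeline; the threshold and the choice of first location only are assumptions you would tune for your project.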

Download SARIF Viewer extension by Microsoft DevLabs
