CodeQL

A query language for repositories of code

Setup

Follow the Getting Started documentation to install the precompiled CodeQL CLI binary.

Then download the standard query pack for your language. The packs are named codeql/<language>-queries and contain the security and code-quality queries that codeql database analyze runs by default:

Example
$ codeql pack download codeql/python-queries

Creating a database

Run the following command from the root folder of the project you want to analyze. <database> is the directory the database is written to, and <language-identifier> is the identifier of one of the supported languages the project is written in (for example python, javascript, java, cpp, csharp, go or ruby). For compiled languages CodeQL has to observe the build, so also pass the build command with --command (for example --command="make"); if the source is not in the current directory, point at it with --source-root.

$ codeql database create <database> --language=<language-identifier>
Example
$ codeql database create my-project --language=python

Analyzing a database

Once the database exists, use the analyze command to run queries against it. If you name no queries, the default suite of the language's standard query pack is used; you can also pass a query pack, a query suite (for example codeql/python-queries:codeql-suites/python-security-extended.qls) or individual .ql files as extra arguments. <format> selects the output format, for example csv or sarif-latest.

$ codeql database analyze <database> --format=<format> --output <output-file>
Example
$ codeql database analyze my-project --format=sarif-latest --output my-project.sarif

A CSV file opens in any spreadsheet program, but SARIF is the more useful format: each finding carries its rule metadata, message, file and line. To browse the findings at their locations in the code, open the .sarif file with the SARIF Viewer VS Code extension.
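SARIF is plain JSON, so the findings can also be triaged from the command line without a viewer. The script below is an added example, not code from the CodeQL project or from this page: it reads the SARIF 2.1.0 document that codeql database analyze --format=sarif-latest writes, joins each result to its rule metadata (CodeQL security queries carry a CVSS-style security-severity score there; quality queries do not) and prints one line per finding, highest severity first. The embedded SAMPLE_SARIF is a constructed document with the shape of CodeQL output, used only so the script runs offline; the file name sarif_triage.py and the min_score threshold are this example's own choices.

```python
"""Triage CodeQL SARIF output from the command line.

Added example, not part of the CodeQL project or the original page. It reads
the SARIF 2.1.0 document that `codeql database analyze --format=sarif-latest`
produces and lists each finding with its rule, severity score, file and line,
highest severity first, so results can be reviewed without a SARIF viewer.
"""
import json
import sys

# SARIF "level" values ordered for sorting when no security score is present.
LEVEL_RANK = {"error": 3, "warning": 2, "note": 1, "none": 0}

# Constructed sample with the shape of CodeQL's SARIF (rules under
# runs[].tool.driver.rules, results under runs[].results). It is made up for
# this example and is not real analyzer output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "py/sql-injection",
             "shortDescription": {"text": "SQL query built from user-controlled sources"},
             "properties": {"problem.severity": "error", "security-severity": "8.8"}},
            {"id": "py/unused-import",
             "shortDescription": {"text": "Unused import"},
             "properties": {"problem.severity": "recommendation"}},
        ]}},
        "results": [
            {"ruleId": "py/unused-import", "ruleIndex": 1, "level": "note",
             "message": {"text": "Import of 'os' is not used."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py", "uriBaseId": "%SRCROOT%"},
                 "region": {"startLine": 3, "startColumn": 1}}}]},
            {"ruleId": "py/sql-injection", "ruleIndex": 0, "level": "error",
             "message": {"text": "This SQL query depends on a user-provided value."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py", "uriBaseId": "%SRCROOT%"},
                 "region": {"startLine": 42, "startColumn": 9}}}]},
        ],
    }],
}


def rules_by_id(run):
    """Index a run's rule metadata by rule id; results only carry the id."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r["id"]: r for r in rules if "id" in r}


def load_findings(sarif, min_score=0.0):
    """Flatten every result in every run to a dict and sort by severity.

    CodeQL security queries carry a CVSS-style 'security-severity' (0-10) in
    the rule properties; quality queries do not, so they score 0 and sort by
    SARIF level instead. Findings below min_score are dropped.
    """
    findings = []
    for run in sarif.get("runs", []):
        rules = rules_by_id(run)
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId", ""), {})
            score = float(rule.get("properties", {}).get("security-severity", 0.0))
            if score < min_score:
                continue
            # A result may have several locations; report each on its own line.
            for loc in res.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                findings.append({
                    "rule": res.get("ruleId", "<no rule>"),
                    "title": rule.get("shortDescription", {}).get("text", ""),
                    "level": res.get("level", "none"),
                    "score": score,
                    "file": phys.get("artifactLocation", {}).get("uri", "<unknown>"),
                    "line": phys.get("region", {}).get("startLine", 0),
                    "message": res.get("message", {}).get("text", ""),
                })
    findings.sort(key=lambda f: (-f["score"], -LEVEL_RANK.get(f["level"], 0), f["file"], f["line"]))
    return findings


def format_finding(f):
    """One grep-friendly line per finding: file:line  score  level  rule  message."""
    return f'{f["file"]}:{f["line"]}  {f["score"]:>4.1f}  {f["level"]:<7}  {f["rule"]}  {f["message"]}'


def main(argv):
    """Usage: python sarif_triage.py [results.sarif] [min_score]."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_SARIF  # fall back to the constructed sample
    min_score = float(argv[2]) if len(argv) > 2 else 0.0
    for f in load_findings(doc, min_score):
        print(format_finding(f))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as python sarif_triage.py my-project.sarif 7.0 to list only findings whose rule has a security-severity of 7.0 or higher; the file:line prefix makes the output easy to grep or to feed to an editor. Paths are relative to the source root the database was created from (SARIF marks this with the %SRCROOT% base id).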
