# CodeQL

## Setup

Follow the Getting Started documentation to install the precompiled binary:

{% embed url="https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/getting-started-with-the-codeql-cli" %}
Getting Started with installing the CodeQL CLI and some other useful tools
{% endembed %}

On the releases page, download the "CodeQL Bundle" from the release assets, most likely [`codeql-bundle-linux64.tar.gz`](https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz).

If you need queries for a language that is not already included in the bundle, download a [precompiled pack of queries](https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli#testing-the-codeql-cli-configuration) for that language:

{% code title="Example" %}

```bash
codeql pack download codeql/python-queries
```

{% endcode %}

## Creating a database

{% embed url="https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/creating-codeql-databases" %}
Create a CodeQL database from a repository to analyze later with queries
{% endembed %}

Create a database with the following command, run from the root folder of the project you want to analyze. `<database>` is the output directory, and `<language-identifier>` is one of the supported languages that the project is written in.

```bash
codeql database create <database> --language=<language-identifier>
```

{% code title="Example" %}

```bash
codeql database create .codeql --language=python
```

{% endcode %}

{% hint style="info" %}
**Tip**: For some compiled languages like `java`, the autobuilder may not be able to build your source code in order to index it. You can pass `--build-mode=none` to skip building the project and only extract the source files.
{% endhint %}

## Analyzing a database

{% embed url="https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/analyzing-databases-with-the-codeql-cli" %}
Use queries to analyze a CodeQL database
{% endembed %}

Once you have created a database, use the `analyze` command to run queries against it. `<format>` is one of several supported output formats, such as `csv` or `sarif-latest`.

```bash
codeql database analyze <database> --format=<format> --output <output-file>
```

{% code title="Example" %}

```bash
codeql database analyze .codeql --format=sarif-latest --output codeql.sarif
```

{% endcode %}

You can view a CSV file with any spreadsheet program, but the most useful format is [`.sarif`](https://docs.github.com/en/code-security/codeql-cli/codeql-cli-reference/sarif-output). To view the findings and their locations in the code, you can use the [Sarif Viewer VSCode extension](https://github.com/microsoft/sarif-vscode-extension).

{% embed url="https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer" %}
Download **SARIF Viewer** extension by Microsoft DevLabs
{% endembed %}
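If you would rather triage the `codeql.sarif` file from the command line than in the extension, the following added example (not from the original page or the CodeQL project) flattens a SARIF 2.1.0 document into one finding per result, resolves each rule's `security-severity` score from the `tool.driver.rules` table, and tolerates results that carry no location. The embedded SARIF sample is constructed for the example; the file name `sarif_summary.py` is assumed.

```python
import json
import sys
from collections import Counter

# Constructed sample of the SARIF that `codeql database analyze --format=sarif-latest` writes,
# trimmed to the fields used below (real CodeQL rule ids; severity and locations are made up).
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL", "rules": [
        {"id": "py/sql-injection", "properties": {"security-severity": "8.8"}},
        {"id": "py/unused-import"}]}},
    "results": [
        {"ruleId": "py/sql-injection", "ruleIndex": 0, "level": "error",
         "message": {"text": "This SQL query depends on a user-provided value."},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"}, "region": {"startLine": 42}}}]},
        {"ruleId": "py/unused-import", "ruleIndex": 1, "level": "note",
         "message": {"text": "Import of 'os' is not used."},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"}, "region": {"startLine": 3}}}]},
        # A result without any location is valid SARIF and must not crash the parser.
        {"ruleId": "py/sql-injection", "ruleIndex": 0, "level": "error",
         "message": {"text": "This SQL query depends on a user-provided value."}},
    ]}]})

def load_findings(sarif_text):
    """Flatten every result of every run into a dict with rule, level, severity and location."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        for res in run.get("results", []):
            idx = res.get("ruleIndex", -1)
            rule = rules[idx] if 0 <= idx < len(rules) else {}
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})  # primary location only
            findings.append({
                "rule": res.get("ruleId", rule.get("id", "<unknown>")),
                "level": res.get("level", "warning"),  # fallback when the field is absent
                "severity": float(rule.get("properties", {}).get("security-severity", 0.0)),
                "file": phys.get("artifactLocation", {}).get("uri", "<no location>"),
                "line": phys.get("region", {}).get("startLine", 0),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings

def summarize(findings, min_severity=0.0):
    """Count findings per rule, keeping only rules at or above a security-severity score."""
    counts = Counter(f["rule"] for f in findings if f["severity"] >= min_severity)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":  # usage: python sarif_summary.py codeql.sarif
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    for f in load_findings(text):
        print(f"{f['file']}:{f['line']} [{f['level']}] {f['rule']}: {f['message']}")
```

Without an argument the script runs on the embedded sample; `summarize(load_findings(text), min_severity=7.0)` narrows the output to the high-severity security rules.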
