BlogContact

CodeQL

A query language for repositories of code

Setup

Follow the Getting Started documentation to install the precompiled binary:

LogoSetting up the CodeQL CLI - GitHub DocsGitHub Docs
Getting Started with installing the CodeQL CLI and some other useful tools

On the releases page, you should download the "CodeQL Bundle" from any of the assets, likely codeql-bundle-linux64.tar.gz.

In case you need more queries for different languages not already included in the bundle, try downloading a precompiled pack of queries per language:

Creating a database

LogoPreparing your code for CodeQL analysis - GitHub DocsGitHub Docs
Create a CodeQL database from a repository to analyze later with queries

Create a database with the following command, inside the root folder of the project you are trying to analyze. <database> will be the output directory, and <language-identifier> is one of the supported languages that the project is written in.

Tip: For some compiled languages like java, the autobuilder may not be able to build your source code to index it. You can choose for --build-mode=none to disable building the project and just look at the source files.

Analyzing a database

LogoAnalyzing your code with CodeQL queries - GitHub DocsGitHub Docs
Use queries to analyze a CodeQL database

When you have created a database, use the analyze command to run queries on a database. <format> can be one of the possible multiple formats, like csv or sarif-latest.

You can view a CSV file with any spreadsheet program, but the most useful format is .sarif. To view the findings and locations in the code you can use the Sarif Viewer VSCode extension.

https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewermarketplace.visualstudio.com
Download SARIF Viewer extension by Microsoft DevLabs
PreviousYAMLNextNASL (Nessus Plugins)

Last updated