CodeQL

A query language for repositories of code

Setup

Follow the Getting Started documentation to install the precompiled binary:

Also, try downloading a precompiled pack of queries with common security issues:

Example

$ codeql pack download codeql/python-queries

Creating a database

Create a database with the following command, inside the root folder of the project you are trying to analyze. <database> will be the output directory, and <language-identifier> is one of the supported languages that the project is written in.

$ codeql database create <database> --language=<language-identifier>

Example

$ codeql database create my-project --language=python

Analyzing a database

When you have created a database, use the analyze command to run queries on a database. <format> can be one of the possible multiple formats, like csv or sarif-latest.

$ codeql database analyze <database> --format=<format> --output <output-file>

Example

$ codeql database analyze my-project --format=sarif-latest --output my-project.sarif

You can view a CSV file with any spreadsheet program, but the most useful format is .sarif. To view the findings and locations in the code you can use the Sarif Viewer VSCode extension.

PreviousYAML NextNASL (Nessus Plugins)

Last updated 1 year ago