CodeQL
A query language for repositories of code
Setup
Follow the Getting Started documentation to install the precompiled binary:
On the releases page, download the "CodeQL Bundle" from the assets, most likely codeql-bundle-linux64.tar.gz.
In case you need more queries for different languages not already included in the bundle, try downloading a precompiled pack of queries per language:
codeql pack download codeql/python-queries
Creating a database
Create a database with the following command, run inside the root folder of the project you want to analyze. <database> will be the output directory, and <language-identifier> is the supported language the project is written in.
codeql database create <database> --language=<language-identifier>
codeql database create .codeql --language=python
Analyzing a database
Once the database exists, use the analyze command to run queries against it. <format> is one of several supported output formats, such as csv or sarif-latest.
codeql database analyze <database> --format=<format> --output <output-file>
codeql database analyze .codeql --format=sarif-latest --output codeql.sarif
You can view a CSV file with any spreadsheet program, but the most useful format is .sarif. To view the findings and their locations in the code, you can use the Sarif Viewer VSCode extension.
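If you prefer to process the SARIF file outside an editor, for example to fail a CI job on high-severity results, the script below flattens the results[] entries into one finding per location and filters on the security-severity score that CodeQL attaches to security queries. It is an added example, not part of the original page or the CodeQL project; the embedded SARIF document, its rule ids, paths and messages are constructed for illustration.

```python
import json
# Constructed minimal SARIF 2.1.0 document in the shape `codeql database analyze
# --format=sarif-latest` writes; rule ids, paths, lines and messages are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "py/example-injection", "defaultConfiguration": {"level": "error"},
             "properties": {"security-severity": "9.8"}},
            {"id": "py/example-unused-import", "defaultConfiguration": {"level": "note"},
             "properties": {}},
        ]}},
        "results": [
            {"ruleId": "py/example-injection",
             "message": {"text": "Query built from user input."},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/example-unused-import",
             "message": {"text": "Import of 'os' is not used."},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/main.py"},
                                                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten a SARIF document into one dict per (result, location) pair."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        # Rule metadata lives under tool.driver.rules; each result references it by ruleId.
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            # Level: the result's own level if set, otherwise the rule's default configuration.
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            # CodeQL security queries carry a CVSS-style score in properties; other queries have none.
            sev = float(rule.get("properties", {}).get("security-severity", 0))
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                findings.append({"rule": res.get("ruleId"), "level": level, "severity": sev,
                                 "file": phys.get("artifactLocation", {}).get("uri"),
                                 "line": phys.get("region", {}).get("startLine"),
                                 "message": res.get("message", {}).get("text", "")})
    return findings


def findings_at_least(sarif_text, min_severity):
    """Findings with security-severity >= min_severity, most severe first (a simple CI gate)."""
    hits = [f for f in load_findings(sarif_text) if f["severity"] >= min_severity]
    return sorted(hits, key=lambda f: -f["severity"])
```

Read the real codeql.sarif with open() in place of SAMPLE_SARIF and exit non-zero when findings_at_least() returns anything to turn this into a pipeline gate.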