CodeQL

A query language for repositories of code

Setup

Follow the Getting Started documentation to install the precompiled binary:

On the releases page, you should download the "CodeQL Bundle" from any of the assets, likely codeql-bundle-linux64.tar.gz.

In case you need more queries for different languages not already included in the bundle, try downloading a precompiled pack of queries per language:

Example

$ codeql pack download codeql/python-queries

Creating a database

Create a database with the following command, inside the root folder of the project you are trying to analyze. <database> will be the output directory, and <language-identifier> is one of the supported languages that the project is written in.

$ codeql database create <database> --language=<language-identifier>

Example

$ codeql database create my-project --language=python

Tip: For some compiled languages like java, the autobuilder may not be able to build your source code to index it. You can choose for --build-mode=none to disable building the project and just look at the source files.

Analyzing a database

When you have created a database, use the analyze command to run queries on a database. <format> can be one of the possible multiple formats, like csv or sarif-latest.

$ codeql database analyze <database> --format=<format> --output <output-file>

Example

$ codeql database analyze my-project --format=sarif-latest --output my-project.sarif

You can view a CSV file with any spreadsheet program, but the most useful format is .sarif. To view the findings and locations in the code you can use the Sarif Viewer VSCode extension.

PreviousYAML NextNASL (Nessus Plugins)

Last updated 2 months ago