CodeQL

A query language for repositories of code

Setup

Follow the Getting Started documentation to install the precompiled binary:

Getting Started with installing the CodeQL CLI and some other useful tools

On the releases page, you should download the "CodeQL Bundle" from any of the assets, likely codeql-bundle-linux64.tar.gz.

If you need queries for languages not already included in the bundle, download a precompiled pack of queries for that language.

Creating a database

Create a CodeQL database from a repository to analyze later with queries

Create a database with the following command, inside the root folder of the project you are trying to analyze. <database> will be the output directory, and <language-identifier> is one of the supported languages that the project is written in.

Tip: For some compiled languages like java, the autobuilder may not be able to build your source code in order to index it. You can pass --build-mode=none to skip building the project and index only the source files.

Analyzing a database

Use queries to analyze a CodeQL database

When you have created a database, use the analyze command to run queries on it. <format> is one of the supported output formats, such as csv or sarif-latest.

You can view a CSV file with any spreadsheet program, but the most useful format is .sarif. To view the findings and their locations in the code you can use the Sarif Viewer VSCode extension.
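The two steps above (creating the database, then analyzing it) as one script. This is an added example, not part of the original page or the CodeQL project; it assumes the codeql binary from the bundle is on PATH, that you run it from the project root, and that the database directory, language and output file names are placeholders you adjust. The SARIF sample at the end is constructed here so the result counter can be exercised without running a real scan.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the `codeql` binary from
# the CodeQL bundle is on PATH and that you run it from the project root.
set -eu

# Print the `codeql database create` command line, one argument per line,
# without running it. Extra flags (e.g. --build-mode=none for compiled
# languages whose autobuild fails) are appended as given.
# Usage: create_db_cmd <database> <language-identifier> [extra flags...]
create_db_cmd() {
  db="$1"; lang="$2"; shift 2
  printf '%s\n' codeql database create "$db" "--language=$lang" \
    --source-root=. --overwrite "$@"
}

# Same for `codeql database analyze`; <format> is e.g. csv or sarif-latest.
# Usage: analyze_db_cmd <database> <format> <output-file> [query packs/suites...]
analyze_db_cmd() {
  db="$1"; fmt="$2"; out="$3"; shift 3
  printf '%s\n' codeql database analyze "$db" "--format=$fmt" "--output=$out" "$@"
}

# Run both steps for real. Returns 2 when codeql is not installed; under
# `set -e` call it as `scan_project ... || echo skipped` to keep going.
# Usage: scan_project <database> <language-identifier> <sarif-output> [create flags...]
scan_project() {
  db="$1"; lang="$2"; out="$3"; shift 3
  if ! command -v codeql >/dev/null 2>&1; then
    echo "codeql not found on PATH; skipping scan" >&2
    return 2
  fi
  codeql database create "$db" --language="$lang" --source-root=. --overwrite "$@"
  codeql database analyze "$db" --format=sarif-latest --output="$out"
}

# Count findings in a SARIF file: every entry in runs[].results[] carries a
# "ruleId" key, while the rule definitions under tool.driver.rules use "id",
# so counting "ruleId" occurrences gives the result count without needing jq.
sarif_result_count() {
  n=$(grep -o '"ruleId"' "$1" | grep -c .) || true
  echo "$n"
}

# Constructed SARIF sample (two findings) used to exercise the counter offline;
# the rule ids are illustrative, not output from a real scan.
SAMPLE_SARIF=$(mktemp)
cat >"$SAMPLE_SARIF" <<'EOF'
{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL",
 "rules":[{"id":"java/sql-injection"},{"id":"java/path-injection"}]}},
 "results":[
  {"ruleId":"java/sql-injection","level":"error","message":{"text":"constructed sample"}},
  {"ruleId":"java/path-injection","level":"warning","message":{"text":"constructed sample"}}
 ]}]}
EOF

# Dry run of the two commands for a Java project with autobuild disabled:
create_db_cmd ./codeql-db java --build-mode=none | tr '\n' ' '; echo
analyze_db_cmd ./codeql-db sarif-latest results.sarif | tr '\n' ' '; echo
echo "sample SARIF findings: $(sarif_result_count "$SAMPLE_SARIF")"
```

Run it as a dry run first to see the exact command lines, then call scan_project ./codeql-db java results.sarif --build-mode=none (or whichever language and flags apply) once codeql is installed; the resulting results.sarif opens in the SARIF Viewer extension mentioned above.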

Download SARIF Viewer extension by Microsoft DevLabs
