CodeQL

Query your codebase for security vulnerabilities as if it were data.

By GitHub
CodeQL is a code analysis engine developed by GitHub that treats compiled source code as a queryable database, allowing developers and security teams to write declarative queries to find vulnerabilities, logic errors, and insecure data flows. It supports C/C++, Java, JavaScript, Python, Go, and Ruby, and integrates directly into GitHub Actions for automated scanning on every pull request. Security engineers, DevSecOps teams, and enterprise development organisations use CodeQL to shift vulnerability detection earlier in the SDLC, catching issues before they reach production.
Vendor: GitHub

Features

Declarative query language: SQL-like syntax for writing custom vulnerability detection logic

Multi-language support: C/C++, Java, JavaScript, Python, Go, and Ruby

Pre-built query library: covers SQL injection, XSS, buffer overflows, and common CVE patterns

Data flow analysis: trace how untrusted input propagates to vulnerable sinks across the codebase

GitHub Actions integration: automated scanning on every pull request with inline annotations

CI/CD compatibility: works with Jenkins, CircleCI, and GitLab CI beyond GitHub

Extensible query library: write custom queries for codebase-specific security requirements

What is CodeQL?

CodeQL is a static analysis engine built by GitHub that compiles source code into a relational database and lets analysts write queries against it using a declarative language called QL. The approach differs from traditional pattern-matching linters: instead of matching syntax strings, QL queries express complex semantic properties of code, such as whether untrusted user input can reach a database query without sanitization.

This makes CodeQL particularly effective for finding vulnerability classes that require understanding data flow across a codebase, including injection flaws, path traversal, and insecure deserialization. It supports C/C++, Java, JavaScript, TypeScript, Python, Go, and Ruby. GitHub's own Security Lab uses CodeQL to audit open-source repositories at scale.

The QL Query Language

QL is a declarative, logic-based language designed specifically for code analysis. It resembles SQL in structure but operates on a database of code facts (type information, call graphs, data flow paths, control flow) rather than rows and columns. Queries are composable: you can define predicates expressing intermediate properties and chain them into more complex analyses.

GitHub ships a standard library of pre-built queries covering the OWASP Top 10 and many additional CWE patterns, which run as-is against most codebases. Teams can extend them with project-specific queries to detect API misuse, business logic errors, or security properties unique to their application, building a custom query suite over time.
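The query below is an added illustration of the points made above, written for this page rather than taken from GitHub's standard library: it uses the CodeQL Python library's shared taint-tracking module to ask the semantic question from the previous section, whether untrusted user input can reach a database query without passing through a sanitizer. The imports are the real `semmle.python.*` libraries; the query id, the `MyConfig`/`MyFlow` module names and the sanitizer function name `sanitize_sql` are assumptions chosen for the example.

```ql
/**
 * @name SQL query built from remote user input (added example)
 * @description Flags SQL executed with a string that taint-tracking
 *              shows is derived from an HTTP request parameter.
 * @kind path-problem
 * @problem.severity error
 * @id example/sql-injection-from-remote-source
 */

import python
// Shared data-flow / taint-tracking framework for Python.
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
// Models of web-framework inputs (Flask, Django, ...) as "remote" sources.
import semmle.python.dataflow.new.RemoteFlowSources
// Concepts such as SqlExecution model database-driver calls as sinks.
import semmle.python.Concepts

// A configuration is a predicate bundle: sources, sinks and barriers.
module MyConfig implements DataFlow::ConfigSig {
  // Source: any value the library models as coming from a remote client.
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Sink: the SQL-string argument of any modelled query-execution call.
  predicate isSink(DataFlow::Node sink) { sink = any(SqlExecution exec).getSql() }

  // Barrier: the result of a project-specific sanitizer stops the flow.
  // `sanitize_sql` is a hypothetical function name for this example.
  predicate isBarrier(DataFlow::Node node) {
    exists(Call c |
      c.getFunc().(Name).getId() = "sanitize_sql" and
      node.asExpr() = c
    )
  }
}

// Instantiate global taint tracking (propagates through string ops,
// concatenation, formatting, etc.) with the configuration above.
module MyFlow = TaintTracking::Global<MyConfig>;

// Needed so the result carries a full source-to-sink path.
import MyFlow::PathGraph

from MyFlow::PathNode source, MyFlow::PathNode sink
where MyFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "This SQL query depends on a $@ without sanitization.",
  source.getNode(), "user-provided value"
```

To run it against a project, build a database with `codeql database create <db-dir> --language=python` and then `codeql database analyze <db-dir> <path-to-query>.ql --format=sarif-latest --output=results.sarif`; the SARIF output is the same format the GitHub code-scanning upload consumes. The design point is that sources and sinks are supplied by library models of frameworks and drivers, so the custom part of the query is usually only the project-specific barrier (or an extra sink), which is how teams grow a codebase-specific suite without rewriting the flow analysis itself.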

CI/CD and GitHub Actions Integration

CodeQL integrates natively with GitHub Actions via the github/codeql-action action. A standard workflow runs a full database build and query scan on every pull request, posting findings as code review annotations directly in the GitHub UI. This puts security findings in front of developers at the point of review, before merge.

For organisations not on GitHub, CodeQL's CLI integrates into Jenkins, CircleCI, GitLab CI, and other pipeline tools by running database build and analysis steps as shell commands. Teams building a mature software engineering practice commonly add CodeQL as part of a broader DevSecOps toolchain alongside dependency scanning and container image analysis. Pairing it with AI-assisted code review agents can further reduce manual triage burden on security teams.

Security Use Cases for Engineering Teams

Shift-left vulnerability detection: Running CodeQL on every pull request surfaces security issues during code review rather than in penetration testing or production incidents, where remediation cost is significantly higher.

Open source security audits: Security researchers and maintainers use CodeQL to audit open-source dependencies and identify vulnerabilities across large repositories systematically.

Bug bounty research: Security researchers use CodeQL to search for zero-day vulnerabilities in high-value targets by writing queries that express known vulnerability patterns against newly acquired codebases.

Compliance-driven code review: Organisations in regulated industries, including FinTech, banking, and financial services, use CodeQL to generate defensible evidence of security review as part of audit and certification processes.

Licensing and GitHub Ecosystem

CodeQL is MIT-licensed, allowing free use, modification, and redistribution in commercial projects. The standard query libraries and CodeQL CLI are free for open-source analysis and within GitHub's code scanning feature. Commercial use on private repositories is available through GitHub Advanced Security.

GitHub actively maintains the engine, updates query packs with new vulnerability patterns, and publishes guidance through the GitHub Security Lab. Organisations adopting CodeQL can expect continued investment as it is GitHub's primary static analysis platform.