GitHub CodeQL

Category: SAST
License: Free for open-source, Commercial for private repos
Suphi Cankurt
AppSec Enthusiast
Updated February 6, 2026
Key Takeaways
  • CodeQL treats code as queryable data, building semantic databases from 12 languages including Java, Python, JavaScript, Go, C/C++, Ruby, Swift, Kotlin, and Rust.
  • Free for open-source repositories on GitHub, with security alerts surfacing directly in pull requests via GitHub Advanced Security.
  • Custom queries use a declarative QL language to find project-specific vulnerability patterns beyond the built-in query packs.
  • Native GitHub integration means CodeQL runs automatically in Actions workflows with zero external tool configuration.

GitHub CodeQL is a semantic code analysis engine that treats code as queryable data. It is a SAST tool that builds a database representation of your codebase, enabling queries that track data flow across functions, files, and modules.

Natively integrated into GitHub Advanced Security, CodeQL powers code scanning for millions of repositories. According to GitHub’s Octoverse reports, code scanning has identified and helped fix millions of vulnerabilities across public repositories since CodeQL’s launch. It is free for public repositories on GitHub.

What is CodeQL?

CodeQL works differently from pattern-matching SAST tools. Rather than searching for text patterns, CodeQL compiles source code into a relational database that captures the semantic structure: variables, functions, control flow, data flow, and type information.

Security researchers write queries in the CodeQL query language to find vulnerabilities by describing the characteristics of insecure code. The query language resembles SQL with object-oriented extensions. For example, CodeQL can trace user input from an HTTP request through multiple transformation functions to a SQL query, identifying injection vulnerabilities that pattern-based tools miss.

12 Languages
Supports C, C++, C#, Go, Java, Kotlin, JavaScript, TypeScript, Python, Ruby, Swift, and Rust. Each language has a dedicated extractor that builds the database.
Semantic Queries
Queries describe vulnerability characteristics rather than matching text patterns. The database captures ASTs, control flow graphs, data flow graphs, type hierarchies, and call graphs.
GitHub Native
Runs automatically through GitHub Actions on push and pull request events. Results appear as inline annotations and security alerts in pull requests.

GitHub security campaigns dashboard showing alert remediation progress across repositories

Key features

Data flow and taint tracking

The taint tracking engine follows potentially dangerous data through your codebase. Starting from sources (user input, file reads, network data) and ending at sinks (database queries, command execution, file writes), CodeQL identifies paths where untrusted data reaches sensitive operations without sanitization.

Custom query development

Security teams can write custom CodeQL queries for organization-specific requirements:

  • Detecting use of banned functions or deprecated APIs
  • Enforcing authentication checks on sensitive endpoints
  • Finding missing input validation patterns
  • Identifying violations of internal security standards
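The taint-tracking model described above, written as a custom query, as an added example that is not part of the original article or of the CodeQL standard packs. It assumes a Python codebase, treats the library-modelled remote request data as sources and the command argument of shell-execution calls as sinks, and uses a hypothetical query id under `example-org`:

```ql
/**
 * @name Remote input reaches a system command
 * @description Flags OS command strings built from HTTP request data that
 *              do not pass through a recognised sanitizer.
 * @kind path-problem
 * @problem.severity error
 * @precision high
 * @id example-org/remote-input-to-command
 * @tags security
 */

import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.ApiGraphs
import semmle.python.Concepts

// Sources: anything the standard library models as remote user input
// (request parameters, headers, bodies from the supported web frameworks).
// Sinks: the command argument of os.system, subprocess.* and similar calls,
// as captured by the SystemCommandExecution concept.
module RemoteToCommandConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  predicate isSink(DataFlow::Node sink) {
    sink = any(SystemCommandExecution exec).getCommand()
  }

  // Barrier: a value returned by shlex.quote(...) is no longer tainted,
  // so flows that are properly quoted are not reported.
  predicate isBarrier(DataFlow::Node node) {
    node = API::moduleImport("shlex").getMember("quote").getACall()
  }
}

module RemoteToCommandFlow = TaintTracking::Global<RemoteToCommandConfig>;

import RemoteToCommandFlow::PathGraph

from RemoteToCommandFlow::PathNode source, RemoteToCommandFlow::PathNode sink
where RemoteToCommandFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "This command depends on a $@.", source.getNode(), "user-provided value"
```

Because the query is declared `@kind path-problem`, each alert carries the full source-to-sink path, which is what the pull request annotations render as the data flow view.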

GitHub integration

GitHub CodeQL detecting a high-severity cross-site scripting vulnerability with Copilot Autofix suggestion

On GitHub repositories, CodeQL runs automatically through GitHub Actions. Results appear directly in pull requests as security alerts. The integration includes automatic analysis on push and PR events, inline annotations showing vulnerability locations, suggested fixes, and security overview dashboards for organizations.

GitHub code scanning autofix showing AI-generated remediation for a security vulnerability

Query packs
CodeQL ships with standard query packs covering common vulnerability types. The security-and-quality suite covers both security vulnerabilities and code quality issues. The security-extended suite adds further security queries beyond the default set. Custom query packs can be published and shared across organizations.

Getting started

1. Enable code scanning: In your GitHub repository, go to Settings > Code security and analysis > Code scanning, or add a .github/workflows/codeql.yml workflow file.
2. Configure languages: Specify which languages to analyze in the workflow matrix. CodeQL auto-detects languages, but you can override this.
3. Review findings: Security alerts appear in the Security tab and as inline annotations on pull requests. Each finding includes the vulnerability type, data flow path, and remediation guidance.
4. Write custom queries: Install the CodeQL CLI locally, create a database with codeql database create, and develop queries using the VS Code CodeQL extension.

When to use CodeQL

CodeQL is the natural choice for teams already on GitHub that want deep semantic analysis without additional vendor relationships. The data flow analysis catches injection vulnerabilities, authentication bypasses, and security logic flaws that pattern-based tools miss.

The query language has a learning curve, though the standard query packs cover most common vulnerability types. Teams not on GitHub can still use CodeQL through the CLI, but lose the native pull request integration.

For faster custom rule development or broader language support, consider Semgrep. For enterprise features and commercial support, Checkmarx or Veracode may be more appropriate. Our Semgrep vs CodeQL guide compares these two popular open-source options in depth.

Best for
GitHub-hosted teams that want deep semantic security analysis with native pull request integration, especially for open-source projects where CodeQL is free.

Note: Replaces LGTM.com, which was deprecated and merged into CodeQL.

Frequently Asked Questions

What is GitHub CodeQL and how does it find vulnerabilities?
CodeQL is a semantic code analysis engine built by GitHub that treats your source code as a queryable database. It compiles code into a relational database capturing variables, functions, control flow, data flow, and type information. You write or use pre-built queries to search for vulnerability patterns.
Is GitHub CodeQL free?
CodeQL is free for public repositories on GitHub. For private repositories, it requires a GitHub Advanced Security (GHAS) license, which is available on GitHub Enterprise plans.
What languages does CodeQL support?
CodeQL supports C, C++, C#, Go, Java, Kotlin, JavaScript, TypeScript, Python, Ruby, Swift, and Rust. The most common setup is through GitHub Actions using the official CodeQL workflow.
How does CodeQL compare to Semgrep?
CodeQL’s database-backed approach allows for deeper dataflow analysis than Semgrep’s pattern-matching model, but Semgrep is faster to run and easier to write custom rules for. CodeQL is focused on finding security vulnerabilities, while Semgrep also covers code quality patterns.