Running CodeQL queries
There are several options available for running one or more CodeQL queries on a codebase. The best option depends on what your aims are.
Work through a CodeQL tutorial
If you’re working through a CodeQL tutorial, the CodeQL extension for Visual Studio Code allows you to run the queries in the tutorial. Unless you want to run the query on a specific code base, it’s easiest to run queries on one of the many CodeQL databases that are available on GitHub. To get started, see “Installing CodeQL for Visual Studio Code”.
Develop a new CodeQL query
If you’re developing a new query, the CodeQL extension for Visual Studio Code allows you to run a query and compare the results with previous runs as you refine the query. The extension also provides autocomplete suggestions, syntax highlighting, and other features that make it easier to write and debug queries. To get started, see “Installing CodeQL for Visual Studio Code”.
When you’re ready to test the query on a wide range of codebases, you can choose from the pre-defined sets of CodeQL databases or define a custom group of codebases to run the query against. For more information, see “Running CodeQL queries at scale with multi-repository variant analysis”.
Run your query against a specific codebase
If the codebase that you want to run your query against doesn’t have a CodeQL database, you can create one using the CodeQL CLI. For more information, see “Setting up the CodeQL CLI” and “Preparing your code for CodeQL analysis”.
Once you have created a CodeQL database, you can make the database available to the CodeQL extension in Visual Studio Code, or run the query using the CodeQL CLI. For more information, see “Analyzing your code with CodeQL queries”.
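The two CLI steps described above (create a database for a checkout, then run queries against it), as an added shell example that is not part of the CodeQL documentation. It assumes the CodeQL CLI is installed and on PATH, that the standard query packs can be fetched or are already present, and that the language is an interpreted one (compiled languages need a build command or autobuild in addition). The paths `./src`, `./codeql-db` and `results.sarif` are placeholders chosen for the example; the suite names `code-scanning`, `security-extended` and `security-and-quality` are the standard suites shipped in the CodeQL query packs.

```shell
#!/bin/sh
# Added example, not from the CodeQL docs: build a CodeQL database for a local
# checkout and run one of the standard security suites against it, writing SARIF.
set -eu

# Build the "database create" command for an interpreted-language source tree.
#   $1 = source checkout, $2 = language (javascript, python, ruby, ...),
#   $3 = directory where the database is written
# The command is printed rather than run so it can be inspected or passed to eval.
create_db_cmd() {
  printf 'codeql database create %s --language=%s --source-root=%s --overwrite\n' \
    "$3" "$2" "$1"
}

# Build the "database analyze" command for a standard suite.
#   $1 = database directory, $2 = language,
#   $3 = suite: code-scanning | security-extended | security-and-quality,
#   $4 = SARIF output path
# The suite is addressed inside the language's query pack, e.g.
# codeql/javascript-queries:codeql-suites/javascript-security-extended.qls
analyze_cmd() {
  printf 'codeql database analyze %s codeql/%s-queries:codeql-suites/%s-%s.qls --format=sarif-latest --output=%s\n' \
    "$1" "$2" "$2" "$3" "$4"
}

# Run both steps for a checkout. Placeholder defaults are used when no
# arguments are given; every value can be overridden from the command line.
run_analysis() {
  src="${1:-./src}"
  lang="${2:-javascript}"
  suite="${3:-security-extended}"
  db="${4:-./codeql-db}"
  out="${5:-results.sarif}"

  create="$(create_db_cmd "$src" "$lang" "$db")"
  analyze="$(analyze_cmd "$db" "$lang" "$suite" "$out")"

  if command -v codeql >/dev/null 2>&1; then
    echo "+ $create";  eval "$create"
    echo "+ $analyze"; eval "$analyze"
    echo "SARIF results written to $out"
  else
    # Dry run: CodeQL CLI not on PATH, so only show what would be executed.
    echo "codeql not found on PATH; commands that would run:"
    echo "  $create"
    echo "  $analyze"
  fi
}

# Invoke as: sh run_codeql.sh ./src javascript security-extended ./codeql-db results.sarif
run_analysis "$@"
```

The `--overwrite` flag makes the script safe to re-run on the same output directory, and `sarif-latest` is the format the GitHub code scanning upload expects, so the same `results.sarif` can be uploaded from an existing CI system as described in the last section.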
Run the standard CodeQL queries
The easiest way to run the standard CodeQL queries on a repository hosted on the GitHub platform is to enable code scanning with CodeQL (this requires GitHub Actions to be enabled). When you enable default setup, you can choose from a default set of security queries or an extended set of security queries. Any results are shown as code scanning alerts on the Security tab of the repository. For more information, see “Configuring default setup for code scanning”.
If you want to run the standard CodeQL queries on a repository where GitHub Actions are disabled, you can use the CodeQL CLI in your existing CI system. For more information, see “Using code scanning with your existing CI system”.