GitHub CodeQL

Category: SAST
License: Free for open-source, Commercial for private repos
Suphi Cankurt
+8 Years in AppSec
Updated May 19, 2026
4 min read
Key Takeaways
  • CodeQL treats code as queryable data, building semantic databases from 12 languages including Java, Python, JavaScript, Go, C/C++, Ruby, Swift, Kotlin, and Rust.
  • Free for open-source repositories on GitHub, with security alerts surfacing directly in pull requests via GitHub Advanced Security.
  • Custom queries use a declarative QL language to find project-specific vulnerability patterns beyond the built-in query packs.
  • Native GitHub integration means CodeQL runs automatically in Actions workflows with zero external tool configuration.
Latest Updates
  • CodeQL 2.25.4: replaces the C# control flow graph with a one-to-one AST mapping (a breaking change for custom queries) and adds JavaScript/TypeScript support for @vercel/node serverless handlers, so the reflected XSS, SSRF, SQL injection and command injection queries detect Vercel…
  • CodeQL 2.25.3: analysis updates shipped as part of the regular biweekly release cadence.
  • CodeQL 2.25.0: rewrites the Java/Kotlin CFG (a breaking change for custom queries), upgrades Jackson to 2.18.6 to address the GHSA-72hv-8253-57qq denial-of-service advisory, and raises the default suite to 491 security queries across 166 CWEs.

GitHub CodeQL is a semantic code analysis engine that treats code as queryable data. It is a SAST tool that builds a database representation of your codebase, enabling queries that track data flow across functions, files, and modules.

Natively integrated into GitHub Advanced Security, CodeQL powers code scanning for millions of repositories.

According to GitHub’s Octoverse reports, code scanning has identified and helped fix millions of vulnerabilities across public repositories since CodeQL’s launch. It is free for public repositories on GitHub.

What is CodeQL?

CodeQL works differently from pattern-matching SAST tools.

Rather than searching for text patterns, CodeQL compiles source code into a relational database that captures the semantic structure: variables, functions, control flow, data flow, and type information.

Security researchers write queries in the CodeQL query language (QL) by describing the characteristics of insecure code. QL is a declarative, object-oriented logic language in the Datalog family: its from/where/select clauses look like SQL, but predicates are relations that can be recursive, and classes describe sets of database entities (calls, expressions, data-flow nodes) rather than records.

For example, CodeQL can trace user input from an HTTP request through multiple transformation functions to a SQL query, identifying injection vulnerabilities that pattern-based tools miss.

12 Languages
Supports C, C++, C#, Go, Java, Kotlin, JavaScript, TypeScript, Python, Ruby, Swift, and Rust. Each language has a dedicated extractor that builds the database: interpreted languages are extracted straight from source, while compiled languages have traditionally been extracted by tracing a real build, with several of them now also offering a build-mode: none option that skips the build at some cost in completeness.
Semantic Queries
Queries describe vulnerability characteristics rather than matching text patterns. The database captures ASTs, control flow graphs, data flow graphs, type hierarchies, and call graphs.
GitHub Native
Runs automatically through GitHub Actions on push and pull request events. Results appear as inline annotations and security alerts in pull requests.
GitHub security campaigns dashboard showing alert remediation progress across repositories

What are GitHub CodeQL’s key features?

Data flow and taint tracking

The taint tracking engine follows potentially dangerous data through your codebase.

Starting from sources (user input, file reads, network data) and ending at sinks (database queries, command execution, file writes), CodeQL reports paths where untrusted data reaches a sensitive operation without passing through a recognised sanitizer (a barrier, in QL terms). The tracking is interprocedural, so source and sink can sit in different functions, files, or modules.
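One way to express the source-to-sink search described above, as an added example written for this page rather than a query from GitHub's standard python-queries pack: it reuses the Python library's modelled remote-input sources and SQL-execution sinks, and treats the return value of a project helper named quote_identifier as a sanitizer. That helper name is an assumption for the example; nothing in the standard library knows about it.

```ql
/**
 * @name Remote input flows into a SQL execution (added example)
 * @description Tracks data from any modelled HTTP/network source to the SQL
 *              string of a modelled database execution call, stopping at a
 *              hypothetical project sanitizer named `quote_identifier`.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 8.8
 * @precision high
 * @id py/example/remote-input-to-sql
 * @tags security external/cwe/cwe-089
 */

import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.Concepts

/** Flow configuration: the sources, sinks and barriers the taint engine will use. */
module SqlFlowConfig implements DataFlow::ConfigSig {
  /** Sources: everything the Python library models as remote user input (Flask, Django, ...). */
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  /** Sinks: the SQL-string argument of any modelled execution API (DB-API cursors, SQLAlchemy, ...). */
  predicate isSink(DataFlow::Node sink) { sink = any(SqlExecution exec).getSql() }

  /**
   * Barriers: the result of a call to `quote_identifier` (a hypothetical project
   * helper, assumed for this example) is treated as clean, so taint stops there.
   */
  predicate isBarrier(DataFlow::Node node) {
    exists(Expr callee | callee = node.(DataFlow::CallCfgNode).getFunction().asExpr() |
      callee.(Name).getId() = "quote_identifier" or
      callee.(Attribute).getName() = "quote_identifier"
    )
  }
}

/** Instantiate global (interprocedural) taint tracking with the configuration above. */
module SqlFlow = TaintTracking::Global<SqlFlowConfig>;

/** Exposes the path edges so code scanning can render the "Show paths" trace. */
import SqlFlow::PathGraph

from SqlFlow::PathNode source, SqlFlow::PathNode sink
where SqlFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "This SQL query is built from a $@ without sanitization.", source.getNode(),
  "user-provided value"
```

Save it in a query pack whose qlpack.yml depends on codeql/python-all and run it with `codeql database analyze <db> path/to/query.ql --format=sarif-latest --output=results.sarif`. The `@kind path-problem` metadata together with the PathGraph import is what makes the resulting alert carry a step-by-step path rather than a single location; drop either and you get a plain alert with no trace.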

GitHub code scanning alert showing a SQL injection vulnerability in Go: database query built from user-controlled sources, with CodeQL rule ID go/sql-injection and Show paths taint tracking

Custom query development

Security teams can write custom CodeQL queries for organization-specific requirements:

  • Detecting use of banned functions or deprecated APIs
  • Enforcing authentication checks on sensitive endpoints
  • Finding missing input validation patterns
  • Identifying violations of internal security standards
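The first bullet, a banned-API check, is the usual starting point for a custom query because it needs no data-flow configuration. The query below is an added example for this page, not one shipped with CodeQL; the ban list and its reasons are assumptions standing in for an organisation's own policy. It resolves names through the API graph so that `import pickle; pickle.loads(...)`, `from pickle import loads` and aliased imports are all caught.

```ql
/**
 * @name Call to an API banned by project policy (added example)
 * @description Flags calls to a short list of APIs that a hypothetical
 *              organisation has banned, resolved through the API graph so
 *              that aliased imports and `from x import y` forms are caught.
 * @kind problem
 * @problem.severity warning
 * @precision high
 * @id py/example/banned-api-call
 * @tags security maintainability
 */

import python
import semmle.python.ApiGraphs

/**
 * The ban list as `module.member` plus the reason shown in the alert.
 * These entries are assumptions for the example, not a CodeQL-shipped list.
 */
predicate bannedApi(string qualifiedName, string reason) {
  qualifiedName = "pickle.loads" and reason = "deserialises untrusted bytes into arbitrary objects"
  or
  qualifiedName = "yaml.load" and reason = "policy requires yaml.safe_load"
  or
  qualifiedName = "subprocess.getoutput" and reason = "always runs its argument through a shell"
}

/** Resolves a two-part dotted name such as `pickle.loads` to its API-graph node. */
API::Node bannedApiNode(string qualifiedName) {
  bannedApi(qualifiedName, _) and
  result = API::moduleImport(qualifiedName.splitAt(".", 0))
             .getMember(qualifiedName.splitAt(".", 1))
}

from API::CallNode call, string qualifiedName, string reason
where
  bannedApi(qualifiedName, reason) and
  call = bannedApiNode(qualifiedName).getACall()
select call, "Call to banned API " + qualifiedName + ": " + reason + "."
```

Because the match goes through the API graph rather than the call's spelled-out name, a local alias such as `import pickle as p` does not evade it, which is the main thing a text-pattern rule for the same policy would get wrong.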

GitHub integration

GitHub CodeQL detecting a high-severity cross-site scripting vulnerability with Copilot Autofix suggestion

On GitHub repositories, CodeQL runs automatically through GitHub Actions. Results appear directly in pull requests as security alerts.

The integration includes automatic analysis on push and PR events, inline annotations showing vulnerability locations, suggested fixes, and security overview dashboards for organizations.

GitHub code scanning autofix showing AI-generated remediation for a security vulnerability

Note: CodeQL ships three built-in query suites per language. The default suite, which code scanning runs unless told otherwise, holds the high-precision security queries. security-extended adds lower-precision and lower-severity security queries. security-and-quality is security-extended plus code-quality queries. The larger suites catch more at the cost of a higher false-positive rate: useful for a thorough audit, noisy for day-to-day CI.

How do I get started with GitHub CodeQL?

1
Enable code scanning β€” In your GitHub repository, go to Settings > Code security and analysis > Code scanning, or add a .github/workflows/codeql.yml workflow file.
2
Configure languages β€” Specify which languages to analyze in the workflow matrix. CodeQL auto-detects languages but you can override this.
3
Review findings β€” Security alerts appear in the Security tab and as inline annotations on pull requests. Each finding includes the vulnerability type, data flow path, and remediation guidance.
4
Write custom queries β€” Install the CodeQL CLI locally, create a database with codeql database create, and develop queries using the VS Code CodeQL extension.

CodeQL pricing

CodeQL has a split licensing model. The CodeQL CLI and standard query packs are free for open-source analysis on public repositories and for academic research, under the CodeQL Terms and Conditions. Public-repo code scanning on GitHub.com is also free.

For private repositories on GitHub, CodeQL ships as part of GitHub Advanced Security (GHAS), licensed per active committer and sold with GitHub Enterprise plans. GHAS bundles code scanning, secret scanning, and dependency review. Since April 2025 GitHub has also sold code scanning on its own as GitHub Code Security (with secret scanning split out as GitHub Secret Protection), including on Team plans. This page does not list per-committer prices; check github.com/pricing for current GHAS and Code Security pricing and seat-based commercial terms.

When to use CodeQL

CodeQL is the natural choice for teams already on GitHub that want deep semantic analysis without additional vendor relationships.

The interprocedural data flow analysis catches injection-class bugs (SQL, command, path traversal, XSS, SSRF) whose source and sink live in different functions or files, which pattern-based tools miss. Authentication and authorization logic flaws are harder to express generically; expect to write custom queries for those rather than rely on the standard packs.

The query language has a learning curve, though the standard query packs cover most common vulnerability types.

CodeQL alternatives

For teams comparing query-based SAST options, the closest substitutes for CodeQL are:

  • Semgrep β€” rule-driven SAST with a public ruleset and YAML-based rule syntax; preferred when teams want a lower learning curve than CodeQL’s QL language and need cross-language consistency.
  • Snyk Code β€” developer-first SAST built on a symbolic-AI engine; chosen when the rest of Snyk’s product family (SCA, container, IaC) is already in use.
  • Checkmarx One β€” enterprise SAST with deep policy and governance features; a fit when compliance reporting and SLAs matter more than raw query power.
  • Veracode Static Analysis: binary-analysis SAST with a strong enterprise compliance posture; usually picked when compiled artifacts must be scanned without access to source.
  • SonarQube β€” multi-language quality and security platform; chosen when quality gates and code review integration matter more than security depth.

For a feature-by-feature view, the Semgrep vs CodeQL guide and the SAST tools hub cover the full landscape.

Note: CodeQL code scanning replaces LGTM.com, which GitHub shut down in 2022 after folding its functionality into code scanning.

Frequently Asked Questions

What is GitHub CodeQL and how does it find vulnerabilities?
CodeQL is a semantic code analysis engine built by GitHub that treats your source code as a queryable database. It compiles code into a relational database capturing variables, functions, control flow, data flow, and type information. You write or use pre-built queries to search for vulnerability patterns.
Is GitHub CodeQL free?
CodeQL is free for public repositories on GitHub. For private repositories it requires a GitHub Advanced Security (GHAS) license, available on GitHub Enterprise plans, or the standalone GitHub Code Security product, both priced per active committer.
What languages does CodeQL support?
CodeQL supports C, C++, C#, Go, Java, Kotlin, JavaScript, TypeScript, Python, Ruby, Swift, and Rust. The most common setup is through GitHub Actions using the official CodeQL workflow.
How does CodeQL compare to Semgrep?
CodeQL’s database-backed approach gives deeper, cross-file dataflow analysis than Semgrep’s pattern-matching model (Semgrep’s open-source engine analyses one file at a time; cross-file taint is a paid Pro feature), but Semgrep is faster to run and its YAML rules are easier to write. Both ship code-quality rules alongside security ones; CodeQL’s quality queries live in its security-and-quality suite.