codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security

7,496

1,490

7,496

1,139

View on GitHub

Top Related Projects

ApplicationInspector

4,202

A source code analyzer built for surfacing features of interest and other characteristics to answer the question 'What's in the code?' quickly using static analysis with a json based rules engine. Ideal for scanning components before use or detecting feature level changes.

semgrep

10,341

Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

infer

14,889

A static analyzer for Java, C, C++, and Objective-C

osv-scanner

6,107

Vulnerability scanner written in Go which uses the data provided by https://osv.dev

Quick Overview

CodeQL is an advanced code analysis engine developed by GitHub. It allows developers to query codebases as if they were data, enabling the discovery of vulnerabilities and bugs in software. CodeQL supports multiple programming languages and can be integrated into various development workflows.

Pros

Powerful and flexible code analysis capabilities
Supports multiple programming languages (e.g., C/C++, C#, Go, Java, JavaScript/TypeScript, Python, Ruby)
Integrates well with GitHub Actions and other CI/CD pipelines
Extensive library of pre-built queries for common security issues

Cons

Steep learning curve for creating custom queries
Resource-intensive for large codebases
Limited support for some less common programming languages
Requires significant setup and configuration for optimal use

Code Examples

Creating a simple CodeQL query to find hardcoded passwords:

import javascript

from StringLiteral password
where password.getValue().regexpMatch("(?i).*password.*")
select password, "Possible hardcoded password"

Identifying SQL injection vulnerabilities in Java:

import java
import semmle.code.java.security.SqlInjectionQuery

from SqlInjectionSink sink
select sink, "Potential SQL injection vulnerability"

Finding unused variables in Python:

import python

from Variable v
where not exists(NameNode n | n.uses(v))
select v, "Unused variable"

Getting Started

To start using CodeQL:

Install the CodeQL CLI from the GitHub releases page.

Create a CodeQL database for your project:

codeql database create <database-name> --language=<language>

Run a query against the database:

codeql query run <path-to-query> --database=<database-name>

Analyze the results and integrate CodeQL into your CI/CD pipeline for continuous code analysis.

For more detailed instructions, refer to the official CodeQL documentation on GitHub.

Competitor Comparisons

ApplicationInspector

4,202

Pros of ApplicationInspector

Lightweight and easy to use, with a focus on rapid analysis
Provides a comprehensive HTML report with visualizations
Supports multiple programming languages out of the box

Cons of ApplicationInspector

Less extensive query language compared to CodeQL
Limited to pattern-based analysis, potentially missing complex vulnerabilities
Smaller community and ecosystem of pre-built queries

Code Comparison

ApplicationInspector uses simple JSON-based rules:

{
  "name": "Hardcoded Password",
  "id": "AI000100",
  "description": "Detects hardcoded passwords",
  "tags": ["Security", "Credential"],
  "severity": "Critical",
  "patterns": [
    {
      "pattern": "password\\s*=\\s*[\"']\\w+[\"']",
      "type": "regex"
    }
  ]
}

CodeQL uses a custom query language:

import csharp

from Variable var, StringLiteral literal
where var.getName().toLowerCase().matches("%password%")
  and literal = var.getInitializer()
select var, "Possible hardcoded password."

Both tools aim to detect security issues, but CodeQL offers more sophisticated analysis capabilities at the cost of a steeper learning curve.

semgrep

10,341

Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

Pros of Semgrep

Easier to learn and use, with a simpler syntax for writing rules
Faster analysis, especially for large codebases
More language support, including non-traditional languages like Terraform and Dockerfile

Cons of Semgrep

Less powerful and flexible than CodeQL's query language
Limited support for inter-procedural and data flow analysis
Smaller ecosystem and community compared to CodeQL

Code Comparison

Semgrep rule example:

rules:
  - id: unsafe-deserialization
    pattern: pickle.loads($X)
    message: Unsafe deserialization detected
    severity: WARNING
    languages: [python]

CodeQL query example:

import python

from Call call
where call.getFunc().getName() = "loads"
  and call.getFunc().getScope().(ImportExpr).getName() = "pickle"
select call, "Unsafe deserialization detected"

Both examples detect unsafe deserialization in Python, but CodeQL's query language offers more flexibility and power for complex analyses. Semgrep's rule is more concise and easier to write for simple patterns.

infer

14,889

A static analyzer for Java, C, C++, and Objective-C

Pros of Infer

Supports multiple languages including Java, C/C++, and Objective-C
Focuses on specific bug classes like null pointer dereferences and memory leaks
Integrates well with build systems and CI/CD pipelines

Cons of Infer

Limited query customization compared to CodeQL's extensive query language
Smaller community and ecosystem than CodeQL
Less comprehensive coverage of security vulnerabilities

Code Comparison

Infer example (Java):

@Nullable
public String getName() {
    return this.name;
}

public void printName() {
    System.out.println(getName().toLowerCase()); // Potential null pointer dereference
}

CodeQL example (Java):

import java

from MethodAccess call, Method method
where
  call.getMethod() = method and
  method.hasName("getName") and
  method.getReturnType() instanceof TypeString and
  not exists(ConditionialExpr cond | cond.getThen() = call or cond.getElse() = call)
select call, "Potential null pointer dereference when calling getName()"

Both tools can detect potential null pointer dereferences, but CodeQL offers more flexibility in defining custom queries for specific vulnerability patterns.

osv-scanner

6,107

Vulnerability scanner written in Go which uses the data provided by https://osv.dev

Pros of osv-scanner

Lightweight and focused specifically on vulnerability scanning
Faster execution for quick security checks
Supports multiple package ecosystems (npm, PyPI, Go, etc.)

Cons of osv-scanner

Limited to known vulnerabilities in the OSV database
Lacks advanced code analysis capabilities
Does not support custom query development

Code Comparison

osv-scanner:

osv-scanner /path/to/project

CodeQL:

codeql database create mydb --language=javascript
codeql database analyze mydb javascript-security-and-quality.qls

Summary

osv-scanner is a lightweight tool focused on quickly identifying known vulnerabilities in project dependencies across multiple ecosystems. It's easy to use and provides fast results, making it suitable for rapid security checks.

CodeQL, on the other hand, is a more comprehensive static analysis tool that allows for deep code analysis and custom query development. It offers advanced capabilities for identifying complex security issues and code quality problems but requires more setup and execution time.

While osv-scanner is limited to known vulnerabilities, CodeQL can potentially uncover novel security issues through its advanced analysis capabilities. However, this comes at the cost of increased complexity and longer execution times.

Choose osv-scanner for quick vulnerability checks across multiple package ecosystems, and opt for CodeQL when in-depth code analysis and custom query development are required.

Convert designs to code with AI

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

CodeQL

This open source repository contains the standard CodeQL libraries and queries that power GitHub Advanced Security and the other application security products that GitHub makes available to its customers worldwide.

How do I learn CodeQL and run queries?

There is extensive documentation about the CodeQL language, writing CodeQL using the CodeQL extension for Visual Studio Code and using the CodeQL CLI.

Contributing

We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our contributing guidelines. You can also consult our style guides to learn how to format your code for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.

For information on contributing to CodeQL documentation, see the "contributing guide" for docs.

License

The code in this repository is licensed under the MIT License by GitHub.

The CodeQL CLI (including the CodeQL engine) is hosted in a different repository and is licensed separately. If you'd like to use the CodeQL CLI to analyze closed-source code, you will need a separate commercial license; please contact us for further help.

Visual Studio Code integration

If you use Visual Studio Code to work in this repository, there are a few integration features to make development easier.

CodeQL for Visual Studio Code

You can install the CodeQL for Visual Studio Code extension to get syntax highlighting, IntelliSense, and code navigation for the QL language, as well as unit test support for testing CodeQL libraries and queries.

Tasks

The .vscode/tasks.json file defines custom tasks specific to working in this repository. To invoke one of these tasks, select the Terminal | Run Task... menu option, and then select the desired task from the dropdown. You can also invoke the Tasks: Run Task command from the command palette.

Top Related Projects

Convert designs to code with AI

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot