Free, Pro, & Team
English
 
Code security
  • Get started
  • Account and profile
  • Authentication
  • Repositories
  • GitHub
  • Enterprise administrators
  • Billing and payments
  • Organizations
  • Code security
  • Pull requests
  • GitHub Issues
  • GitHub Actions
  • GitHub Codespaces
  • GitHub Packages
  • Search on GitHub
  • Developers
  • REST API
  • GraphQL API
  • GitHub CLI
  • GitHub Discussions
  • GitHub Sponsors
  • Building communities
  • GitHub Pages
  • Education
  • GitHub Desktop
  • Atom
  • Electron
  • CodeQL
  • npm
    • Free, Pro, & Team
  • Free, Pro, & Team
  • Enterprise Cloud
  • Enterprise Server 3.3
  • Enterprise Server 3.2
  • Enterprise Server 3.1
  • Enterprise Server 3.0
  • GitHub AE
  • All Enterprise releases
    • English
  • English
  • 简体中文 (Simplified Chinese)
  • 日本語 (Japanese)
  • Español (Spanish)
  • Português do Brasil (Portuguese)

    •  

    About CodeQL code scanning in your CI system

    In this article

    You can analyze your code with CodeQL in a third-party continuous integration system and upload the results to GitHub.com. The resulting code scanning alerts are shown alongside any alerts generated within GitHub.

    Code scanning is available for all public repositories, and for private repositories owned by organizations where GitHub Advanced Security is enabled. For more information, see "About GitHub Advanced Security."

    About CodeQL code scanning in your CI system

    Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub. For information, see "About code scanning with CodeQL."

    You can run CodeQL code scanning within GitHub using GitHub Actions. Alternatively, if you use a third-party continuous integration or continuous delivery/deployment (CI/CD) system, you can run CodeQL analysis in your existing system and upload the results to GitHub.com.

    You add the CodeQL CLI to your third-party system, then call the tool to analyze code and upload the SARIF results to GitHub. The resulting code scanning alerts are shown alongside any alerts generated within GitHub. For more information, see "About CodeQL code scanning in your CI system."

    Note: Uploading SARIF data to display as code scanning results in GitHub is supported for organization-owned repositories with GitHub Advanced Security enabled, and public repositories on GitHub.com. For more information, see "Managing security and analysis settings for your repository."

    About the CodeQL CLI

    The CodeQL CLI is a standalone product that you can use to analyze code. Its main purpose is to generate a database representation of a codebase, a CodeQL database. Once the database is ready, you can query it interactively, or run a suite of queries to generate a set of results in SARIF format and upload the results to GitHub.com.

    Use the CodeQL CLI to analyze:

    • Dynamic languages, for example, JavaScript and Python.
    • Compiled languages, for example, C/C++, C# and Java.
    • Codebases written in a mixture of languages.

    For more information, see "Installing CodeQL CLI in your CI system."

    Note: The CodeQL CLI is free to use on public repositories that are maintained on GitHub.com, and available to use on private repositories that are owned by customers with an Advanced Security license. For information, see "GitHub CodeQL Terms and Conditions" and "CodeQL CLI."

    Did this doc help you?

    Privacy policy

    Help us make these docs great!

    All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

    Make a contribution

    Or, learn how to contribute.