The query library and engine behind GitHub code scanning
MIT
- CodeQL
- C#
- Kotlin

About CodeQL
CodeQL treats code as data: you query a codebase with the QL language to find security vulnerabilities and bugs, hunting for patterns of a known flaw across an entire project at once. It is the analysis engine behind GitHub code scanning and GitHub Advanced Security.
This repository holds the standard QL libraries and the curated set of security queries, along with extensive language support. Authors typically write and run queries through the CodeQL CLI or the CodeQL extension for Visual Studio Code, which adds syntax highlighting, IntelliSense, code navigation, and query unit testing.
The libraries and queries here are open source under the MIT license from GitHub. The CodeQL CLI and engine ship from a separate repository under their own license and are free for analyzing open source and for research; analyzing closed-source code requires a commercial license.
Key features
- Query code with the QL language to find vulnerabilities
- Curated standard library of security queries
- CodeQL CLI for running analyses
- VS Code extension for authoring and testing queries
Details
- First released: 2018
- License: MIT (queries) · engine separate
- Engine: Free for OSS · paid otherwise
- Platforms: CLI · VS Code
- Origins: GitHub