---
description: A query language for repositories of code
---

# CodeQL

## Setup

Follow the Getting Started documentation to install the precompiled binary:

{% embed url="https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/getting-started-with-the-codeql-cli" %} Getting Started with installing the CodeQL CLI and some other useful tools {% endembed %}

On the releases page, download the "CodeQL Bundle" asset for your platform, most likely `codeql-bundle-linux64.tar.gz`.

If you need queries for a language that is not already included in the bundle, download the precompiled query pack for that language:

{% code title="Example" %}

```bash
codeql pack download codeql/python-queries
```

{% endcode %}

## Creating a database

{% embed url="https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/creating-codeql-databases" %} Create a CodeQL database from a repository to analyze later with queries {% endembed %}

Create a database with the following command, run inside the root folder of the project you want to analyze. `<database>` is the output directory, and `<language-identifier>` is one of the supported languages the project is written in.

```bash
codeql database create <database> --language=<language-identifier>
```

{% code title="Example" %}

```bash
codeql database create .codeql --language=python
```

{% endcode %}

{% hint style="info" %} Tip: For some compiled languages like Java, the autobuilder may not be able to build your source code in order to index it. You can pass `--build-mode=none` to skip building the project and only index the source files. {% endhint %}

## Analyzing a database

{% embed url="https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/analyzing-databases-with-the-codeql-cli" %} Use queries to analyze a CodeQL database {% endembed %}

Once you have created a database, use the `analyze` command to run queries against it. `<format>` is one of the supported output formats, such as `csv` or `sarif-latest`.

```bash
codeql database analyze <database> --format=<format> --output <output-file>
```

{% code title="Example" %}

```bash
codeql database analyze .codeql --format=sarif-latest --output codeql.sarif
```

{% endcode %}

You can open a CSV file in any spreadsheet program, but the most useful format is SARIF. To browse the findings and their locations in the code, use the SARIF Viewer extension for VS Code.

{% embed url="https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer" %} Download SARIF Viewer extension by Microsoft DevLabs {% endembed %}