CodeQL documentation

Exploring data flow with path queries

You can run CodeQL queries in VS Code to help you track the flow of data through a program, highlighting areas that are potential security vulnerabilities.

About path queries

A path query is a CodeQL query with the metadata property @kind path-problem. The standard CodeQL libraries contain many of these; for example, the Java security query Cross-site scripting is a path query that finds cross-site scripting vulnerabilities in Java projects.

You can run the standard CodeQL path queries to identify security vulnerabilities and manually look through the results. You can also modify the existing queries to model data flow more precisely for the specific framework of your project, or write completely new path queries to find a different vulnerability.

To ensure that your path query uses the correct format and metadata, follow the instructions in “Creating path queries.” This topic also contains detailed information about how to define new sources and sinks, as well as templates and examples of how to extend the CodeQL libraries to suit your analysis.
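To make the shape of a path query concrete, here is an added example of a complete @kind path-problem query for Java; it is not taken from the CodeQL documentation or the standard query packs. It uses the module-based data-flow API of the CodeQL Java library (the TaintTracking::Global module and DataFlow::ConfigSig interface), assumes that the library exposes MethodCall (older library versions name this class MethodAccess) and RemoteFlowSource, and the sanitizer method name sanitizeForLog is a hypothetical placeholder for a project-specific helper. The query reports flows from untrusted remote input to java.util.logging.Logger.info calls, which the VS Code results view then renders as a source-to-sink path.

```ql
/**
 * @name Added example: remote input reaches a log call
 * @description Finds paths from remote user input to Logger.info arguments
 *              (illustrative query, not part of the standard query packs).
 * @kind path-problem
 * @problem.severity warning
 * @id java/examples/remote-input-to-log
 */

import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources

/** Describes the sources, sinks and barriers of the flow we want to track. */
module LogInjectionConfig implements DataFlow::ConfigSig {
  /** Sources: any node the standard library models as remote (untrusted) input. */
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  /** Sinks: every argument of a call to java.util.logging.Logger.info(...). */
  predicate isSink(DataFlow::Node sink) {
    exists(MethodCall call |
      call.getMethod().hasName("info") and
      call.getMethod().getDeclaringType().hasQualifiedName("java.util.logging", "Logger") and
      sink.asExpr() = call.getAnArgument()
    )
  }

  /**
   * Barriers: flow stops at the result of a method named sanitizeForLog.
   * The method name is a hypothetical placeholder for a project's own sanitizer.
   */
  predicate isBarrier(DataFlow::Node node) {
    exists(MethodCall call |
      call.getMethod().hasName("sanitizeForLog") and
      node.asExpr() = call
    )
  }
}

/** Instantiate global taint tracking with the configuration above. */
module LogInjectionFlow = TaintTracking::Global<LogInjectionConfig>;

/* Exporting PathGraph is what lets the results view show each step of the path. */
import LogInjectionFlow::PathGraph

/*
 * A path-problem select clause has a fixed shape:
 *   1. the element to highlight (the sink),
 *   2. the source PathNode,
 *   3. the sink PathNode,
 *   4. the alert message, optionally with $@ placeholders and their targets.
 */
from LogInjectionFlow::PathNode source, LogInjectionFlow::PathNode sink
where LogInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Log entry depends on a $@.", source.getNode(),
  "user-provided value"
```

When you open this file in VS Code and run it against a Java database, each alert under the Results view expands into the individual taint steps between the RemoteFlowSource and the Logger.info argument; adding a predicate to isBarrier is the usual way to remove false positives once you have confirmed that a particular helper neutralises the input.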

Running path queries in VS Code locally

  1. Open a path query in the editor.
  2. Right-click in the query window and select CodeQL: Run Query on Selected Database. (Alternatively, run the command from the Command Palette.)
  3. Once the query has finished running, you can see the results in the Results view as usual (under alerts in the dropdown menu). Each query result describes the flow of information between a source and a sink.
  4. Expand the result to see the individual steps that the data follows.
  5. Click each step to jump to it in the source code and investigate the problem further.
  6. To navigate the results from your keyboard, you can bind shortcuts to the CodeQL: Navigate Up/Down/Left/Right in Result Viewer commands.

When you are ready to run a path query at scale, you can use the Variant Analysis Repositories panel to run the query against up to 1,000 repositories on GitHub.com. For information on running analysis at scale across many CodeQL databases, see “Running CodeQL queries at scale with multi-repository variant analysis.”
