CodeQL documentation

CodeQL 2.5.6 (2021-06-22)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.5.6 runs a total of 266 security queries when configured with the Default suite (covering 114 CWE). The Extended suite enables an additional 57 queries (covering 28 more CWE). 3 security queries have been added with this release.


New Features

  • codeql database create (and the plumbing commands it comprises) now supports creating databases for a source tree with several languages while tracing a single build. This is enabled by a new --db-cluster option. Once created, the multiple databases must be analyzed one by one.

  • codeql database create and codeql database init now accept an --overwrite argument which will lead existing CodeQL databases to be overwritten.

  • codeql database analyze now supports “diagnostic” queries (tagged @kind diagnostic), which are intended to report information about the analysis process itself rather than problems with the analyzed code. The results of these queries will be summarized in a table printed to the terminal when codeql database analyze finishes.

    They are also included in the analysis results in SARIF output formats as notification objects so they can be displayed by subsequent tooling such as the Code Scanning user interface.

    • For SARIF v2.1.0, a reporting descriptor object for each diagnostic query is output to output to runs[].tool.driver.notifications, or runs[].tool.extensions[].notifications if running with --sarif-group-rules-by-pack. A rule object for each diagnostic query is output to runs[].resources[].rules for SARIF v2, or to runs[].rules for SARIF v1.
    • Results of diagnostic queries are exported to the runs[].invocations[].toolExecutionNotifications property in SARIF v2.1.0, the runs[].invocations[].toolNotifications property in SARIF v2, and the runs[].toolNotifications property in SARIF v1.

    SARIF v2.1.0 output will now also contain version information for query packs in runs[].tool.extensions[].semanticVersion, if the Git commit the queries come from is known.

  • codeql github upload-results has a --checkout-path option which will attempt to automatically configure upload target parameters. When this is given, the --commit option will be taken from the HEAD of the checkout Git repository, and if there is precisely one remote configured in the local repository, the --repository and --github-url options will also be automatically configured.

  • The CodeQL C++ extractor includes beta support for C++20. This is only available when building codebases with GCC on Linux. C++20 modules are not supported.

  • © GitHub, Inc.
  • Terms
  • Privacy