CodeQL documentation

CodeQL 2.6.2 (2021-09-21)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.6.2 runs a total of 274 security queries when configured with the Default suite (covering 120 CWE). The Extended suite enables an additional 81 queries (covering 28 more CWE). 1 security query has been added with this release.


Bug Fixes

  • A bug where codeql generate log-summary would sometimes crash with a JsonMappingException has been fixed.


  • Documentation has been added detailing how to use the “indirect build tracing” feature, which is enabled by using the --begin-tracing flag provided by codeql database init. The new documentation can be found here. This feature was temporarily described as “sandwiched tracing” in the 2.6.0 release notes.

New Features

  • The CodeQL CLI now counts the lines of code found under --source-root when codeql database init or codeql database create is called. This information can be viewed later by either the new codeql database print-baseline command or the new --print-baseline-loc argument to codeql database interpret-results.
  • qlpack.yml files now support an additional field include in which glob patterns of additional files that should be included (or excluded) when creating a given CodeQL pack can be specified.
  • QL packs created by the experimental codeql pack create command will now include some information about the build in a new buildMetadata field of their qlpack.yml file.
  • codeql database create now supports the same flags as codeql database init for automatically recognizing the languages present in checkouts of GitHub repositories:
    • --github-url accepts the URL of a custom GitHub instance (previously only was supported).
    • --github-auth-stdin allows a personal access token to be provided through standard input (previously only the GITHUB_TOKEN environment variable was supported).
  • © GitHub, Inc.
  • Terms
  • Privacy