Publicamos atualizações frequentes em nossa documentação, e a tradução desta página ainda pode estar em andamento. Para obter as informações mais recentes, acesse a documentação em inglês. Se houver problemas com a tradução desta página, entre em contato conosco.

Português do Brasil

Versão do artigo: GitHub.com

See all Enterprise releases

Installing CodeQL CLI in your CI system

You can install the CodeQL CLI and use it to perform CodeQL Varredura de código in a third-party continuous integration system.

Varredura de código is available for all public repositories, and for private repositories owned by organizations where Segurança Avançada GitHub is enabled. Para obter mais informações, consulte "Sobre Segurança Avançada GitHub".

Neste artigo

About using the CodeQL CLI for Varredura de código

You can use the CodeQL CLI to run Varredura de código on code that you're processing in a third-party continuous integration (CI) system. Varredura de código é um recurso que você usa para analisar o código em um repositório de GitHub para localizar vulnerabilidades de segurança e erros de codificação. Quaisquer problemas identificados pela análise são exibidos em GitHub. For information, see "About Varredura de código with CodeQL."

The CodeQL CLI is a standalone product that you can use to analyze code. Its main purpose is to generate a database representation of a codebase, a CodeQL database. Once the database is ready, you can query it interactively, or run a suite of queries to generate a set of results in SARIF format and upload the results to GitHub.

Alternatively, you can use GitHub Actions to run Varredura de código within GitHub. For information about Varredura de código using actions, see "Setting up Varredura de código for a repository." For an overview of the options for CI systems, see "About CodeQL Varredura de código in your CI system".

Note: The CodeQL CLI is free to use on public repositories that are maintained on GitHub.com, and available to use on private repositories that are owned by customers with an Segurança Avançada license. For information, see "GitHub CodeQL Terms and Conditions" and "CodeQL CLI."

Downloading the CodeQL CLI

You should download the CodeQL bundle from https://github.com/github/codeql-action/releases. The bundle contains:

CodeQL CLI product
A compatible version of the queries and libraries from https://github.com/github/codeql
Precompiled versions of all the queries included in the bundle

You should always use the CodeQL bundle as this ensures compatibility and also gives much better performance than a separate download of the CodeQL CLI and checkout of the CodeQL queries. If you will only be running the CLI on one specific platform, download the appropriate codeql-bundle-PLATFORM.tar.gz file. Alternatively, you can download codeql-bundle.tar.gz, which contains the CLI for all supported platforms.

Note: The CodeQL package management functionality, including CodeQL packs, is currently in beta and subject to change. To use this beta functionality, install the beta release of the CodeQL CLI bundle from: https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.6.0-beta.1.

Setting up the CodeQL CLI in your CI system

You need to make the full contents of the CodeQL CLI bundle available to every CI server that you want to run CodeQL Varredura de código analysis on. For example, you might configure each server to copy the bundle from a central, internal location and extract it. Alternatively, you could use the REST API to get the bundle directly from GitHub, ensuring that you benefit from the latest improvements to queries. Updates to the CodeQL CLI are released every 2-3 weeks. For example:

$ wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz
$ tar -xvzf ../codeql-bundle-linux64.tar.gz

After you extract the CodeQL CLI bundle, you can run the codeql executable on the server:

By executing /<extraction-root>/codeql/codeql, where <extraction-root> is the folder where you extracted the CodeQL CLI bundle.
By adding /<extraction-root>/codeql to your PATH, so that you can run the executable as just codeql.

Testing the CodeQL CLI set up

After you extract the CodeQL CLI bundle, you can run the following command to verify that the CLI is correctly set up to create and analyze databases.

codeql resolve qlpacks if /<extraction-root>/codeql is on the PATH.
/<extraction-root>/codeql/codeql resolve qlpacks otherwise.

Extract from successful output:

codeql-cpp (/<extraction-root>/codeql/qlpacks/codeql-cpp)
codeql-cpp-examples (/<extraction-root>/codeql/qlpacks/codeql-cpp-examples)
codeql-cpp-upgrades (/<extraction-root>/codeql/qlpacks/codeql-cpp-upgrades)
codeql-csharp (/<extraction-root>/codeql/qlpacks/codeql-csharp)
codeql-csharp-examples (/<extraction-root>/codeql/qlpacks/codeql-csharp-examples)
codeql-csharp-upgrades (/<extraction-root>/codeql/qlpacks/codeql-csharp-upgrades)
codeql-go (/<extraction-root>/codeql/qlpacks/codeql-go)
codeql-go-examples (/<extraction-root>/codeql/qlpacks/codeql-go-examples)
codeql-go-upgrades (/<extraction-root>/codeql/qlpacks/codeql-go-upgrades)
codeql-java (/<extraction-root>/codeql/qlpacks/codeql-java)
codeql-java-examples (/<extraction-root>/codeql/qlpacks/codeql-java-examples)
codeql-java-upgrades (/<extraction-root>/codeql/qlpacks/codeql-java-upgrades)
codeql-javascript (/<extraction-root>/codeql/qlpacks/codeql-javascript)
codeql-javascript-examples (/<extraction-root>/codeql/qlpacks/codeql-javascript-examples)
codeql-javascript-upgrades (/<extraction-root>/codeql/qlpacks/codeql-javascript-upgrades)
codeql-python (/<extraction-root>/codeql/qlpacks/codeql-python)
codeql-python-examples (/<extraction-root>/codeql/qlpacks/codeql-python-examples)
codeql-python-upgrades (/<extraction-root>/codeql/qlpacks/codeql-python-upgrades)
...

You should check that the output contains the expected languages and also that the directory location for the qlpack files is correct. The location should be within the extracted CodeQL CLI bundle, shown above as <extraction root>, unless you are using a checkout of github/codeql. If the CodeQL CLI is unable to locate the qlpacks for the expected languages, check that you downloaded the CodeQL bundle and not a standalone copy of the CodeQL CLI.

Generating a token for authentication with GitHub

Each CI server needs a aplicativo GitHub or personal access token for the CodeQL CLI to use to upload results to GitHub. You must use an access token or a aplicativo GitHub with the security_events write permission. If CI servers already use a token with this scope to checkout repositories from GitHub, you could potentially allow the CodeQL CLI to use the same token. Otherwise, you should create a new token with the security_events write permission and add this to the CI system's secret store. For information, see "Building Aplicativos do GitHub" and "Creating a personal access token."

Next steps

You're now ready to configure the CI system to run CodeQL analysis, generate results, and upload them to GitHub where the results will be matched to a branch or pull request and displayed as Varredura de código alerts. For detailed information, see "Configuring CodeQL CLI in your CI system."

Ajude-nos a tornar esses documentos ótimos!

Todos os documentos do GitHub são de código aberto. Você percebeu que algo que está errado ou não está claro? Envie um pull request.

Faça uma contribuição

Ou, aprenda como contribuir.

Ainda precisa de ajuda?

Pergunte à comunidade do GitHub Entrar em contato com o suporte

Jul	AUG	Sep
	13
2020	2021	2022