The Wayback Machine - https://web.archive.org/web/20230323015852/https://docs.github.com/zh/[email protected]/code-security/code-scanning/using-the-codeql-cli/getting-started-with-the-codeql-cli
Skip to main content

This version of GitHub Enterprise was discontinued on 2023-01-18. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with the upgrade, contact GitHub Enterprise support.

Getting started with the CodeQL CLI

To get started with the CodeQL CLI, you need to set up the CLI so that it can access the tools and libraries required to create and analyze databases.

GitHub CodeQL is licensed on a per-user basis upon installation. You can use CodeQL only for certain tasks under the license restrictions. For more information, see "About the GitHub CodeQL license."

If you have a GitHub Enterprise account and GitHub Advanced Security license, you can use CodeQL for automated analysis, continuous integration and continuous delivery. You can create an enterprise account by contacting the sales team. For more information, see "About GitHub Advanced Security."

Note: This article was migrated from the CodeQL documentation website in January 2023.

Getting started with the CodeQL CLI

To run CodeQL commands, you need to set up the CLI so that it can access the tools, queries, and libraries required to create and analyze databases.

Setting up the CodeQL CLI

The CodeQL CLI can be set up to support many different use cases and directory structures. To get started quickly, we recommend adopting a relatively simple setup, as outlined in the steps below.

If you use Linux, Windows, or macOS version 10.14 (“Mojave”) or earlier, simply follow the steps below. For macOS version 10.15 (“Catalina”) or newer, steps 1 and 4 are slightly different—for further details, see the sections labeled Information for macOS “Catalina” (or newer) users. If you are using macOS on Apple Silicon (e.g. Apple M1), ensure that the Xcode command-line developer tools and Rosetta 2 are installed.

Note: The CodeQL CLI is currently not compatible with non-glibc Linux distributions such as (muslc-based) Alpine Linux.

For information about installing the CodeQL CLI in a CI system to create results to display in GitHub as code scanning alerts, see Installing CodeQL CLI in your CI system.

1. Download the CodeQL CLI zip package

The CodeQL CLI download package is a zip archive containing tools, scripts, and various CodeQL-specific files. If you don’t have a GitHub Enterprise license then, by downloading this archive, you are agreeing to the GitHub CodeQL Terms and Conditions.

Important: There are several versions of the CLI available to download, depending on your use case:

  • If you want to use the most up to date CodeQL tools and features, download the version tagged latest.
  • If you want to generate code scanning data to upload to GitHub Enterprise server, then download the version that is compatible with the CodeQL CLI used in your CI system. For more information, see “Installing CodeQL CLI in your CI system.”

If you use Linux, Windows, or macOS version 10.14 (“Mojave”) or earlier, simply download the zip archive for the version you require.

If you want the CLI for a specific platform, download the appropriate codeql-PLATFORM.zip file. Alternatively, you can download codeql.zip, which contains the CLI for all supported platforms.

Information for macOS “Catalina” (or newer) users

If you use macOS version 10.15 (“Catalina”), version 11 (“Big Sur”), or the upcoming version 12 (“Monterey”), you need to ensure that your web browser does not automatically extract zip files. If you use Safari, complete the following steps before downloading the CodeQL CLI zip archive:

  1. Open Safari.
  2. From the Safari menu, select Preferences….
  3. Click the General Tab.
  4. Ensure the check-box labeled Open “safe” files after downloading is unchecked.

2. Extract the zip archive

For Linux, Windows, and macOS users (version 10.14 “Mojave”, and earlier) simply extract the zip archive.

Information for macOS “Catalina” (or newer) users

macOS “Catalina”, “Big Sur”, or “Monterey” users should run the following commands in the Terminal, where ${extraction-root} is the path to the directory where you will extract the CodeQL CLI zip archive:

  1. mv ~/Downloads/codeql\*.zip ${extraction-root}
  2. cd ${extraction-root}
  3. /usr/bin/xattr -c codeql\*.zip
  4. unzip codeql\*.zip

3. Launch codeql

Once extracted, you can run CodeQL processes by running the codeql executable in a couple of ways:

  • By executing <extraction-root>/codeql/codeql, where <extraction-root> is the folder where you extracted the CodeQL CLI package.
  • By adding <extraction-root>/codeql to your PATH, so that you can run the executable as just codeql.

At this point, you can execute CodeQL commands. For a full list of the CodeQL CLI commands, see the “CodeQL CLI manual.”

Note: If you add codeql to your PATH, it can be accessed by CodeQL for Visual Studio Code to compile and run queries. For more information about configuring VS Code to access the CodeQL CLI, see "Setting up CodeQL in Visual Studio Code."

4. Verify your CodeQL CLI setup

CodeQL CLI has subcommands you can execute to verify that you are correctly set up to create and analyze databases:

  • Run codeql resolve languages to show which languages are available for database creation. This will list the languages supported by default in your CodeQL CLI package.

Alternatively, you can download query packs during the analysis by using the --download flag of the codeql database analyze command.

Checking out the CodeQL source code directly

Some users prefer working with CodeQL query sources directly in order to work on or contribute to the Open Source shared queries. In order to do this, the following steps are recommended. Note that the following instructions are a slightly more complicated alternative to working with CodeQL packages as explained above.

1. Download the CodeQL CLI zip

Follow step 1 from the previous section.

2. Create a new CodeQL directory

Create a new directory where you can place the CLI and any queries and libraries you want to use. For example, $HOME/codeql-home.

The CLI’s built-in search operations automatically look in all of its sibling directories for the files used in database creation and analysis. Keeping these components in their own directory prevents the CLI searching unrelated sibling directories while ensuring all files are available without specifying any further options on the command line.

3. Obtain a local copy of the CodeQL queries

The CodeQL repository contains the queries and libraries required for CodeQL analysis of all supported languages. Clone a copy of this repository into codeql-home.

By default, the root of the cloned repository will be called codeql. Rename this folder codeql-repo to avoid conflicting with the CodeQL CLI that you will extract in step 4. If you use git on the command line, you can clone and rename the repository in a single step by running git clone [email protected]:github/codeql.git codeql-repo in the codeql-home folder.

Note: The CodeQL libraries and queries for Go analysis used to live in a separate CodeQL for Go repository. These have been moved to the github/codeql repository. It is no longer necessary to clone the github/codeql-go into a separate codeql-home/codeql-go folder.

For more information, see the Relocation announcement.

Important: There are different versions of the CodeQL queries available for different users. Check out the correct version for your use case:

  • For the queries that are intended to be used with the latest CodeQL CLI release, check out the branch tagged codeql-cli/latest. You should use this branch for databases you’ve built using the CodeQL CLI, fetched from code scanning on GitHub, or recently downloaded from GitHub.com.
  • For the most up to date CodeQL queries, check out the main branch. This branch represents the very latest version of CodeQL’s analysis.

4. Extract the zip archive

For Linux, Windows, and macOS users (version 10.14 “Mojave”, and earlier) simply extract the zip archive into the directory you created in step 2.

For example, if the path to your copy of the CodeQL repository is $HOME/codeql-home/codeql-repo, then extract the CLI into $HOME/codeql-home/.

5. Launch codeql

See step 3 from the previous section.

6. Verify your CodeQL CLI setup

CodeQL CLI has subcommands you can execute to verify that you are correctly set up to create and analyze databases:

  • Run codeql resolve languages to show which languages are available for database creation. This will list the languages supported by default in your CodeQL CLI package.
  • Run codeql resolve qlpacks to show which CodeQL packs the CLI can find. This will display the names of all the CodeQL packs directly available to the CodeQL CLI. This should include:
  • Query packs for each supported language, for example, codeql/{language}-queries. These packs contain the standard queries that will be run for each analysis.
  • Library packs for each supported language, for example, codeql/{language}-all. These packs contain query libraries, such as control flow and data flow libraries, that may be useful to query writers.
  • Example packs for each supported language, for example, codeql/{language}-examples. These packs contain useful snippets of CodeQL that query writers may find useful.
  • Legacy packs that ensure custom queries and libraries created using older products are compatible with your version of CodeQL.

Using two versions of the CodeQL CLI

If you want to use the latest CodeQL features to execute queries or CodeQL tests, but also want to prepare databases that are compatible with a specific version of CodeQL code scanning on GitHub Enterprise Server, you may need to install two versions of the CLI. The recommended directory setup depends on which versions you want to install:

  • If both versions are 2.0.2 (or newer), you can unpack both CLI archives in the same parent directory.
  • If at least one of the versions is 2.0.1 (or older), the unpacked CLI archives cannot be in the same parent directory, but they can share the same grandparent directory. For example, if you unpack version 2.0.2 into $HOME/codeql-home/codeql-cli, the older version should be unpacked into $HOME/codeql-older-version/old-codeql-cli. Here, the common grandparent is the $HOME directory.