About the CodeQL CLI
Software developers and security researchers can secure their code using CodeQL analysis. For more information about CodeQL, see "À propos de l’analyse du code avec CodeQL."
CodeQL CLI est un produit autonome que vous pouvez utiliser pour analyser le code. Son objectif principal est de générer une représentation de base de données d’un codebase, une base de données CodeQL. Une fois que la base de données est prête, vous pouvez l’interroger de manière interactive, ou exécuter une suite de requêtes pour générer un ensemble de résultats au format SARIF et charger les résultats dans GitHub.com.
You can use the CodeQL CLI to:
- Run CodeQL analyses using queries provided by GitHub engineers and the open source community
- Generate code scanning alerts that you can upload to display in GitHub
- Create CodeQL databases to use in the CodeQL for Visual Studio Code extension.
- Develop and test custom CodeQL queries to use in your own analyses
The CodeQL CLI can analyze:
- Dynamic languages, for example, JavaScript and Python.
- Compiled languages, for example, C/C++, C#, Go, and Java.
- Codebases written in a mixture of languages.
For information about setting up the CodeQL CLI, see "Setting up the CodeQL CLI."
For information about using the CodeQL CLI in a third-party CI system to create results to display in GitHub as code scanning alerts, see Configuring CodeQL CLI in your CI system. For information about enabling CodeQL code scanning using GitHub Actions, see "Définition de la configuration par défaut pour l’analyse du code" and "Définition de la configuration avancée pour l’analyse du code."
About using the CodeQL CLI for code scanning
You can use the CodeQL CLI to run code scanning on code that you're processing in a third-party continuous integration (CI) system. Code scanning es une fonctionnalité que vous utilisez pour analyser le code dans un dépôt GitHub afin de détecter d’éventuelles vulnérabilités de sécurité et erreurs de codage. Tous les problèmes identifiés par l’analyse sont affichés dans GitHub. For an overview of the options for CI systems, see "À propos de l’analyse du code CodeQL dans votre système d’intégration continue." For recommended specifications (RAM, CPU cores, and disk) for running CodeQL analysis, see "Ressources matérielles recommandées pour l’exécution de CodeQL."
Alternatively, you can use GitHub Actions or Azure DevOps pipelines to scan code using the CodeQL CLI. For more information, see "Définition de la configuration par défaut pour l’analyse du code" or Configure GitHub Advanced Security for Azure DevOps in Microsoft Learn.
For an overview of all the options for using CodeQL analysis for code scanning, see "À propos de l’analyse du code avec CodeQL."
Remarques :
- L’utilisation de CodeQL CLI est gratuite sur les dépôts publics. CodeQL CLI est également disponible dans des dépôts privés appartenant à des organisations qui utilisent GitHub Enterprise Cloud et ont une licence pour GitHub Advanced Security. Pour plus d’informations, consultez « Conditions générales de GitHub CodeQL » et « Interface CLI de CodeQL ».
- CodeQL CLI n’est actuellement pas compatible avec les distributions Linux non-glibc comme Alpine Linux (basée sur musl).
About generating code scanning results with CodeQL CLI
If you choose to run the CodeQL CLI directly, you first have to install the CodeQL CLI locally. If you are planning to use the CodeQL CLI with an external CI system, you need to make the CodeQL CLI available to servers in your CI system, and ensure that they can authenticate with GitHub. For more information, see "Setting up the CodeQL CLI."
Once the CodeQL CLI is set up, you can use three different commands to generate results and upload them to GitHub:
database createto create a CodeQL database to represent the hierarchical structure of each supported programming language in the repository. For more information, see "Preparing your code for CodeQL analysis."database analyzeto run queries to analyze each CodeQL database and summarize the results in a SARIF file. For more information, see "Analyzing your code with CodeQL queries."github upload-resultsto upload the resulting SARIF files to GitHub where the results are matched to a branch or pull request and displayed as code scanning alerts. For more information, see "Uploading CodeQL analysis results to GitHub."
About the GitHub CodeQL license
License notice: If you don’t have a GitHub Enterprise license then, by installing this product, you are agreeing to the GitHub CodeQL Terms and Conditions.
GitHub CodeQL is licensed on a per-user basis. Under the license restrictions, you can use CodeQL to perform the following tasks:
- To perform academic research.
- To demonstrate the software.
- To test CodeQL queries that are released under an OSI-approved License to confirm that new versions of those queries continue to find the right vulnerabilities.
Where "OSI-approved License" means an Open Source Initiative (OSI)-approved open source software license.
If you are working with an Open Source Codebase (that is, a codebase that is released under an OSI-approved License) you can also use CodeQL for the following tasks:
- To perform analysis of the Open Source Codebase.
- If the Open Source Codebase is hosted and maintained on GitHub.com, to generate CodeQL databases for or during automated analysis, continuous integration, or continuous delivery.
CodeQL can’t be used for automated analysis, continuous integration or continuous delivery, whether as part of normal software engineering processes or otherwise, except in the express cases set forth herein. For these uses, contact the sales team.