Security Scanning on GitHub code repo using CodeQL

What is CodeQL?

CodeQL is a code analysis engine and query tool for running security vulnerability checks to find out vulnerabilities across a repository. CodeQL treats code like data. When we run CodeQL, it extracts a single relational representation of each file in the codebase to create CodeQL database. Then it runs queries against the database to find out security vulnerabilities, bugs and other errors. Finally, it converts query results and highlights potential issues that needs fixing.

At present, CodeQL supports C++, C#, Python, Java, JavaScript, Go, Ruby languages.

In this quick start demo we are going to use a simple python application using Flask framework.

To demonstrate how CodeQL find outs vulnerabilities and errors, we are intentionally printing a dummy password in our code.

from flask import Flask
app = Flask(__name__)

password = "xyz"

def hello():
    return "Hello, This is CodeQL demo!"

if __name__ == "__main__":

you can clone the demo repo locally to take a closer look.

we are going to use following workflow definition(.github/workflows/codeql.yml) for CodeQL security check as a GitHub action.

name: "CodeQL"

    branches: [ "master" ]
    branches: [ "master" ]
    - cron: '36 18 * * 6'

    name: Analyze
    runs-on: ubuntu-latest
      actions: read
      contents: read
      security-events: write

      fail-fast: false
        language: [ 'python' ]

    - name: Checkout repository
      uses: actions/checkout@v3

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
        languages: ${{ matrix.language }}
    - name: Autobuild
      uses: github/codeql-action/autobuild@v2

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2

When we commit the code, GitHub actions will trigger a workflow for CodeQL security scanning. see below screen shots.

Once CodeQL analysis is finished, results will be published to GitHub repo’s Security section.. see below screen shots.

Under Security tab you can see there is an alert

Click on “Code scanning alerts” to see the last scan results and open issues.

If you click on Open issue you can see more details about the scanning alert.

Once we fix the password print issue and merge the code, the alert will be closed in “Code scanning alerts” section automatically.


In this quick demo, we have covered what is CodeQL and how to use it to scan git repo code base. For further information you can read official documentation.

Find out about similar Security Scanning Tools:

Security Scanning in GitHub CI/CD workflow using Trivy

Vulnerability Scanning in GitHub CI/CD Workflow using Grype

Leave a ReplyCancel reply

Exit mobile version