Skip to content
Latchkey

How to Run CodeQL Analysis in GitHub Actions

CodeQL runs deep static analysis and reports findings as code-scanning alerts.

Initialize CodeQL for your languages, build the code, then run the analyze step. Results land in the Security tab as alerts.

Steps

  • Grant security-events: write permission.
  • Run github/codeql-action/init with your language matrix.
  • Build, then run github/codeql-action/analyze.

Workflow

.github/workflows/codeql.yml
permissions:
  security-events: write
jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: ['javascript', 'python']
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3

Gotchas

  • Compiled languages need an explicit build step between init and analyze.
  • Run CodeQL on a schedule plus pull requests so new code is always covered.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →