How to Run CodeQL Analysis in GitHub Actions
CodeQL runs deep static analysis and reports findings as code-scanning alerts.
Initialize CodeQL for your languages, build the code, then run the analyze step. Results land in the Security tab as alerts.
Steps
- Grant
security-events: writepermission. - Run
github/codeql-action/initwith your language matrix. - Build, then run
github/codeql-action/analyze.
Workflow
.github/workflows/codeql.yml
permissions:
security-events: write
jobs:
analyze:
runs-on: ubuntu-latest
strategy:
matrix:
language: ['javascript', 'python']
steps:
- uses: actions/checkout@v4
- uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
- uses: github/codeql-action/analyze@v3Gotchas
- Compiled languages need an explicit build step between init and analyze.
- Run CodeQL on a schedule plus pull requests so new code is always covered.
Related guides
How to Run a Trivy Security Scan in GitHub ActionsScan a container image or filesystem for vulnerabilities in GitHub Actions with Aqua Trivy, failing the build…
How to Run a Security Scan (CodeQL + Dependencies) in GitHub ActionsRun a SAST and dependency security scan in GitHub Actions with CodeQL and a dependency audit, uploading SARIF…