Skip to content
Latchkey

Adding CodeQL to GitHub Actions

Run GitHub CodeQL static analysis to find security bugs in your code on every PR.

CodeQL is GitHub's semantic code analysis engine for finding security vulnerabilities. The workflow has three steps: init (pick languages), build (autobuild or manual for compiled languages), and analyze. Results land directly in the repo Security tab.

What you need

  • security-events: write permission on the job.
  • A language matrix (javascript, python, java, etc.).
  • For compiled languages, a working build (autobuild or your own commands).

The workflow

Init, build, then analyze for each language in the matrix.

.github/workflows/codeql.yml
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    strategy:
      matrix:
        language: [javascript, python]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3

Common gotchas

  • Compiled languages often need a manual build; autobuild guesses and can miss code.
  • CodeQL is CPU-heavy and slow on large repos - schedule it instead of running on every push.
  • security-events: write is required or analyze cannot upload results.

Key takeaways

  • CodeQL runs as init then build then analyze, per language.
  • Compiled languages may need a manual build step.
  • It needs security-events: write to publish findings.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →