Adding CodeQL to GitHub Actions
Run GitHub CodeQL static analysis to find security bugs in your code on every PR.
CodeQL is GitHub's semantic code analysis engine for finding security vulnerabilities. The workflow has three steps: init (pick languages), build (autobuild or manual for compiled languages), and analyze. Results land directly in the repo Security tab.
What you need
- security-events: write permission on the job.
- A language matrix (javascript, python, java, etc.).
- For compiled languages, a working build (autobuild or your own commands).
The workflow
Init, build, then analyze for each language in the matrix.
.github/workflows/codeql.yml
jobs:
analyze:
runs-on: ubuntu-latest
permissions:
security-events: write
strategy:
matrix:
language: [javascript, python]
steps:
- uses: actions/checkout@v4
- uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
- uses: github/codeql-action/autobuild@v3
- uses: github/codeql-action/analyze@v3Common gotchas
- Compiled languages often need a manual build; autobuild guesses and can miss code.
- CodeQL is CPU-heavy and slow on large repos - schedule it instead of running on every push.
- security-events: write is required or analyze cannot upload results.
Key takeaways
- CodeQL runs as init then build then analyze, per language.
- Compiled languages may need a manual build step.
- It needs security-events: write to publish findings.
Related guides
Adding Semgrep to GitHub ActionsRun Semgrep SAST in GitHub Actions with a ruleset, emit SARIF for code scanning, and fail PRs on new findings.
Adding Snyk to GitHub ActionsScan dependencies for vulnerabilities with Snyk in GitHub Actions, set a severity threshold, and upload SARIF…
Adding Trivy Container Scanning to GitHub ActionsScan container images for vulnerabilities with Trivy in GitHub Actions, fail on critical CVEs, and upload SAR…