Skip to content
Latchkey

github/codeql-action: Run CodeQL Code Scanning

codeql-action runs CodeQL static analysis and uploads alerts to GitHub code scanning.

It is a multi-step action: init sets up the database, an optional autobuild compiles, and analyze runs queries and uploads results to the Security tab.

Key steps and inputs

  • codeql-action/init with languages: e.g. javascript, python.
  • codeql-action/autobuild for compiled languages.
  • codeql-action/analyze to run queries and upload.
  • queries: extra query suites to run.
  • category: label results when scanning multiple configs.

Example workflow

.github/workflows/ci.yml
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v3

On any runner

CodeQL runs on any runner. Latchkey managed runners run it unchanged.

Key takeaways

  • Use init then analyze; add autobuild for compiled languages.
  • Needs permissions: security-events: write to upload alerts.
  • languages drives which queries run.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →