github/codeql-action: Run CodeQL Code Scanning
codeql-action runs CodeQL static analysis and uploads alerts to GitHub code scanning.
It is a multi-step action: init sets up the database, an optional autobuild compiles, and analyze runs queries and uploads results to the Security tab.
Key steps and inputs
- codeql-action/init with languages: e.g. javascript, python.
- codeql-action/autobuild for compiled languages.
- codeql-action/analyze to run queries and upload.
- queries: extra query suites to run.
- category: label results when scanning multiple configs.
Example workflow
.github/workflows/ci.yml
jobs:
analyze:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: actions/checkout@v4
- uses: github/codeql-action/init@v3
with:
languages: javascript
- uses: github/codeql-action/analyze@v3On any runner
CodeQL runs on any runner. Latchkey managed runners run it unchanged.
Key takeaways
- Use init then analyze; add autobuild for compiled languages.
- Needs permissions: security-events: write to upload alerts.
- languages drives which queries run.
Related guides
actions/attest-build-provenance: Sign Build ProvenanceReference for actions/attest-build-provenance: generate signed SLSA build provenance attestations for your ar…
codecov/codecov-action: Upload Coverage ReportsReference for codecov/codecov-action: upload test coverage reports to Codecov with a token, flags, and file p…
sigstore/cosign-installer: Install Cosign to Sign ImagesReference for sigstore/cosign-installer: install the Cosign CLI in a workflow to sign and verify container im…