Introducing CodeQL

On September 18, we announced that Semmle is joining the GitHub family.

This is a fantastic next step towards our goal of securing the world’s software.

With this combined power come some exciting changes:

  • Firstly, the “QL” product and tooling have been renamed to CodeQL, and more of the query technology is now free to use for analyzing open source codebases.
  • Secondly, what was previously called a “QL snapshot” is now a CodeQL database.

LGTM alerts are generated by queries that run on CodeQL databases: a structural representation of source code. These databases can be downloaded from LGTM.com for anyone to develop and run their own queries locally. If you prefer to build your own CodeQL database for an open source codebase, this is now also possible!
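
To make concrete what such a query looks like, here is a small CodeQL query added as an illustration; it is not code from this post or from the LGTM query suites. It runs against a JavaScript CodeQL database and reports every call to eval whose first argument is not a string literal, the kind of dynamically built input that makes eval a code-injection sink. The query id and metadata text are assumptions chosen for this example.

```ql
/**
 * @name Call to eval with a non-literal argument
 * @description Passing a dynamically built string to eval lets attacker-controlled
 *              input become executable code. (Example query, not part of the original post.)
 * @kind problem
 * @problem.severity warning
 * @id js/example/eval-with-non-literal   // hypothetical id chosen for this example
 */

import javascript

// Every call expression in the database whose callee is named `eval`
// and whose first argument is anything other than a plain string literal.
from CallExpr call
where
  call.getCalleeName() = "eval" and
  not call.getArgument(0) instanceof StringLiteral
select call, "Call to eval with a non-literal argument."
```

The `from ... where ... select` shape is the core of every alert-producing query: `from` binds variables to element classes provided by the database (here `CallExpr`), `where` constrains them, and `select` reports a source location with a message, which is what appears as an LGTM alert. This example is deliberately syntactic; the standard library queries that ship with CodeQL track data flow from untrusted sources to sinks like this one, which is what keeps the results from being swamped by harmless calls.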

The CodeQL command-line interface (CLI) is now freely available for anyone to use on open source code. For details and access, see CodeQL in the GitHub Security Lab.

Together with the release of the CodeQL CLI, there is also a new and much more powerful IDE extension for VS Code, which will replace the Eclipse-based workflow for writing and running queries.

Additional information for Enterprise customers

The CodeQL CLI is a new and improved command-line interface to create and query CodeQL databases. Such databases (formerly known as snapshots) were previously constructed using the QL command-line tool, odasa. If you currently use this tool, you are encouraged to start using the new CodeQL CLI, which provides the same functionality with a much more streamlined experience. The odasa command will remain available to existing Enterprise customers who have integrated it into their workflows.