Introducing CodeQL

On September 18th 2019, we announced that Semmle was joining the GitHub family.

This is a fantastic next step towards our goal of securing the world’s software.

With this combined power come some exciting changes:

  • Firstly, the “QL” product and tooling have been renamed to CodeQL, and more of the query technology is now free to use for analyzing open source codebases.
  • Secondly, what was previously called a “QL snapshot” is now a CodeQL database.

GitHub code scanning and LGTM alerts are generated by queries that run on CodeQL databases: a relational, queryable representation of a codebase, built by extracting the source (and, for compiled languages, observing the build). If you want to develop and run your own queries locally on open source codebases, you can build your own CodeQL database from a checkout of the code. Alternatively, you can download a ready-built database from LGTM.com.

The CodeQL command-line interface (CLI) is freely available for anyone to use on open source code. For details and access, see CodeQL in the GitHub Security Lab.
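As an added example that is not code from the original post or from GitHub, here is a minimal CodeQL query of the kind you could run locally against a database built with the CLI. The query language is CodeQL (QL) and the `import cpp` library is the standard C/C++ library; the target function (`strcpy`), the query id and the database and source paths in the comments are illustrative assumptions.

```ql
// Added example: a minimal CodeQL query for C/C++ code.
// The CLI invocations below use the standard `codeql database create` and
// `codeql query run` subcommands; the paths and the target function (strcpy)
// are assumptions chosen for illustration, not taken from the original post.
//
//   codeql database create my-db --language=cpp --source-root=. --command="make"
//   codeql query run --database=my-db strcpy-calls.ql
//
/**
 * @name Calls to strcpy
 * @description Flags every call to the unbounded C string copy strcpy,
 *              as a starting point for a manual review of buffer handling.
 * @kind problem
 * @problem.severity warning
 * @id example/strcpy-calls
 */

import cpp

// FunctionCall covers direct calls; getTarget() resolves the callee, and
// hasGlobalName matches a function declared at global (non-namespaced) scope.
from FunctionCall call
where call.getTarget().hasGlobalName("strcpy")
select call,
  "Call to " + call.getTarget().getName() +
  ": consider a length-bounded alternative."
```

The query must sit where the CLI can resolve the `cpp` standard library, for example inside a checkout of the github/codeql repository, or with that checkout supplied via `--search-path`. `@kind problem` means each result is a source location plus a message, which is the alert shape that LGTM and code scanning display; `codeql query run` prints those rows to the terminal.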

Together with the release of the CodeQL CLI, there is also a new and much more powerful IDE extension for VS Code, which replaces the Eclipse-based workflow for writing and running queries.