CodeQL is the code analysis platform used by security researchers to automate variant analysis—the process of using a known software security vulnerability as the seed for finding related bugs.

  • CodeQL treats your codebase as data and models security vulnerabilities as queries.
  • CodeQL comes with open source queries written by language experts and advanced security researchers—running these queries over your code automatically highlights potential security bugs directly in your source code.
  • CodeQL is customizable. Write new queries or develop existing ones to find logical variants of known bugs, and eliminate whole classes of the most serious errors from your code.

Visit the links below to learn more about analyzing your project from the command line using the CodeQL command-line interface and running CodeQL analysis in Visual Studio Code using the CodeQL extension.

To find out more about the technology behind CodeQL, see How does CodeQL work?.

To find out how to write queries, visit Learning CodeQL.


If you’ve used previously used the QL command-line tools, you’ll notice a few differences. For more information, see Notes for legacy QL CLI users.

CodeQL for Visual Studio Code extension

CodeQL databases can be analyzed in Visual Studio Code using the CodeQL extension, which provides an enhanced environment for writing and running custom queries and viewing the results.

CodeQL command-line interface

The CodeQL command-line interface (CLI) is used to create databases for variant analysis. You can query them directly from the command line or using the Visual Studio Code extension.