CodeQL is the code analysis platform used by security researchers to automate variant analysis—the process of using a known software security vulnerability as the seed for finding related bugs.

Visit the links below to learn more about CodeQL, analyzing your project from the command line using the CodeQL command-line interface, and running CodeQL analysis in Visual Studio Code.
If you’ve previously used the QL command-line tools, you’ll notice a few differences. For more information, see Notes for legacy QL CLI users.

  • About CodeQL: CodeQL is the analysis engine used by developers to automate security checks, and by security researchers to perform variant analysis.
  • CodeQL for Visual Studio Code extension: You can analyze CodeQL databases in Visual Studio Code using the CodeQL extension, which provides an enhanced environment for writing and running custom queries and viewing the results.
  • CodeQL command-line interface: The CodeQL command-line interface (CLI) is used to create databases for security research. You can query CodeQL databases directly from the command line or using the Visual Studio Code extension.