{"id":13566917,"url":"https://github.com/github/codeql-action","last_synced_at":"2026-04-01T19:50:16.563Z","repository":{"id":36991016,"uuid":"259445878","full_name":"github/codeql-action","owner":"github","description":"Actions for running CodeQL analysis","archived":false,"fork":false,"pushed_at":"2026-03-31T14:32:48.000Z","size":531183,"stargazers_count":1517,"open_issues_count":173,"forks_count":451,"subscribers_count":51,"default_branch":"main","last_synced_at":"2026-03-31T16:32:18.055Z","etag":null,"topics":["actions","advanced-security","ci","code-scanning","codeql","semmle-ql"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/github.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-04-27T20:36:30.000Z","updated_at":"2026-03-31T11:41:08.000Z","dependencies_parsed_at":"2024-01-22T10:42:37.264Z","dependency_job_id":"c3329e5a-d953-4324-ad36-7d34461f3541","html_url":"https://github.com/github/codeql-action","commit_stats":{"total_commits":3650,"total_committers":95,"mean_commits":"38.421052631578945","dds":0.7649315068493151,"last_synced_commit":"e817992b3db357f199b6e99216d3bf853dafd0fc"},"previous_names":[],"tags_count":536,"template":false,"template_full_name":null,"purl":"pkg:github/github/codeql-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fcodeql-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fcodeql-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fcodeql-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fcodeql-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/github","download_url":"https://codeload.github.com/github/codeql-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fcodeql-action/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31291245,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T13:12:26.723Z","status":"ssl_error","status_checked_at":"2026-04-01T13:12:25.102Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","advanced-security","ci","code-scanning","codeql","semmle-ql"],"created_at":"2024-08-01T13:02:19.523Z","updated_at":"2026-04-01T19:50:16.542Z","avatar_url":"https://github.com/github.png","language":"TypeScript","readme":"# CodeQL Action\n\nThis action runs GitHub's industry-leading semantic code analysis engine, [CodeQL](https://codeql.github.com/), against a repository's source code to find security vulnerabilities. 
It then automatically uploads the results to GitHub so they can be displayed on pull requests and in the repository's security tab. CodeQL runs an extensible set of [queries](https://github.com/github/codeql), which have been developed by the community and the [GitHub Security Lab](https://securitylab.github.com/) to find common vulnerabilities in your code.\n\nFor a list of recent changes, see the CodeQL Action's [changelog](CHANGELOG.md).\n\n## License\n\nThis project is released under the [MIT License](LICENSE).\n\nThe underlying CodeQL CLI, used in this action, is licensed under the [GitHub CodeQL Terms and Conditions](https://securitylab.github.com/tools/codeql/license). As such, this action may be used on open source projects hosted on GitHub, and on private repositories that are owned by an organisation with GitHub Advanced Security enabled.\n\n## Usage\n\nWe recommend using default setup to configure CodeQL analysis for your repository. For more information, see \"[Configuring default setup for code scanning](https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning).\"\n\nYou can also configure advanced setup for a repository to find security vulnerabilities in your code using a highly customizable code scanning configuration. For more information, see \"[Configuring advanced setup for code scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)\" and \"[Customizing your advanced setup for code scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning).\"\n\n### Actions\n\nThis repository contains several actions that enable you to analyze code in your repository using CodeQL and upload the analysis to GitHub Code Scanning. 
Actions in this repository also allow you to upload to GitHub analyses generated by any SARIF-producing SAST tool.\n\nActions for CodeQL analyses:\n\n- `init`: Sets up CodeQL for analysis. For information about input parameters, see the [init action definition](https://github.com/github/codeql-action/blob/main/init/action.yml).\n- `analyze`: Finalizes the CodeQL database, runs the analysis, and uploads the results to Code Scanning. For information about input parameters, see the [analyze action definition](https://github.com/github/codeql-action/blob/main/analyze/action.yml).\n\nActions for uploading analyses generated by third-party tools:\n\n- `upload-sarif`: Uploads a SARIF file to Code Scanning. If you are using the `analyze` action, there is no reason to use this action as well. For information about input parameters, see the [upload-sarif action definition](https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml).\n\nActions with special purposes and unlikely to be used directly:\n\n- `autobuild`: Attempts to automatically build the code. Only used for analyzing languages that require a build. Use the `build-mode: autobuild` input in the `init` action instead. For information about input parameters, see the [autobuild action definition](https://github.com/github/codeql-action/blob/main/autobuild/action.yml).\n- `resolve-environment`: [Experimental] Attempts to infer a build environment suitable for automatic builds. For information about input parameters, see the [resolve-environment action definition](https://github.com/github/codeql-action/blob/main/resolve-environment/action.yml).\n- `start-proxy`: [Experimental] Start the HTTP proxy server. Internal use only and will change without notice. 
For information about input parameters, see the [start-proxy action definition](https://github.com/github/codeql-action/blob/main/start-proxy/action.yml).\n- `setup-codeql`: [Experimental] Similar to `init`, except it only installs the CodeQL CLI and does not initialize a database.\n\n### Workflow Permissions\n\nAll advanced setup code scanning workflows must have the `security-events: write` permission. Workflows in private repositories must additionally have the `contents: read` permission. For more information, see \"[Assigning permissions to jobs](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs).\"\n\n### Build Modes\n\nThe CodeQL Action supports different build modes for analyzing the source code. The available build modes are:\n\n- `none`: The database will be created without building the source code. Available for all interpreted languages and some compiled languages.\n- `autobuild`: The database will be created by attempting to automatically build the source code. Available for all compiled languages.\n- `manual`: The database will be created by building the source code using a manually specified build command. To use this build mode, specify manual build steps in your workflow between the `init` and `analyze` steps. Available for all compiled languages.\n\n#### Which build mode should I use?\n\nInterpreted languages must use `none` for the build mode.\n\nFor compiled languages:\n\n- `manual` build mode will typically produce the most precise results, but it is more difficult to set up and will cause the analysis to take slightly more time to run.\n- `autobuild` build mode is simpler to set up, but will only work for projects with generic build steps that can be guessed by the heuristics of the autobuild scripts. If `autobuild` fails, then you must switch to `manual` or `none`. 
If `autobuild` succeeds, then the results and run time will be the same as `manual` mode.\n- `none` build mode is also simpler to set up and is slightly faster to run, but there is a possibility that some alerts will be missed. This may happen if your repository does any code generation during compilation or if there are any dependencies downloaded from registries that the workflow does not have access to. `none` is not yet supported by Swift, Go, or Kotlin. It is in public preview for C/C++.\n\n\n## Supported versions of the CodeQL Action\n\nThe following versions of the CodeQL Action are currently supported:\n\n- v4 (latest)\n- v3\n\n## Supported versions of the CodeQL Bundle on GitHub Enterprise Server\n\nWe typically release new minor versions of the CodeQL Action and Bundle when a new minor version of GitHub Enterprise Server (GHES) is released. When a version of GHES is deprecated, the CodeQL Action and Bundle releases that shipped with it are deprecated as well.\n\n| Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |\n|-----------------------|-------------------------------|--------------------|-------|\n| `v4.31.10` | `2.23.9` | Enterprise Server 3.20 | |\n| `v3.29.11` | `2.22.4` | Enterprise Server 3.19 | |\n| `v3.28.21` | `2.21.3` | Enterprise Server 3.18 | |\n| `v3.28.12` | `2.20.7` | Enterprise Server 3.17 | |\n| `v3.28.6` | `2.20.3` | Enterprise Server 3.16 | |\n| `v3.28.6` | `2.20.3` | Enterprise Server 3.15 | |\n| `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |\n\nSee the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).\n\n## Keeping the CodeQL Action up to date in advanced setups\n\nIf you are using an [advanced setup](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning), we recommend 
referencing the CodeQL Action using a major version tag (e.g. `v4`) in your workflow file. This ensures your workflow automatically picks up the latest release within that major version, including bug fixes, new features, and updated CodeQL CLI versions.\n\nIf you pin to a specific commit SHA or patch version tag, ensure you keep it updated (e.g. via [Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)). Some CodeQL Action features are enabled by server-side flags that may be removed over time, which can cause old versions to lose functionality.\n\n## Troubleshooting\n\nRead about [troubleshooting code scanning](https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning).\n\n## Contributing\n\nThis project welcomes contributions. See [CONTRIBUTING.md](CONTRIBUTING.md) for details on how to build, install, and contribute.\n","funding_links":[],"categories":["TypeScript"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithub%2Fcodeql-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgithub%2Fcodeql-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithub%2Fcodeql-action/lists"}