Domain 5: Use code scanning with CodeQL (20%)
Exam Tip
Know the difference between default setup and advanced setup, and when to use each. Understand the different CodeQL query suites and what CodeQL packs are used for.
What is CodeQL?
CodeQL is a semantic code analysis engine that treats code as data, allowing you to query it for vulnerability patterns. It powers GitHub's native code scanning feature.
Supported Languages
- C / C++
- C# / .NET
- Go
- Java / Kotlin
- JavaScript / TypeScript
- Python
- Ruby
- Swift (for iOS/macOS apps)
CodeQL Setup Options
Default Setup
The fastest way to enable CodeQL. GitHub automatically:
- Detects the languages in your repository
- Selects the appropriate query suite (security-extended)
- Configures scan triggers (push to default branch, PRs to default branch)
- No workflow YAML file needed
Enable via: Settings → Code security → Code scanning → Set up → Default
Best for
Repositories where you want immediate, zero-configuration scanning. Ideal for most projects.
Advanced Setup
A GitHub Actions workflow file (.github/workflows/codeql.yml) gives you full control over:
- Which query suites to run (default, extended, custom)
- Which branches to scan
- Scan schedule (cron)
- Build commands for compiled languages
- Custom CodeQL packs
Enable via: Settings → Code security → Code scanning → Set up → Advanced
Example Advanced CodeQL Workflow

```yaml
name: CodeQL Analysis
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 2 * * 1' # Every Monday at 2am UTC
jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    strategy:
      matrix:
        language: [javascript, python]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended # or: security-and-quality
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
```

Comparing Default vs Advanced Setup
| Aspect | Default Setup | Advanced Setup |
|---|---|---|
| Configuration | Zero YAML; GitHub auto-configures | .github/workflows/codeql.yml required |
| Language detection | Automatic | Manual (matrix configuration) |
| Query suite | security-extended (auto) | Configurable (any suite or custom queries) |
| Schedule | On push and PR to default branch | Fully configurable (cron, any branch) |
| Build step | Automatic (autobuild) | Manual (specify build commands) |
| Best for | Quick start, standard projects | Monorepos, compiled languages needing custom build, custom queries |
CodeQL Query Suites
CodeQL includes predefined query suites that group related security queries and checks together:
| Suite | Description | When to use |
|---|---|---|
| security-extended (default) | Security queries + additional CWE coverage | Most repositories |
| security-and-quality | Security + code quality queries (can be noisy) | When you want code quality coverage too |
| Custom packs | Your own or third-party CodeQL queries | Specialized security requirements |
Exam Trap
Default setup uses the security-extended query suite by default, not security-and-quality. The quality suite generates more alerts and is not enabled by default because it may produce more noise.
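Advanced setup selects suites, extra queries, packs and analysed paths through a CodeQL configuration file that the init step loads. The following is an added example, not a file from this page or from GitHub's own documentation; the file path, the custom-queries directory, the path filters and the suite path inside the pack are assumptions:

```yaml
# .github/codeql/codeql-config.yml (assumed path; any path works as long as
# the init step points at it with the config-file input)
name: "Application code: security-extended plus custom queries"

# Keep the language's built-in queries and add to them. Setting this to true
# would run ONLY the queries and packs listed below.
disable-default-queries: false

queries:
  # Named suite shipped with CodeQL
  - uses: security-extended
  # Queries maintained in this repository (assumed directory)
  - name: Repository-specific queries
    uses: ./.github/codeql/custom-queries

# CodeQL packs pulled from the GitHub Container Registry.
# Format: scope/name[@version][:path-to-suite]. codeql/javascript-queries is
# an official pack; the suite path inside it is an assumption.
packs:
  - codeql/javascript-queries:codeql-suites/javascript-security-extended.qls

# Restrict analysis to application code; vendored and generated files only add
# noise and scan time (patterns are constructed for this example).
paths:
  - src
paths-ignore:
  - 'src/**/*.test.js'
  - 'src/vendor/**'

---
# The init step in .github/workflows/codeql.yml that loads the file above.
# When a config file is used, the queries input on the step is not needed.
steps:
  - uses: github/codeql-action/init@v3
    with:
      languages: javascript
      config-file: ./.github/codeql/codeql-config.yml
```

Leaving disable-default-queries at false is the safe choice for most teams: custom packs then add coverage instead of silently replacing the standard security queries. Narrowing paths is the usual first step when a scan is noisy, before switching suites.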
Troubleshooting CodeQL Scanning
| Problem | Likely Cause | Fix |
|---|---|---|
| No alerts generated | Language not supported or wrong language config | Verify language matrix in workflow |
| Autobuild fails | Compiled language requires specific build steps | Use advanced setup with manual build commands |
| Too many alerts (noise) | security-and-quality suite enabled | Switch to security-extended |
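When autobuild fails for a compiled language, the fix in the table is to take the advanced workflow and replace the autobuild step with the project's own build commands. The job below is an added example, not from this page; it assumes a Java project built with a Maven wrapper, and the JDK distribution and version are assumptions:

```yaml
jobs:
  analyze:
    name: Analyze (manual build)
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    strategy:
      matrix:
        language: [java-kotlin]
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # Provision the toolchain the project actually needs (versions assumed).
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'

      # init must run BEFORE the build so CodeQL can trace the compiler
      # and extract the code it compiles.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended

      # Replaces github/codeql-action/autobuild. Tests are skipped to keep
      # the scan fast; the build still has to compile all production code.
      - name: Build (assumes a Maven wrapper in the repository)
        run: ./mvnw -B -DskipTests package

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
```

The order matters: code that is compiled before the init step, or not compiled at all (for example modules excluded from the build), never reaches the CodeQL database, which shows up as "no alerts generated" rather than as a failure.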
Domain 5 Quick Quiz
What is the difference between CodeQL default setup and advanced setup?
Answer: advanced setup uses a codeql.yml workflow for custom query suites, build steps, and schedules, giving maximum control.