Automatic code review tools

Scanning for security vulnerabilities with CodeQL

CodeQL is a tool developed by GitHub that helps software developers detect and mitigate security vulnerabilities in their code. Instead of inspecting the code manually for security vulnerabilities, for example with a secure code review checklist, CodeQL scans the code automatically. Automatic code scanning for security vulnerabilities is highly effective and efficient. CodeQL uses a unique approach based on semantic analysis, which allows it to understand the intent behind the code and to identify potential security issues that traditional scanning tools might miss.

Who should use CodeQL

CodeQL can be used in several stages of the software development lifecycle, including during development, when reviewing code changes, and when performing security assessments. It can also be used during static application security testing. Developers can use it to write custom queries that can identify specific security patterns in the code and help them quickly fix vulnerabilities. Code reviewers can use it to perform thorough code scans and to enforce security policies. Security professionals can use it to perform thorough security assessments and to prioritize issues based on risk and impact.

How to use CodeQL

To use CodeQL, developers need to install the CodeQL CLI tool on their local machine, and then write queries using the CodeQL query language. They can then run these queries on their codebase to get a report of any security issues found. The report provides details about each issue, including the location in the code, the type of vulnerability, and recommended remediation steps.

CodeQL during code review

During code review, a developer can use CodeQL to perform a thorough security scan of the code changes being reviewed. The developer can then review the report and make any necessary changes to the code to fix the security issues. They can also use the report to discuss any issues with the code’s author and to make decisions about whether to approve or reject the code changes.

CodeQL Integration

CodeQL supports multiple programming languages, including C, C++, Java, JavaScript, Python, and others. It also integrates with GitHub Actions, which makes it easy to automate security scans as part of the software development workflow.

Predefined queries

CodeQL provides both predefined queries based on pre-existing security rules and the ability for developers to write their own custom queries to meet the specific needs of the organization. The predefined queries cover a range of security patterns and vulnerabilities and are designed to be a starting point for developers who are new to using CodeQL. The predefined queries are available in the CodeQL database and can be easily run against a codebase. They provide a convenient way to quickly identify common security issues and to get started using CodeQL.

Custom queries

However, predefined queries may not cover every security scenario, and developers may need to write their own custom queries to address specific security concerns. Writing custom queries can be useful in cases where a specific security pattern needs to be identified, or where an organization has specific security policies that need to be enforced. Custom queries can also be used to scan for more complex security scenarios that are not covered by the predefined queries.

CodeQL Example

One example of CodeQL’s use is in identifying Cross-Site Scripting (XSS) vulnerabilities. XSS is a type of security issue where an attacker can inject malicious code into a website, which is then executed by the victim’s browser. CodeQL provides a built-in query for detecting XSS vulnerabilities, which can be run against a codebase to identify any issues. The query analyzes the code for instances where user-controlled data is dynamically embedded into the web page without being properly sanitized, which is a common cause of XSS vulnerabilities.
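As an added illustration, and not the page's own code or GitHub's built-in XSS query, here is a simplified reflected-XSS query for the CodeQL JavaScript library that follows the pattern the paragraph describes: remote input flowing into an HTTP response body without passing an escaping function. It uses the module-based taint-tracking API; the `escapeHtml` barrier is an assumed project convention, not a CodeQL built-in.

```ql
/**
 * @name Reflected cross-site scripting (simplified example)
 * @description User-controlled input reaches an HTTP response body
 *              without passing through an HTML-escaping function.
 * @kind path-problem
 * @problem.severity error
 * @id js/example/reflected-xss
 */

import javascript

module XssConfig implements DataFlow::ConfigSig {
  // Sources: values an external client controls (request parameters, bodies, headers).
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Sinks: arguments written into an HTTP response body, e.g. res.send(...).
  predicate isSink(DataFlow::Node sink) { sink instanceof Http::ResponseSendArgument }

  // Barrier: a call to a function named `escapeHtml` stops taint. The name is an
  // assumed project convention; replace it with the codebase's own escaping helper.
  predicate isBarrier(DataFlow::Node node) {
    node.(DataFlow::CallNode).getCalleeName() = "escapeHtml"
  }
}

// Taint tracking rather than plain data flow, so values derived from the source
// through string concatenation or template literals are still reported.
module XssFlow = TaintTracking::Global<XssConfig>;

import XssFlow::PathGraph

from XssFlow::PathNode source, XssFlow::PathNode sink
where XssFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "Cross-site scripting: $@ is written to the response without escaping.",
  source.getNode(), "user-provided value"
```

Save the query in a CodeQL pack, build a database with `codeql database create`, and run it with `codeql database analyze <database> <query-file> --format=sarif-latest --output=results.sarif`; each result carries the full path from source to sink, which is what a reviewer needs to judge whether the flow is actually unescaped.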
In conclusion, CodeQL is a powerful tool for identifying security vulnerabilities in software code. It uses a unique approach based on semantic analysis and supports multiple programming languages, making it a versatile tool that can be used throughout the software development lifecycle. By automating security scans and providing detailed information about vulnerabilities, CodeQL can help software developers to write more secure code and to mitigate security risks.

Learn further about the 10 best code review tools, or about Codiga, another static analysis tool that helps to automate the boring parts of code reviews and focuses on clean code.

This article first appeared on Last updated: February 14, 2023


Written by Dr. Michaela Greiler who is obsessed with making code reviews your superpower. Learn more about her workshops.