Advanced setup of the CodeQL CLI

You can modify your CodeQL CLI setup to use a local checkout of the CodeQL repository for analysis, set up multiple versions of the CodeQL CLI, and analyze databases you have downloaded from GitHub.

누가 이 기능을 사용할 수 있나요?

CodeQL은(는) 다음 리포지토리 유형에 사용할 수 있습니다.

이 문서의 내용

About advanced setup of the CodeQL CLI

If you plan to use CodeQL for more than just code scanning, you may prefer an advanced setup of the CodeQL CLI.

  • If you want to contribute to open source shared CodeQL queries, you may prefer working with the CodeQL source code directly.
  • If you want to use the latest CodeQL features to generate code scanning alerts for a codebase, but also want to analyze another codebase that is only compatible with a specific version of the CodeQL CLI, you may want to install multiple versions of the CodeQL CLI.
  • If you are researching or developing queries, you may want to download interesting or unique databases from GitHub.com.

For information on the most simple setup of the CodeQL CLI, see Setting up the CodeQL CLI.

Checking out the CodeQL source code directly

Some users prefer working with CodeQL query sources directly in order to work on or contribute to the Open Source shared queries. In order to do this, the following steps are recommended.

1. Download the CodeQL CLI tar archive

CodeQL CLI 다운로드 패키지는 도구, 스크립트 및 다양한 CodeQL 관련 파일을 포함하는 tar 보관 파일입니다. GitHub Enterprise 라이선스가 없는 경우, 이 보관 파일을 다운로드하면 GitHub CodeQL 이용 약관에 동의하는 것으로 간주됩니다.

https://github.com/github/codeql-action/releases에서 CodeQL 번들을 다운로드해야 합니다. 번들에는 다음이 포함됩니다.

항상 CodeQL 번들을 사용해야 합니다. 이 번들은 호환성을 보장하고 CodeQL CLI 쿼리를 별도로 다운로드하고 CodeQL 쿼리를 체크 아웃하는 것보다 훨씬 나은 성능을 제공합니다. 하나의 특정 플랫폼에서만 CLI를 실행하는 경우 적절한 codeql-bundle-PLATFORM.tar.zst 파일을 다운로드합니다. 또는 지원되는 모든 플랫폼에 해당하는 CLI가 포함된 codeql-bundle.tar.zst를 다운로드할 수 있습니다.

번들의 tar.gz 변형도 있으며, 효율성이 떨어지는 gzip 알고리즘을 사용하여 압축된다는 점을 제외하고는 tar.zst 변형과 동일합니다. tar.gz 변형을 다운로드하는 유일한 이유는 표준 압축 알고리즘을 지원하지 않는 이전 압축 해제 도구를 사용하는 경우입니다.

2. Create a new CodeQL directory

Create a new directory where you can place the CLI and any queries and libraries you want to use. For example, $HOME/codeql-home.

The CLI’s built-in search operations automatically look in all of its sibling directories for the files used in database creation and analysis. Keeping these components in their own directory prevents the CLI searching unrelated sibling directories while ensuring all files are available without specifying any further options on the command line.

3. Obtain a local copy of the CodeQL queries

The CodeQL repository contains the queries and libraries required for CodeQL analysis of all supported languages. Clone a copy of this repository into codeql-home.

By default, the root of the cloned repository will be called codeql. Rename this folder codeql-repo to avoid conflicting with the CodeQL CLI that you will extract in step 1. If you use git on the command line, you can clone and rename the repository in a single step by running git clone git@github.com:github/codeql.git codeql-repo in the codeql-home folder.

Within this repository, the queries and libraries are organized into CodeQL packs. Along with the queries themselves, CodeQL packs contain important metadata that tells the CodeQL CLI how to process the query files. For more information, see Creating and working with CodeQL packs.

참고 항목

There are different versions of the CodeQL queries available for different users. Check out the correct version for your use case:

  • For the queries that are intended to be used with the latest CodeQL CLI release, check out the branch tagged codeql-cli/latest. You should use this branch for databases you’ve built using the CodeQL CLI or recently downloaded from GitHub.
  • For the most up to date CodeQL queries, check out the main branch. This branch represents the very latest version of CodeQL’s analysis.

4. Extract the CodeQL CLI tar archive

Extract the tar archive into the directory you created in step 2.

For example, if the path to your copy of the CodeQL repository is $HOME/codeql-home/codeql-repo, then extract the CLI into $HOME/codeql-home/.

5. Launch codeql

추출한 후에는 codeql 실행 파일을 몇 가지 방법으로 실행하여 CodeQL 프로세스를 실행할 수 있습니다.

  • <extraction-root>/codeql/codeql을(를) 실행합니다. 여기서 <extraction-root>는 CodeQL CLI 패키지를 추출한 폴더입니다.
  • codeql처럼 실행 파일을 실행할 수 있도록 PATH<extraction-root>/codeql를 추가합니다.

이제 CodeQL 명령을 실행할 수 있습니다. CodeQL CLI 명령의 전체 목록은 CodeQL CLI commands manual을(를) 참조하세요.

6. Verify your CodeQL CLI setup

CodeQL CLI has subcommands you can execute to verify that you are correctly set up to create and analyze databases:

  • Run codeql resolve languages to show which languages are available for database creation. This will list the languages supported by default in your CodeQL CLI package.
  • Run codeql resolve qlpacks to show which CodeQL packs the CLI can find. This will display the names of all the CodeQL packs directly available to the CodeQL CLI. This should include:
  • Query packs for each supported language, for example, codeql/{language}-queries. These packs contain the standard queries that will be run for each analysis.
  • Library packs for each supported language, for example, codeql/{language}-all. These packs contain query libraries, such as control flow and data flow libraries, that may be useful to query writers.
  • Example packs for each supported language, for example, codeql/{language}-examples. These packs contain useful snippets of CodeQL that query writers may find useful.
  • Legacy packs that ensure custom queries and libraries created using older products are compatible with your version of CodeQL.

Using two versions of the CodeQL CLI

If you want to use the latest CodeQL features to execute queries or CodeQL tests, but also want to prepare databases that are compatible with a specific version of CodeQL code scanning on GitHub Enterprise Server, you may need to install two versions of the CLI. You can download the versions of the CodeQL CLI that you want, and unpack both CLI archives in the same parent directory.

Downloading databases from GitHub.com

GitHub stores CodeQL databases for over 200,000 repositories on GitHub.com, which you can download using the REST API. The list of repositories is constantly growing and evolving to make sure that it includes the most interesting codebases for security research.

You can also analyze databases from GitHub.com using the CodeQL for VS Code extension. For more information, see Running CodeQL queries.

You can check if a repository has any CodeQL databases available for download using the /repos/<owner>/<repo>/code-scanning/codeql/databases endpoint. For example, to check for CodeQL databases using the GitHub CLI you would run:

gh api /repos/<owner>/<repo>/code-scanning/codeql/databases

This command returns information about any CodeQL databases that are available for a repository, including the language the database represents, and when the database was last updated. If no CodeQL databases are available, the response is empty.

When you have confirmed that a CodeQL database exists for the language you are interested in, you can download it using the following command:

gh api /repos/<owner>/<repo>/code-scanning/codeql/databases/<language> -H 'Accept: application/zip' > path/to/local/database.zip

For more information, see the documentation for the Get CodeQL database endpoint.

Before running an analysis with the CodeQL CLI, you must unzip the databases.