Setting up the CodeQL CLI

To get started with the CodeQL CLI, you need to download and set up the CLI so that it can access the tools and libraries required to create and analyze databases.

누가 이 기능을 사용할 수 있나요?

CodeQL은(는) 다음 리포지토리 유형에 사용할 수 있습니다.

이 문서의 내용

Setting up the CodeQL CLI

To run CodeQL commands, you need to set up the CLI so that it can access the tools, queries, and libraries required to create and analyze databases.

The CodeQL CLI can be set up to support many different use cases and directory structures. To get started quickly, we recommend adopting a relatively simple setup, as outlined in the steps below.

If you plan to use the CodeQL CLI for security research or to test or contribute queries, you may want a more advanced setup of CodeQL CLI. For more information, see Advanced setup of the CodeQL CLI.

If you are setting up the CodeQL CLI in your CI system, you need to make the full contents of the CodeQL CLI bundle available to every CI server that you want to run CodeQL code scanning analysis on. For example, you might configure each server to copy the bundle from a central, internal location and extract it. Alternatively, you could use the REST API to get the bundle directly from GitHub, ensuring that you benefit from the latest improvements to queries. For more information, see 릴리스 및 릴리스 자산에 대한 REST API 엔드포인트 in the REST API documentation.

If you are using macOS on Apple Silicon (for example, Apple M1), ensure that the Xcode command-line developer tools and Rosetta 2 are installed.

참고 항목

The CodeQL CLI is currently not compatible with non-glibc Linux distributions such as (muslc-based) Alpine Linux.

1. Download the CodeQL CLI tar archive

CodeQL CLI 다운로드 패키지는 도구, 스크립트 및 다양한 CodeQL 관련 파일을 포함하는 tar 보관 파일입니다. GitHub Enterprise 라이선스가 없는 경우, 이 보관 파일을 다운로드하면 GitHub CodeQL 이용 약관에 동의하는 것으로 간주됩니다.

https://github.com/github/codeql-action/releases에서 CodeQL 번들을 다운로드해야 합니다. 번들에는 다음이 포함됩니다.

항상 CodeQL 번들을 사용해야 합니다. 이 번들은 호환성을 보장하고 CodeQL CLI 쿼리를 별도로 다운로드하고 CodeQL 쿼리를 체크 아웃하는 것보다 훨씬 나은 성능을 제공합니다. 하나의 특정 플랫폼에서만 CLI를 실행하는 경우 적절한 codeql-bundle-PLATFORM.tar.zst 파일을 다운로드합니다. 또는 지원되는 모든 플랫폼에 해당하는 CLI가 포함된 codeql-bundle.tar.zst를 다운로드할 수 있습니다.

번들의 tar.gz 변형도 있으며, 효율성이 떨어지는 gzip 알고리즘을 사용하여 압축된다는 점을 제외하고는 tar.zst 변형과 동일합니다. tar.gz 변형을 다운로드하는 유일한 이유는 표준 압축 알고리즘을 지원하지 않는 이전 압축 해제 도구를 사용하는 경우입니다.

2. Extract the CodeQL CLI tar archive

Extract the CodeQL CLI tar archive to a directory of your choosing.

3. Launch codeql

추출한 후에는 codeql 실행 파일을 몇 가지 방법으로 실행하여 CodeQL 프로세스를 실행할 수 있습니다.

  • <extraction-root>/codeql/codeql을(를) 실행합니다. 여기서 <extraction-root>는 CodeQL CLI 패키지를 추출한 폴더입니다.
  • codeql처럼 실행 파일을 실행할 수 있도록 PATH<extraction-root>/codeql를 추가합니다.

이제 CodeQL 명령을 실행할 수 있습니다. CodeQL CLI 명령의 전체 목록은 CodeQL CLI commands manual을(를) 참조하세요.

참고 항목

If you add codeql to your PATH, it can be accessed by CodeQL for Visual Studio Code to compile and run queries. For more information about configuring VS Code to access the CodeQL CLI, see Configuring access to the CodeQL CLI.

Testing the CodeQL CLI configuration

After you extract the CodeQL CLI bundle, you can run the following command to verify that the CLI is correctly configured to create and analyze databases:

  • codeql resolve packs if /<extraction root>/codeql is on the PATH.
  • /<extraction root>/codeql/codeql resolve packs otherwise.

If successful, you should see output similar to the extract below:

Searching directories specified by `--additional-packs`. All directories have equal priority.
  Searching in:
    No packs were found at this location.
Searching directories specified by `--search-path`. Directories are searched in order.
Searching the root of the CodeQL distribution.
  Searching in:
      <extraction root>
    The following packs were found:
      codeql/java-all@<version>: (library) <extraction root>/qlpacks/codeql/javat-all/<version>/qlpack.yml
      codeql/java-queries@<version>: (query) <extraction root>/qlpacks/codeql/java-queries/<version>/qlpack.yml
      codeql/javascript-all@<version>: (library) <extraction root>/qlpacks/codeql/javascript-all/<version>/qlpack.yml
      codeql/javascript-queries@<version>: (query) <extraction root>/qlpacks/codeql/javascript-queries/<version>/qlpack.yml
      codeql/swift-all@<version>: (library) <extraction root>/qlpacks/codeql/swift-all/<version>/qlpack.yml
      codeql/swift-queries@<version>: (query) <extraction root>/qlpacks/codeql/swift-queries/<version>/qlpack.yml
...

The results have been truncated for brevity. The actual results will be longer and more detailed.

You should check that the output contains the expected languages and also that the directory location for the qlpack files is correct. The location should be within the extracted CodeQL CLI bundle, shown in the earlier example as <extraction root>. If the CodeQL CLI is unable to locate the qlpacks for the expected languages, check that you downloaded the CodeQL bundle and not a standalone copy of the CodeQL CLI.

You can also run codeql resolve languages to show which languages are available for database creation. This will list the languages supported by default in your CodeQL CLI package.

Optionally, you can download some CodeQL packs containing pre-compiled queries you would like to run. For more information, see Customizing analysis with CodeQL packs.

The codeql resolve packs command is useful for diagnosing problems when the CodeQL CLI is unable to locate query packs that you expect to be available for analysis.

참고 항목

The codeql resolve packs command is available in the CodeQL CLI versions 2.19.0 and later. For earlier versions of the CLI, you should run the codeql resolve qlpacks command, which produces similar, but less detailed output.

Next steps

To learn how to prepare your code to be analyzed by the CodeQL CLI, see Preparing your code for CodeQL analysis.