codeql-agent-project/codeql-agent-cli

CodeQL Agent CLI

CodeQL Agent CLI is a tool that automates the process of using CodeQL, a semantic code analysis engine, to execute code scanning. It makes the process of finding security vulnerabilities in code simple and efficient.

Features

  • Automates the whole CodeQL workflow: detect the language, create the database and run the scan.
  • Scan a remote target (e.g. a GitHub repository) or a local target (e.g. a source code folder). Scanning a list of targets is also supported.
  • Support for running in Docker, with CodeQL prepackaged and precompiled for code scanning (under development).
  • Send results to a Discord webhook.

Requirements

  • For normal use, you need to install the CodeQL CLI.
  • For Docker support, you need to install Docker; the CodeQL CLI is not required in that case.

Install CodeQL Agent CLI

Install CodeQL Agent CLI from npm:

npm install -g codeql-agent

Getting Started

  1. Install CodeQL Agent CLI.
npm install -g codeql-agent
  2. Scan your codebase.
codeql-agent scan

Usage

codeql-agent -h

or, for more details about a specific command:

codeql-agent scan -h

This will display help for the tool. Here are all the switches the scan command supports.

   ____          _       ___  _          _                    _   
  / ___|___   __| | ___ / _ \| |        / \   __ _  ___ _ __ | |_ 
 | |   / _ \ / _` |/ _ \ | | | |       / _ \ / _` |/ _ \ '_ \| __|
 | |__| (_) | (_| |  __/ |_| | |___   / ___ \ (_| |  __/ | | | |_ 
  \____\___/ \__,_|\___|\__\_\_____| /_/   \_\__, |\___|_| |_|\__|
                                             |___/                
        Author: doublevkay - Version: 0.3.4

Usage: codeql-agent scan [options] <target>

scan a target. Target could be source code folder, remote repository (e.g. GitHub repository) or a list of target.

Arguments:
  target                          source code folder, remote repository or list of target.

  Examples:
        codeql-agent scan src/sammple
        codeql-agent scan targets.txt
        codeql-agent scan https://github.com/OWASP/NodeGoat

Options:
  -l, --language <language>       language of source code. Supported languages: go, java, cpp, csharp, cpp, javascript, ruby. Omitting this option to auto-detect the
                                  language.
  -o, --output <output>           output folder. Default: <target>-codeql-results
  -c, --command <command>         command to create database for compiled languages, omit if the only languages requested are Python and JavaScript. This specifies
                                  the build commands needed to invoke the compiler. If you don't set this variable, CodeQL will attempt to detect the build system
                                  automatically, using a built-in autobuilder
  -t, --threads <number>          number of threads to use. Pass 0 to use one threads per core on the machine. Default: 1 (default: 1)
  --query <query>                 CodeQL query to run. Default: <language>-security-extended.qls
  --format <format>               output format. Default: sarif-latest (default: "sarif-latest")
  --overwrite                     overwrite existing database.
  --download                      download missing queries before analyzing.
  --remove-remote-repository      remove the remote repository after cloning.
  --db-output <dbOutput>          database folder path.
  --remove-database               remove the CodeQL database after scanning.
  --create-db-only                only create CodeQL database, do not scan.
  --enable-file-logging           enable file logging.
  --discord-webhook <webhookUrl>  discord web hook to send the result to.
  --use-docker                    use docker to isolated run CodeQL.
  -v, --verbose                   verbose output
  -h, --help                      display help for command
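As an added example (not code from the codeql-agent project), the following Python script assembles a scan invocation from the switches listed above and then summarises the SARIF files the scan writes, so the findings can be counted per rule and per severity and used as a CI gate. The SARIF document embedded at the bottom is constructed sample data with illustrative rule ids, not real scan output.

```python
import json
import subprocess
import sys
from collections import Counter
from pathlib import Path

def build_scan_command(target, output_dir, language=None, threads=0):
    """Assemble a codeql-agent scan call from the switches in the help text.
    threads=0 asks for one thread per core; sarif-latest is already the
    default format but is passed explicitly so the parser below can rely on it."""
    cmd = ["codeql-agent", "scan", target, "-o", str(output_dir),
           "--format", "sarif-latest", "-t", str(threads), "--remove-database"]
    if language:                       # omit -l to let the tool auto-detect
        cmd += ["-l", language]
    return cmd

def summarize_sarif(sarif):
    """Count results per rule id and per level in one SARIF document.
    A result without a level is counted as 'warning', the SARIF 2.1.0
    fallback when neither the result nor its rule configuration sets one."""
    by_rule, by_level = Counter(), Counter()
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            by_rule[res.get("ruleId", "<no-rule-id>")] += 1
            by_level[res.get("level", "warning")] += 1
    return by_rule, by_level

def summarize_output_dir(output_dir):
    """Merge every .sarif file codeql-agent wrote under output_dir."""
    by_rule, by_level = Counter(), Counter()
    for path in Path(output_dir).rglob("*.sarif"):
        with open(path, encoding="utf-8") as fh:
            rules, levels = summarize_sarif(json.load(fh))
        by_rule.update(rules)          # Counter.update adds counts
        by_level.update(levels)
    return by_rule, by_level

def gate_failed(by_level, max_errors=0):
    """CI gate: True when there are more 'error'-level findings than allowed."""
    return by_level.get("error", 0) > max_errors

# Constructed sample SARIF (rule ids are illustrative, not real scan output).
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{"results": [
    {"ruleId": "js/sql-injection", "level": "error", "message": {"text": "a"}},
    {"ruleId": "js/sql-injection", "level": "error", "message": {"text": "b"}},
    {"ruleId": "js/xss", "level": "warning", "message": {"text": "c"}},
    {"ruleId": "js/log-injection", "message": {"text": "d"}}]}]}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    out = f"{Path(target).name or 'target'}-codeql-results"
    subprocess.run(build_scan_command(target, out), check=True)
    rules, levels = summarize_output_dir(out)
    for rule, n in rules.most_common():
        print(f"{n:4d}  {rule}")
    sys.exit(1 if gate_failed(levels) else 0)
```

Run it as `python scan_summary.py path/to/source` with the CodeQL Agent CLI installed; the exit status is non-zero when any error-level finding is present.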

Using CodeQL Agent on VSCode

If you want to use CodeQL Agent on VSCode, you can install the CodeQL Agent extension from the VSCode Marketplace.

License

This tool is released under the MIT License by the CodeQL Agent Project, a non-profit community organization that is not the official CodeQL team. For the full text of the license, please consult our LICENSE.md file.

Note that this license applies only to the tool in this repository. For more information on the license governing use of the CodeQL CLI that it invokes, please consult the GitHub CodeQL Terms and Conditions. In particular, note that there are restrictions on how you may use the CodeQL CLI on code that is not released under an OSI-approved open source software license.