CodeQL for research

Discover vulnerabilities across a codebase with CodeQL, our industry-leading semantic code analysis engine. CodeQL lets you query code as though it were data. Write a query to find all variants of a vulnerability, eradicating it forever. Then share your query to help others do the same.

CodeQL is free for research and open source.

Try CodeQL on


from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeDeserializationConfig conf

where conf.hasFlowPath(source, sink)

select sink.getNode().(UnsafeDeserializationSink).getMethodAccess(), source, sink,
    "Unsafe deserialization of $@.", source.getNode(), "user input"

Meet CodeQL

Run real queries on popular open source codebases using the CodeQL query console on See how powerful it is to discover a bad pattern and then find similar occurrences across the entire codebase. In the example above, an unsafe deserialization pattern is coded using the built-in CodeQL libraries for data flow and taint tracking.

Screenshot of CodeQL VSCode extension
Screenshot of CodeQL VSCode extension

Write and run queries in
Visual Studio Code

Now that you’ve seen the power of the CodeQL language on, you're ready to write and run queries locally.

Install CodeQL for Visual Studio Code

By downloading, you agree to the GitHub CodeQL Terms & Conditions.

Once you've installed the extension:

Step 1: get a CodeQL database

Step 2: query the code and find vulnerabilities

See the documentation for more info.

$ # Clone the project
$ git clone

$ # Create a CodeQL database
$ codeql database create ./struts_db -s ./struts_9805 \
  -j 0 -l java --command "mvn -B -DskipTests \

Query open source codebases

You can create CodeQL databases yourself for any project that's under an OSI-approved open source license. To download CodeQL and get started, visit the CodeQL CLI docs.

CodeQL Capture the Flag

Challenge your vulnerability hunting skills and get a quick lesson on using the CodeQL libraries with our Capture the Flag event. Enter before December 13 for a chance to win cool prizes by finding XSS-unsafe JQuery plugins in Bootstrap.

Take a look at the previous challenges.

Go Capture the Flag

GitHub CodeQL can only be used on codebases that are released under an OSI-approved open source license, or to perform academic research. It can't be used for automated analysis, continuous integration or continuous delivery, whether as part of normal software engineering processes or otherwise. For these uses, contact the sales team.