- open-source query packs and tooling exist
- usable on open-source codebases
- important caveat: CodeQL code scanning is free only for public repositories; scanning a private repository on GitHub requires a GitHub Advanced Security license, and the CodeQL CLI's own license restricts standalone use to open-source codebases and query development
For GitHub Actions, use the official actions:
- github/codeql-action/init
- github/codeql-action/analyze
For CLI and query work on open-source codebases, use the CodeQL bundle and CLI from the official CodeQL docs and releases.
Before proposing install steps, check whether the repo already has CodeQL configured:
rg -n "codeql-action|security-events|CodeQL" .github/workflows
command -v codeql

Typical GitHub Actions flow:
- initialize CodeQL (init step, with `languages: csharp` and an explicit `build-mode`)
- build the .NET project in `manual` or `autobuild` mode; `manual` means the workflow runs its own `dotnet build` between init and analyze, so the analyzed build matches the real one
- analyze and upload results (the job needs `security-events: write` permission for the upload)
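The check and the flow above as one bootstrap script. This is an added example written for this page, not code from the CodeQL project: it looks for an existing CodeQL setup the way the commands above do (using grep rather than rg so it runs anywhere), checks that result upload has the permission it needs, and only if nothing is configured writes a baseline workflow with explicit `build-mode: manual`. The function names, the workflow file path and the branch names are this example's own assumptions; the action inputs (`languages`, `build-mode`, `category`) are those of github/codeql-action v3.

```shell
#!/bin/sh
# Added example for a CodeQL-on-.NET evaluation page (not the project's own code).
# Assumed layout: $1 is the repository root; workflows live under .github/workflows.

# Return 0 if any workflow already references CodeQL (same markers as the rg check).
codeql_configured() {
    dir="${1:-.}/.github/workflows"
    [ -d "$dir" ] || return 1
    grep -rEq 'codeql-action|security-events|CodeQL' "$dir"
}

# Return 0 if some workflow grants security-events: write, which the analyze
# step needs to upload SARIF results to code scanning.
codeql_upload_permission_ok() {
    dir="${1:-.}/.github/workflows"
    [ -d "$dir" ] || return 1
    grep -rEq 'security-events:[[:space:]]*write' "$dir"
}

# Write a baseline workflow to FILE. Refuses to overwrite an existing file so a
# hand-tuned workflow is never clobbered.
write_codeql_workflow() {
    file="$1"
    if [ -e "$file" ]; then
        echo "refusing to overwrite $file" >&2
        return 1
    fi
    mkdir -p "$(dirname "$file")"
    # Quoted heredoc: nothing inside is expanded by the shell.
    cat > "$file" <<'EOF'
name: CodeQL (.NET)

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# Least privilege for the token: read the repo, write only to code scanning.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      # Pin these to commit SHAs in production to limit supply-chain exposure.
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'
      - uses: github/codeql-action/init@v3
        with:
          languages: csharp
          build-mode: manual
      # Manual mode: the real build runs between init and analyze.
      - run: dotnet build --configuration Release
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:csharp"
EOF
}

# Decide what to do for the repository at $1: report an existing setup and its
# upload permission, or write the baseline workflow.
bootstrap() {
    repo="${1:-.}"
    if codeql_configured "$repo"; then
        echo "CodeQL already configured in $repo/.github/workflows"
        codeql_upload_permission_ok "$repo" \
            || echo "warning: no workflow grants security-events: write; uploads will fail" >&2
        return 0
    fi
    write_codeql_workflow "$repo/.github/workflows/codeql.yml" \
        && echo "wrote $repo/.github/workflows/codeql.yml (build-mode: manual)"
}

# Usage: sh codeql_bootstrap.sh /path/to/repo
if [ "$#" -gt 0 ]; then
    bootstrap "$@"
fi
```

Run it before proposing install steps; if it reports an existing setup, review that workflow's build mode and permissions instead of adding a second one.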
- strong fit for security scanning of .NET code, with open-source query packs and good coverage of common web and injection classes
- best used with an explicit build mode for compiled .NET repos: prefer `build-mode: manual` with the repo's real `dotnet build` so the analyzed build matches what ships; `autobuild` guesses the solution and can miss projects (newer CodeQL versions also offer `build-mode: none` for C#, which skips the build)
- document the private-repo licensing caveat (GitHub Advanced Security required) before standardizing on it
- avoid it when the team requires a tool that is unambiguously open/free for private repos without platform caveats