Note
This article describes the features available with the CodeQL CLI 2.20.7 bundle included in the initial release of GitHub Enterprise Server 3.17.
If your site administrator has updated your CodeQL CLI version to a newer release, please see the GitHub Enterprise Cloud version of this article for information on the latest features.
About CodeQL packs
CodeQL packs are used to create, share, depend on, and run CodeQL queries and libraries. CodeQL packs contain queries, library files, query suites, and metadata. You can customize your CodeQL analysis by downloading packs created by others and running them on your codebase.
The CodeQL CLI bundle includes queries that are maintained by GitHub experts, security researchers, and community contributors. If you want to run queries developed by other organizations, CodeQL query packs provide an efficient and reliable way to download and run queries, while model packs (public preview) can be used to expand code scanning analysis to recognize libraries and frameworks that are not supported by default.
Types of CodeQL packs
There are three types of CodeQL packs: query packs, library packs, and model packs.
- Query packs contain a set of pre-compiled queries that can be evaluated on a CodeQL database. Query packs are designed to be run. When a query pack is published, the bundle includes all the transitive dependencies and pre-compiled representations of each query, in addition to the query sources. This ensures consistent and efficient execution of the queries in the pack.
- Library packs are designed to be used by query packs (or other library packs) and do not contain queries themselves. The libraries are not compiled separately.
- Model packs can be used to expand code scanning analysis to recognize libraries and frameworks that are not supported by default. Model packs are currently in public preview and subject to change. During the public preview, model packs are available for C/C++, C#, Java/Kotlin, Python, and Ruby analysis. For more information about creating your own model packs, see Creating and working with CodeQL packs.
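As an added illustration (not part of the original article), the three pack types are distinguished by the metadata in the `qlpack.yml` file at the root of each pack. The `example-org` pack names, the version numbers and the `models/` path below are hypothetical; each YAML document stands for a separate pack's `qlpack.yml`.

```yaml
# --- Query pack (hypothetical): contains .ql queries and is meant to be run.
# No "library" key, so the pack is treated as a query pack.
name: example-org/java-custom-queries
version: 0.1.0
dependencies:
  # Standard Java library pack that the queries import from.
  codeql/java-all: "*"
  # Hypothetical shared library pack, constrained to a compatible range.
  example-org/java-shared-lib: ^0.1.0
---
# --- Library pack (hypothetical): contains .qll libraries only.
# "library: true" marks it as a pack that is depended on, not run.
name: example-org/java-shared-lib
version: 0.1.0
library: true
dependencies:
  codeql/java-all: "*"
---
# --- Model pack (hypothetical): data extensions that describe a framework
# the default analysis does not recognize.
name: example-org/java-framework-models
version: 0.1.0
library: true
# The pack whose analysis these models extend.
extensionTargets:
  codeql/java-all: "*"
# Data extension files (assumed location) that hold the models.
dataExtensions:
  - models/**/*.yml
```

Because a published query pack bundles its transitive dependencies, the version ranges in `dependencies` decide which third-party library code ends up inside the pack you run, so review them as you would any other dependency declaration.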
Where to find query packs
The standard CodeQL packs for all supported languages are published in the Container registry. If you installed the CodeQL CLI in the standard way, using the CodeQL CLI bundle, the core query packs are already downloaded and available to you. They are:
- codeql/cpp-queries
- codeql/csharp-queries
- codeql/go-queries
- codeql/java-queries
- codeql/javascript-queries
- codeql/python-queries
- codeql/ruby-queries
- codeql/swift-queries
You can also use the CodeQL CLI to create your own CodeQL packs, add dependencies to packs, and install or update dependencies.
You can publish CodeQL packs that you have created, using the CodeQL CLI. For more information on publishing and downloading CodeQL packs, see Publishing and using CodeQL packs.