CodeQL Code Scanning: improvements for users analyzing codebases on 3rd party CI/CD systems

The latest release of the CodeQL CLI supports uploading analysis results to GitHub. This makes it easier to run code analysis for customers who wish to use CI/CD systems other than GitHub Actions. Previously, such users had to use the separate CodeQL Runner, which will continue to be available.

To get started, first download the updated CodeQL bundle, which includes the updated CodeQL CLI, and check out your codebase at the Git reference you want to analyze. After analyzing your codebase with codeql database create ... and codeql database analyze ..., you can use the new codeql github upload-results command to upload the SARIF file with scanning results back to GitHub Code Scanning.

codeql github upload-results currently works for one language at a time and can replace the current workflow of codeql-runner init / build / codeql-runner analyze when a single language is being analyzed.

If you want to analyze more than one language at a time, or to integrate CodeQL as a separate step into your existing CI workflow, you can continue to use the CodeQL Runner.

The new codeql github upload-results command is available starting with version 2.4.5 of the CodeQL CLI. The CodeQL bundle includes both the CodeQL CLI and a compatible set of queries.
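The create / analyze / upload-results sequence described above, written as a job script for a third-party CI system. This is an added example, not GitHub's own code; it assumes CODEQL_BUNDLE points at the unpacked bundle, that the CI system provides GITHUB_TOKEN and GITHUB_REPOSITORY (owner/name), and that the commit to analyze is already checked out in the working directory.

```shell
#!/bin/sh
# Added example (not GitHub's code): build a CodeQL database, analyze it, and
# upload the SARIF with `codeql github upload-results` (CodeQL CLI 2.4.5+).
# Assumed environment: CODEQL_BUNDLE (bundle directory), GITHUB_TOKEN and
# GITHUB_REPOSITORY (owner/name) set by the CI system, repo checked out in `.`.

# Code Scanning attaches results to a fully qualified ref (refs/heads/main,
# refs/pull/42/merge); a bare branch name from the CI system is expanded here.
codeql_ref() {
  case "$1" in
    refs/*) printf '%s\n' "$1" ;;
    *)      printf 'refs/heads/%s\n' "$1" ;;
  esac
}

# Execute one step, or only print it when DRY_RUN=1 (handy for pipeline review).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One language per invocation, matching the current upload-results limitation.
scan_and_upload() {
  lang="$1"; ref="$2"; sha="$3"
  codeql="${CODEQL_BUNDLE:-/opt/codeql}/codeql"
  db="codeql-db-$lang"
  sarif="results-$lang.sarif"
  run "$codeql" database create "$db" --language="$lang" --source-root=. || return 1
  run "$codeql" database analyze "$db" "$lang-code-scanning.qls" \
      --format=sarif-latest --output="$sarif" || return 1
  # The token is passed on stdin, so it never appears in argv or in CI logs.
  printf '%s' "${GITHUB_TOKEN:-}" |
  run "$codeql" github upload-results --sarif="$sarif" \
      --repository="${GITHUB_REPOSITORY:?set to owner/name}" \
      --ref="$ref" --commit="$sha" --github-auth-stdin
}

# Usage: ci-codeql.sh <language> <branch-or-ref> <commit-sha>
if [ "$#" -ge 3 ]; then
  scan_and_upload "$1" "$(codeql_ref "$2")" "$3"
fi
```

Run it once with DRY_RUN=1 in a new pipeline to confirm the exact commands, ref and commit before letting it talk to GitHub.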

GitHub Advanced Security customers can now view their active committer count and the remaining number of unused committer seats on their organization or enterprise account’s Billing page. If Advanced Security is purchased for an enterprise, administrators can also view the active committer seats which are being used by other organizations within their enterprise.

Screenshot of Advanced Security committer counts in the Billing page

If the active committer count exceeds the number of purchased committer licences, Repository Admins will no longer be able to enable Advanced Security for additional repositories and will need to purchase new Advanced Security seats or disable Advanced Security elsewhere before being allowed to proceed.

If Advanced Security is purchased for an enterprise, Enterprise Administrators can now ensure a gradual roll-out of GitHub Advanced Security by setting which organizations can enable Advanced Security (on the Settings page). Enterprise Administrators can choose to allow repositories for all organizations, specific organizations, or no organizations to enable Advanced Security.

Screenshot of Advanced Security policy settings in the Billing page

If Advanced Security is disabled for an organization or repository, admin users will not be able to enable Advanced Security and will be informed that this is because of a policy setting for the organization.

Screenshot of Advanced Security disabled due to a policy setting

These changes help billing administrators track their usage of Advanced Security against how many committer licences have been purchased, and enable Enterprise Administrators to manage and control the use of Advanced Security across organizations and repositories.

For more information please see documentation about GitHub Advanced Security licensing and viewing your GitHub Advanced Security usage.

This functionality is now available to GitHub Enterprise Cloud customers, and will also be part of GitHub Enterprise Server 3.1 (which is due to be released in Q2).


CodeQL now supports more libraries and frameworks for a variety of languages (C++, JavaScript, Python, Java, Go). The CodeQL engine can now detect more sources of untrusted user data, which improves the quality and depth of the code scanning alerts. The libraries and frameworks that have been added and improved are listed below.

C/C++

JavaScript and TypeScript

Python

Java

Go

Support for these libraries and frameworks has been deployed to GitHub.com. These improvements will also be available in GitHub Enterprise Server 3.1, which is due to be released in Q2.
Learn more about CodeQL and code scanning.
