Introducing the CodeQL package manager (public beta)

The CodeQL package manager is now available in public beta on GitHub.com. CodeQL packages can contain CodeQL queries and CodeQL libraries — and of course you can express dependencies between packs. You can upload your packs to the package registry on GitHub.com, and CodeQL will automatically fetch any required dependencies when running queries from a pack. This makes it simple to create and share CodeQL queries and libraries!

CodeQL packs of course also integrate with GitHub code scanning (example below). Alternatively, you can use packs using the CodeQL CLI (version 2.6.0-beta.1 and up) on your local machine. More documentation about CodeQL packs can be found here.

Integrating CodeQL packs into GitHub code scanning workflows

You can integrate CodeQL packs into GitHub code scanning workflows by specifying that you want to run the CodeQL 2.6.0 beta version, and then specify the pack(s) you'd like to run. For example:

 - uses: github/codeql-action/init@v1
   with:
     tools: https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.6.0-beta.1
     packs: codeql/csharp-queries1@~1.2.3, octo-org/csharp-security

Alternatively, you can select CodeQL packs by specifying a list of package references in the packs section of your CodeQL configuration file. For example:

     - queries/DeadCodeCondition.ql
     - queries/GlobalUseBeforeInit.qls
   packs:
     - codeql/csharp-queries@~1.2.3  # latest version compatible with 1.2.3
     - octo-org/csharp-security      # latest version 

For more information, see Configuring code scanning.

Standard CodeQL packs

All of our own CodeQL queries and libraries are now also released as CodeQL packs at github.com/codeql.

For each language there is a query pack containing all CodeQL queries for that language (from our open source repository). These packs are named codeql/<language>-queries. For example, the CodeQL pack containing the standard C/C++ queries is called codeql/cpp-queries.

We've also released packs with all CodeQL standard libraries for each language. These packs are named codeql/<language>-all (e.g. codeql/cpp-all). If you're writing your own query pack, you'll likely want to express a dependency on the CodeQL standard libraries for that language.

CodeQL pack visibility

You can choose the permission levels required for users to view and access your CodeQL packs. Currently, all CodeQL packs default to Internal and should manually be set to Public. If you want to make your CodeQL pack visible to everyone, go to the settings section of the package and Change package visibility to Public.

Downloading CodeQL packs

All CodeQL packs can be downloaded and installed using the CodeQL CLI. You do not need to use the docker pull command shown on the package page. For more information, see Publishing and using CodeQL packs.

For more information, see About CodeQL packs.

In June, we announced that security alert notifications are opt-in on a per-repository basis, using the repository's watch settings. Today, we have updated security alert digest emails to also respect these settings.

If you are no longer receiving digest emails for a repository and want to, please update your notification subscription settings on that repo to include Security Alerts.

See more