The latest release of the CodeQL CLI supports creating CodeQL databases for multiple languages in a single command. This makes it easier for customers using CI/CD systems other than GitHub Actions to run code scanning analysis. Previously, these users had to use the separate CodeQL Runner. The Runner will continue to be available, but the recommended way to handle multiple languages in your codebase is to use the CodeQL CLI directly.
To use this new option:
- Download the updated CodeQL bundle, which includes the updated CodeQL CLI.
- Check out your codebase at the Git reference you want to analyze.
- Create CodeQL databases for the supported languages in your codebase using `codeql database create`. You need to specify a parent directory for the databases using the `--db-cluster` option, and the `-l` option for each language you want to create a database for.
After creating the databases, you must run `codeql database analyze` separately for each language. Use the `--sarif-category` option, setting a different value for each language. Specifying this option lets code scanning know that each SARIF file it receives from these analyses should be retained. Similarly, you must also run `codeql github upload-results` separately for the SARIF file generated by each analysis.
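The three steps above as one CI script, added here as an example and not part of the original announcement. It assumes the `codeql` binary from the bundle is on PATH, that `--db-cluster` places each database in a subdirectory named after its language under the parent directory, and that the CI system exports `GITHUB_TOKEN`, `GITHUB_REPOSITORY`, `GITHUB_REF` and `GITHUB_SHA`.

```shell
#!/bin/sh
# Added example, not from the original changelog: the three-step CodeQL CLI flow
# for a checkout that contains several languages. Assumes `codeql` from the
# CodeQL bundle is on PATH (override with CODEQL=...), that --db-cluster places
# each database in a subdirectory named after its language, and that the CI
# system exports GITHUB_TOKEN, GITHUB_REPOSITORY, GITHUB_REF and GITHUB_SHA.
set -e

CODEQL="${CODEQL:-codeql}"
DB_ROOT="${DB_ROOT:-codeql-dbs}"      # parent directory passed to --db-cluster
SARIF_DIR="${SARIF_DIR:-sarif-out}"

# Step 1: one `database create` builds a database for every language given
# with -l, all under the --db-cluster parent directory.
create_databases() {                 # create_databases <db-root> <lang>...
    root="$1"; shift
    langs="$*"
    set -- "$root" --db-cluster
    for l in $langs; do set -- "$@" -l "$l"; done
    "$CODEQL" database create "$@"
}

# Step 2: analyze each database separately; a distinct --sarif-category per
# language tells code scanning to retain every uploaded SARIF file instead of
# treating the next upload as a replacement for the previous one.
analyze_language() {                 # analyze_language <db-root> <lang> <sarif-file>
    "$CODEQL" database analyze "$1/$2" --format=sarif-latest \
        --sarif-category="$2" --output="$3"
}

# Step 3: upload each SARIF file in its own `github upload-results` call.
upload_results() {                   # upload_results <sarif-file>
    printf '%s' "${GITHUB_TOKEN:-}" | "$CODEQL" github upload-results \
        --sarif="$1" --repository="$GITHUB_REPOSITORY" \
        --ref="$GITHUB_REF" --commit="$GITHUB_SHA" --github-auth-stdin
}

# Driver: sh codeql-multi.sh javascript python   (run from the checked-out ref)
main() {
    mkdir -p "$SARIF_DIR"
    create_databases "$DB_ROOT" "$@"
    for lang in "$@"; do
        analyze_language "$DB_ROOT" "$lang" "$SARIF_DIR/$lang.sarif"
        upload_results "$SARIF_DIR/$lang.sarif"
    done
}
if [ $# -gt 0 ]; then main "$@"; fi
```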
For more information about setting up the CodeQL CLI with your CI system, see "Running CodeQL CLI in your CI system."
The new `codeql database create` option for creating databases for multiple languages in a single command is available in CodeQL 2.5.6 and later. The CodeQL bundle includes both the CodeQL CLI and a compatible set of queries.