Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub. For more information, see "About code scanning."
You can run CodeQL code scanning within GitHub using actions. Alternatively, if you use a third-party continuous integration or continuous delivery/deployment (CI/CD) system, you can run CodeQL analysis in your existing system and upload the results to GitHub.
You add the CodeQL CLI or the CodeQL runner to your third-party system, then call the tool to analyze code and upload the SARIF results to GitHub. The resulting code scanning alerts are shown alongside any alerts generated within GitHub.
Note: Uploading SARIF data to display as code scanning results in GitHub is supported for organization-owned repositories with GitHub Advanced Security enabled, and public repositories on GitHub.com. For more information, see "Managing security and analysis settings for your repository."
The CodeQL CLI is a standalone product that you can use to analyze code. Its main purpose is to generate a database representation of a codebase, a CodeQL database. Once the database is ready, you can query it interactively, or run a suite of queries to generate a set of results in SARIF format and upload the results to GitHub.
The CodeQL runner is a command-line tool that uses the CodeQL CLI to analyze code and upload the results to GitHub. It mimics the analysis that runs natively within GitHub using actions. The runner can integrate with more complex build environments than the CLI, but that flexibility makes it harder and more error-prone to set up, and harder to debug when something goes wrong. In general, use the CodeQL CLI directly unless it does not support your use case.
Use the CodeQL CLI to analyze:
- Codebases with a compiled language that can be built with a single command or by running a single script.
For more information, see "Running CodeQL CLI in your CI system."
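The three CLI steps described above (create the database, run the code-scanning query suite to produce SARIF, upload the SARIF to GitHub) as a job script for a third-party CI system. This is an added example, not a script from the page or from GitHub; it assumes `codeql` is on `PATH` with the `<language>-code-scanning.qls` suites resolvable by name (for example via `--search-path`), that the CI system exports `GITHUB_TOKEN` for the upload step, and the helper names `valid_ref`, `plan_scan` and `run_scan` and the variables `CODEQL`, `DB_DIR` and `SARIF_OUT` are this script's own.

```shell
#!/usr/bin/env sh
# Added example (not the page's own script): drive the CodeQL CLI from a
# third-party CI job. Assumes "codeql" is on PATH with the code-scanning
# query suites resolvable by name (e.g. via --search-path), and that the CI
# system exports GITHUB_TOKEN for the upload step.
set -eu

CODEQL="${CODEQL:-codeql}"
DB_DIR="${DB_DIR:-codeql-db}"
SARIF_OUT="${SARIF_OUT:-results.sarif}"

# upload-results needs a full ref such as refs/heads/main or
# refs/pull/42/merge; a bare branch name would misattribute the alerts.
valid_ref() {
    case "$1" in
        refs/heads/*|refs/tags/*|refs/pull/*/merge|refs/pull/*/head) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the three CLI invocations, one per line, so they can be reviewed
# (or dry-run) before anything executes.
#   $1 language  $2 owner/repo  $3 full ref  $4 commit SHA
#   $5 build command (omit for interpreted languages such as javascript)
plan_scan() {
    lang="$1"; repo="$2"; ref="$3"; sha="$4"; build="${5:-}"
    valid_ref "$ref" || { echo "refusing to upload: '$ref' is not a full ref" >&2; return 1; }
    if [ -n "$build" ]; then
        echo "$CODEQL database create $DB_DIR --language=$lang --source-root=. --command='$build'"
    else
        echo "$CODEQL database create $DB_DIR --language=$lang --source-root=."
    fi
    echo "$CODEQL database analyze $DB_DIR ${lang}-code-scanning.qls --format=sarif-latest --output=$SARIF_OUT"
    echo "$CODEQL github upload-results --repository=$repo --ref=$ref --commit=$sha --sarif=$SARIF_OUT"
}

# Execute the plan; set -e aborts the job on the first failing step.
run_scan() {
    plan_scan "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        case "$cmd" in
            # Never upload a missing or empty log: require a SARIF "runs" array first.
            *" upload-results "*) grep -q '"runs"' "$SARIF_OUT" ;;
        esac
        eval "$cmd"
    done
}

# Run only when invoked with arguments, e.g. in the CI job:
#   sh codeql-ci.sh java my-org/my-app refs/heads/main "$COMMIT_SHA" "mvn -B package"
if [ "$#" -ge 4 ]; then
    run_scan "$@"
fi
```

For a compiled language the fifth argument is the single build command the CLI wraps; for an interpreted language leave it out and the CLI extracts the source directly. The ref check is worth keeping: `upload-results` attaches the alerts to the branch or pull request named by `--ref`, so a bare branch name either fails or puts the results in the wrong place.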
If your CI system needs to orchestrate the compiler invocations itself (for example, because the build cannot be expressed as a single command or script) in addition to running the CodeQL analysis, you must use the CodeQL runner.
For more information, see "Running CodeQL runner in your CI system."