
About CodeQL for VS Code

With the CodeQL extension, you can write, run, and test CodeQL queries inside Visual Studio Code.

About CodeQL for Visual Studio Code

You can run CodeQL queries on databases generated from source code, in order to find errors and security vulnerabilities in a codebase. For more information about CodeQL code scanning, see "About code scanning with CodeQL."

With the CodeQL for Visual Studio Code extension, you can:

  • Write custom CodeQL queries and supporting libraries.
  • Directly view and use the CodeQL security queries from the large, open-source github/codeql repository.
  • Run queries over one or more CodeQL databases.
  • Track the flow of data through a program, highlighting areas that are potential security vulnerabilities.
  • View, create, and edit all types of CodeQL packs of queries or libraries that you can use or publish to share with others.
  • Run unit tests for CodeQL queries.
  • Use a dedicated editor for viewing, creating, and editing CodeQL model packs, which are used to extend standard CodeQL analysis.

The CodeQL for Visual Studio Code extension also adds a CodeQL sidebar view to VS Code. This contains a list of local CodeQL databases, an overview of the queries that you have run in the current session, and a variant analysis view for large-scale analysis.
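The following query, added here as an illustration and not taken from this page or from the github/codeql repository, shows the shape of a file the extension runs and whose results it renders as data-flow paths (the "Track the flow of data" item above). It assumes a CodeQL database built from JavaScript source and the current module-based `DataFlow::ConfigSig` API; the query id, the alert message, and the choice of `eval` arguments as the sink are illustrative choices, not a standard query.

```ql
/**
 * Added example query: reports paths from untrusted HTTP input to an
 * argument of a global `eval` call. Metadata comments are what the
 * extension reads to decide how to display results; `path-problem`
 * makes it show each result as a source-to-sink path.
 *
 * @name Untrusted input reaches eval (example)
 * @description Finds taint paths from remote input to an eval argument.
 * @kind path-problem
 * @problem.severity error
 * @id js/example/taint-to-eval
 */

import javascript
// RemoteFlowSource models values an attacker controls (request params, bodies, ...).
import semmle.javascript.security.dataflow.RemoteFlowSources

// The configuration names sources and sinks; the library does the propagation.
module Config implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Assumed sink for this example: any argument of a call whose callee is named `eval`.
  predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(CallExpr c | c.getCalleeName() = "eval").getAnArgument()
  }
}

// Taint tracking (not just value-preserving data flow) so string
// concatenation and similar steps keep the path alive.
module Flow = TaintTracking::Global<Config>;

// Exposes the edges/nodes predicates the path viewer needs.
import Flow::PathGraph

from Flow::PathNode source, Flow::PathNode sink
where Flow::flowPath(source, sink)
select sink.getNode(), source, sink, "Untrusted input reaches eval()."
```

Save this as a `.ql` file inside a query pack that depends on `codeql/javascript-all`, select a JavaScript database in the CodeQL sidebar, and run the query; each result in the results view expands into the intermediate steps between the source and the `eval` argument.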

IntelliSense

The extension provides standard IntelliSense features for query files (extension .ql) and library files (extension .qll) that you open in the VS Code editor. These include:

  • Syntax highlighting
  • Right-click options (such as Go To Definition)
  • Autocomplete suggestions
  • Hover information

For more information about IntelliSense in VS Code, see IntelliSense in the Visual Studio Code documentation.

You can also use the VS Code Format Document command to format your code according to the CodeQL style guide.

The VS Code Command Palette

You can run commands for the CodeQL for Visual Studio Code extension from the VS Code Command Palette. For more information about the VS Code Command Palette, see "User Interface" in the VS Code documentation.

Data and telemetry

If you specifically opt in, GitHub collects usage data and metrics to help the core developers improve the CodeQL for Visual Studio Code extension. For more information, see "Telemetry in CodeQL for Visual Studio Code."

About the GitHub CodeQL license

License notice: If you don’t have a GitHub Enterprise license then, by installing this product, you are agreeing to the GitHub CodeQL Terms and Conditions.

GitHub CodeQL is licensed on a per-user basis. Under the license restrictions, you can use CodeQL to perform the following tasks:

  • To perform academic research.
  • To demonstrate the software.
  • To test CodeQL queries that are released under an OSI-approved License to confirm that new versions of those queries continue to find the right vulnerabilities.

Where "OSI-approved License" means an Open Source Initiative (OSI)-approved open source software license.

If you are working with an Open Source Codebase (that is, a codebase that is released under an OSI-approved License) you can also use CodeQL for the following tasks:

  • To perform analysis of the Open Source Codebase.
  • If the Open Source Codebase is hosted and maintained on GitHub.com, to generate CodeQL databases for or during automated analysis, continuous integration, or continuous delivery.

CodeQL can’t be used for automated analysis, continuous integration, or continuous delivery, whether as part of normal software engineering processes or otherwise, except in the express cases set forth herein, unless you have a license for GitHub Advanced Security.

Next steps

To learn about how to install the CodeQL for Visual Studio Code extension, see "Installing CodeQL for Visual Studio Code."