codeql — 5dlabs/cto

CodeQL Static Analysis

When to Use CodeQL

Ideal scenarios:

  • Access to the source code, with the ability to build it (required for compiled languages)
  • Open-source projects, or a GitHub Advanced Security license
  • A need for interprocedural data-flow and taint-tracking analysis
  • Finding complex vulnerabilities that require AST- or CFG-level analysis
  • Comprehensive security audits where analysis time is not critical

Consider Semgrep instead when:

  • No way to build the compiled-language code under analysis
  • CodeQL licensing constraints
  • A need for fast, lightweight pattern matching
  • Simple, single-file analysis is sufficient

Why Interprocedural Analysis Matters

Installs: 3
Repository: 5dlabs/cto
First seen: Jan 24, 2026