Seamlessly integrate GitHub's powerful CodeQL scanning engine directly into your VS Code workflow. Detect vulnerabilities, find security flaws, and improve code quality without leaving your editor.
Note
This is not an offical GitHub project
- 🛡️ Instant Security Analysis: Scan your code for vulnerabilities directly from VSCode
- 🔄 Real-Time Feedback: Get immediate security insights as you code
- 📊 Rich Result Visualization: View detailed vulnerability reports with syntax highlighting and data flow paths
- 🌊 Data Flow Analysis: Trace security issues from source to sink with intuitive navigation
- 🔄 GitHub Integration: Connect to GitHub for enhanced scanning capabilities and team collaboration
- ⚙️ Flexible Configuration: Choose between local and remote scanning options to suit your workflow
- 🧰 Multi-Language Support: Analyze JavaScript, TypeScript, Python, Java, C#, C/C++, Go, Ruby, Swift, Kotlin, and others code
- 📜 Custom Extractors: Supports custom CodeQL extractors
- Install the extension from the VS Code Marketplace
- Configure your GitHub token (optional for enhanced features)
- Open any code repository
- Run a scan using the command palette (
Ctrl+Shift+PorCmd+Shift+P):CodeQL: Run Scan
Here are some screenshots showcasing the extension's capabilities:
CodeQL Scanner Scan and Alert Summary
CodeQL Scanner Configuration Menu / Settings
CodeQL Scanner Results Tree Viewer
-
CodeQL CLI: The extension requires the CodeQL CLI to be installed and available on your system PATH
- Download the latest release for your platform from the CodeQL CLI releases page
- Extract the archive and add the
codeqlbinary to your system PATH - Verify installation by running
codeql --versionin your terminal
-
GitHub Personal Access Token: For GitHub integration features, a GitHub token with appropriate permissions is required
- Create a token at GitHub Settings > Developer settings > Personal access tokens
- Required permissions:
repo,read:org(for organization repositories),security_events(for security alerts) - Store the token securely in your extension settings
| Command | Description |
|---|---|
CodeQL: Run Scan |
Start a security scan on the current workspace |
CodeQL: Initialize Repository |
Set up CodeQL for the current repository |
CodeQL: Run Analysis |
Execute a full code analysis |
CodeQL: Configure Settings |
Open the extension settings |
CodeQL: Show Logs |
View the extension's log output |
CodeQL: Clear Logs |
Clear all log entries |
CodeQL: Clear Inline Diagnostics |
Remove inline problem markers |
CodeQL: Show CLI Information |
Display information about the CodeQL CLI |
CodeQL: Copy Flow Path |
Copy vulnerability data flow path to clipboard |
CodeQL: Navigate Flow Steps |
Step through vulnerability data flow paths |
The extension provides several configuration options to customize its behavior:
{
"codeql-scanner.github.token": "your-github-token"
}CodeQL is GitHub's semantic code analysis engine that lets you query code as if it were data. This extension brings that power directly into VS Code, allowing you to:
- Detect potential security vulnerabilities early in development
- Understand complex security issues with clear data flow visualization
- Integrate advanced security scanning into your daily coding workflow
- Improve code quality with actionable insights
Connect the extension to GitHub for enhanced capabilities:
- Access GitHub's vast CodeQL query library
- Synchronize with your GitHub repositories
- View and manage GitHub code scanning alerts
Want to contribute? Great! You can:
- Clone the repository:
git clone https://github.com/geekmasher/codeql-scanner-vscode.git - Install dependencies:
npm install - Build the extension:
npm run compile - Run tests:
npm run test
This project is licensed under the terms specified in the LICENSE file.
- Built on GitHub's powerful CodeQL engine
- Inspired by the need for accessible security tools for all developers
Happy Secure Coding! 🔒✨