I am trying to use CodeQL analysis and need information on a few things:

  1. Can I use codeql in bitbucket or any other git repository hosting service?
  2. Difference between codeql runner and codeql CLI?
Please review the CodeQL license for the specific places you can run CodeQL for free (CodeQL License - OSS version - GitHub Security Lab). If you're looking to analyze your private repository code, then please contact the GitHub sales team for more information (Contact us - GitHub Enterprise).

The CodeQL runner is a wrapper around the CodeQL CLI. It’s designed to be used for simple integration into a CI/CD system, whereas the CodeQL CLI is designed for interactive analysis and query development purposes.

I have a similar issue: I want to use CodeQL and I'm working in a commercial setup that prevents me from uploading code to GitHub. I tried contacting the GitHub sales team, but was only offered solutions using GitHub Enterprise Advanced Security, although I clearly stated that I cannot upload any code to GitHub and that I'm not interested in anything else but CodeQL licensing. I queried again and asked to make a license available, but my sales contact is unresponsive and refuses to escalate this matter internally or to connect me to the CodeQL team to find a solution.
Maybe someone here can help me:

  1. I want to use CodeQL to analyze code as part of security analyses/reviews
  2. I do not own the code, but I am contracted to analyze it and have the code owners' permission to do so.
  3. I cannot upload this code to github or any other online storage.
  4. I want to use CodeQL to define security queries. Thus I need a license allowing me to use the CLI for DB creation and then use CodeQL in VSCode for queries. Nothing more and nothing less, I only want to evaluate and use CodeQL technology.
  5. This is not private but commercial use, thus I need a commercial license. So far the GitHub sales team refuses to offer one that does not enforce uploading and hosting via GitHub Enterprise. This is not possible with sensitive code and in my setup.

Can anyone name a contact that is able to help? I really don’t want to violate license terms, so this lack of availability of a license option is currently a blocker.

Hi @mkacymo, thanks for your interest in CodeQL. I’m working as a CodeQL developer. While I don’t have the knowledge to answer your question directly, I’ll try to find the right people that can :blush:

Hello @mkacymo, I'd be happy to help you with your request.

My direct email is ########at github dot com; if you can drop me an email, I'll talk you through how we can support your requirements.

Hi @rasmusWL, thanks for connecting me to Niroshan. He’s now supporting me.
Nevertheless there is still one big issue, where you could support:
For some reason the sales representatives seem to consider that CodeQL can only be used in combination with GitHub hosting. Is there a misconception on my or their side? You could support here by clarifying if there is any technical obstacle in using CodeQL in a 100% offline setup (isolated lab), where the code never leaves the controlled local infrastructure. To my understanding there is nothing preventing this, but the lack of license availability for this use case in a commercial setup. Did I miss any technical obstacles?

Hi @mkacymo. On a technical level, CodeQL (CLI, VS Code extension, and such) can be used in a 100% offline setup.
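As an added example that is not part of the thread and is not GitHub's own tooling: a small POSIX shell wrapper for the CLI-only, offline workflow described above (database creation with the CLI, analysis with the query packs that ship inside the CodeQL bundle, results written to local disk, the same database then usable from VS Code for custom queries). The install path `/opt/codeql`, the project paths, the build command and the use of the `codeql/python-queries` pack are assumptions made for illustration; `DRY_RUN=1` prints the exact commands without needing the CLI installed.

```shell
#!/bin/sh
# Added example (not from the thread): an offline CodeQL workflow driven by the
# CLI alone. Assumes the CodeQL bundle (CLI plus the standard query packs, as
# published on the github/codeql-action releases page) has been copied into
# the isolated lab and unpacked under $CODEQL_HOME. Paths and pack names below
# are constructed for illustration.

CODEQL_HOME="${CODEQL_HOME:-/opt/codeql}"   # assumed unpack location of the bundle
CODEQL="${CODEQL_HOME}/codeql"
DRY_RUN="${DRY_RUN:-0}"                     # DRY_RUN=1 prints commands instead of running them

# run_or_print CMD ARGS...: execute the command, or echo it when DRY_RUN=1.
# (The echoed form joins arguments with spaces; when executed, "$@" keeps
# arguments such as a build command with spaces intact.)
run_or_print() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# preflight PACK: fail early if the CLI is missing or PACK is not resolvable
# from the local bundle. 'codeql resolve qlpacks' lists the packs found on
# disk, so a hit here means the analysis will not need the package registry.
preflight() {
    [ "$DRY_RUN" = "1" ] && return 0
    [ -x "$CODEQL" ] || { echo "codeql CLI not found at $CODEQL" >&2; return 1; }
    "$CODEQL" version --format=terse >/dev/null || return 1
    "$CODEQL" resolve qlpacks | grep -q "$1" \
        || { echo "query pack $1 is not in the local bundle" >&2; return 1; }
}

# create_db DB_DIR LANGUAGE SOURCE_ROOT [BUILD_COMMAND]
# Compiled languages (cpp, java, csharp, go, swift) need a build command that
# CodeQL can observe; interpreted ones (python, javascript, ruby) do not.
# The database is written to DB_DIR on local disk; nothing is uploaded.
create_db() {
    db="$1"; lang="$2"; src="$3"; build="${4:-}"
    if [ -n "$build" ]; then
        run_or_print "$CODEQL" database create "$db" \
            --language="$lang" --source-root="$src" --command="$build"
    else
        run_or_print "$CODEQL" database create "$db" \
            --language="$lang" --source-root="$src"
    fi
}

# analyze_db DB_DIR PACK_OR_SUITE OUT_SARIF: run the bundled queries against
# the database and write SARIF locally. The same DB_DIR can afterwards be
# opened in the VS Code extension for writing and running custom queries.
analyze_db() {
    run_or_print "$CODEQL" database analyze "$1" "$2" \
        --format=sarif-latest --output="$3"
}

# Example invocation on a constructed Python checkout (no build step needed).
# Runs only when the CLI is installed, or when DRY_RUN=1 to show the commands.
if [ "$DRY_RUN" = "1" ] || [ -x "$CODEQL" ]; then
    preflight codeql/python-queries &&
    create_db ./target-db python ./target-src &&
    analyze_db ./target-db codeql/python-queries ./results.sarif
fi
```

The point of using the bundle rather than a bare CLI download is that the bundle carries the standard query packs on disk; a bare CLI asked to analyze with `codeql/python-queries` tries to download the pack from the registry on first use, which an air-gapped lab must avoid. For query development, the VS Code extension can be installed from its `.vsix` file, pointed at the local CLI through its `codeQL.cli.executablePath` setting, and then given the `./target-db` directory created above as a database.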

