🔍 Supercharge Your Code Security with CodeQL
Seamlessly integrate GitHub's powerful CodeQL scanning engine directly into your VS Code workflow. Detect vulnerabilities, find security flaws, and improve code quality without leaving your editor.
[!NOTE]
This is not an offical GitHub project
✨ Key Features
- 🛡️ Instant Security Analysis: Scan your code for vulnerabilities directly from VSCode
- 🔄 Real-Time Feedback: Get immediate security insights as you code
- 📊 Rich Result Visualization: View detailed vulnerability reports with syntax highlighting and data flow paths
- 🌊 Data Flow Analysis: Trace security issues from source to sink with intuitive navigation
- 🔄 GitHub Integration: Connect to GitHub for enhanced scanning capabilities and team collaboration
- ⚙️ Flexible Configuration: Choose between local and remote scanning options to suit your workflow
- 🧰 Multi-Language Support: Analyze JavaScript, TypeScript, Python, Java, C#, C/C++, Go, Ruby, Swift, Kotlin, and others code
- 📜 Custom Extractors: Supports custom CodeQL extractors
🚀 Getting Started
- Install the extension from the VS Code Marketplace
- Configure your GitHub token (optional for enhanced features)
- Open any code repository
- Run a scan using the command palette (
Ctrl+Shift+P
or Cmd+Shift+P
): CodeQL: Run Scan
📸 Showcase
Here are some screenshots showcasing the extension's capabilities:
CodeQL Scanner Scan and Alert Summary
CodeQL Scanner Configuration Menu / Settings
CodeQL Scanner Results Tree Viewer
📋 Prerequisites
CodeQL CLI: The extension requires the CodeQL CLI to be installed and available on your system PATH
- Download the latest release for your platform from the CodeQL CLI releases page
- Extract the archive and add the
codeql
binary to your system PATH
- Verify installation by running
codeql --version
in your terminal
GitHub Personal Access Token: For GitHub integration features, a GitHub token with appropriate permissions is required
📋 Available Commands
Command |
Description |
CodeQL: Run Scan |
Start a security scan on the current workspace |
CodeQL: Initialize Repository |
Set up CodeQL for the current repository |
CodeQL: Run Analysis |
Execute a full code analysis |
CodeQL: Configure Settings |
Open the extension settings |
CodeQL: Show Logs |
View the extension's log output |
CodeQL: Clear Logs |
Clear all log entries |
CodeQL: Clear Inline Diagnostics |
Remove inline problem markers |
CodeQL: Show CLI Information |
Display information about the CodeQL CLI |
CodeQL: Copy Flow Path |
Copy vulnerability data flow path to clipboard |
CodeQL: Navigate Flow Steps |
Step through vulnerability data flow paths |
⚙️ Configuration Options
The extension provides several configuration options to customize its behavior:
{
"codeql-scanner.github.token": "your-github-token"
}
💡 Why CodeQL Scanner?
CodeQL is GitHub's semantic code analysis engine that lets you query code as if it were data. This extension brings that power directly into VS Code, allowing you to:
- Detect potential security vulnerabilities early in development
- Understand complex security issues with clear data flow visualization
- Integrate advanced security scanning into your daily coding workflow
- Improve code quality with actionable insights
🔗 Integration with GitHub
Connect the extension to GitHub for enhanced capabilities:
- Access GitHub's vast CodeQL query library
- Synchronize with your GitHub repositories
- View and manage GitHub code scanning alerts
🛠️ Development
Want to contribute? Great! You can:
- Clone the repository:
git clone https://github.com/geekmasher/codeql-scanner-vscode.git
- Install dependencies:
npm install
- Build the extension:
npm run compile
- Run tests:
npm run test
📜 License
This project is licensed under the terms specified in the LICENSE file.
🙏 Acknowledgements
- Built on GitHub's powerful CodeQL engine
- Inspired by the need for accessible security tools for all developers
Happy Secure Coding! 🔒✨