Seamlessly integrate GitHub's powerful CodeQL scanning engine directly into your VS Code workflow. Detect vulnerabilities, find security flaws, and improve code quality without leaving your editor.
- 🛡️ Instant Security Analysis: Scan your code for vulnerabilities directly from VSCode
- 🔄 Real-Time Feedback: Get immediate security insights as you code
- 📊 Rich Result Visualization: View detailed vulnerability reports with syntax highlighting and data flow paths
- 🌊 Data Flow Analysis: Trace security issues from source to sink with intuitive navigation
- 🔄 GitHub Integration: Connect to GitHub for enhanced scanning capabilities and team collaboration
- ⚙️ Flexible Configuration: Choose between local and remote scanning options to suit your workflow
- 🧰 Multi-Language Support: Analyze JavaScript, TypeScript, Python, Java, C#, C/C++, Go, Ruby, Swift, Kotlin, and other languages
- 📜 Custom Extractors: Supports custom CodeQL extractors
- Install the extension from the VS Code Marketplace
- Configure your GitHub token (optional, for enhanced features)
- Open any code repository
- Run a scan using the command palette (`Ctrl+Shift+P` or `Cmd+Shift+P`): `CodeQL: Run Scan`
- CodeQL CLI: The extension requires the CodeQL CLI to be installed and available on your system PATH
  - Download the latest release for your platform from the CodeQL CLI releases page
  - Extract the archive and add the `codeql` binary to your system PATH
  - Verify the installation by running `codeql --version` in your terminal
- GitHub Personal Access Token: For GitHub integration features, a GitHub token with appropriate permissions is required
  - Create a token at GitHub Settings > Developer settings > Personal access tokens
  - Required permissions: `repo`, `read:org` (for organization repositories), `security_events` (for security alerts)
  - Store the token securely in your extension settings
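The following pre-flight script is an added example and is not part of the extension or the CodeQL CLI. It checks the three prerequisites listed above and the token setting from the configuration snippet: that `codeql` is on PATH and reports a parseable version, that a token carries the required `repo`, `read:org` and `security_events` scopes (read from the `X-OAuth-Scopes` response header GitHub returns for classic personal access tokens), and that the `codeql-scanner.github.token` value is not sitting as a literal in a workspace `.vscode/settings.json` that could be committed. The sample settings body and scope header are constructed inline so the script runs offline; the script assumes a plain-JSON settings file (VS Code also accepts comments, which `json.loads` does not).

```python
"""Pre-flight check for the CodeQL scanner extension's prerequisites.

Added example, not part of the extension. Verifies the CodeQL CLI, the
token's scopes and that the token is not stored in a committable file.
"""
import json
import re
import shutil
import subprocess

# Scopes the README lists as required for GitHub integration.
REQUIRED_SCOPES = {"repo", "read:org", "security_events"}
# Settings key taken from the README's configuration snippet.
TOKEN_KEY = "codeql-scanner.github.token"


def parse_codeql_version(output):
    """Extract an X.Y.Z version from `codeql --version` output, or None."""
    match = re.search(r"\b(\d+\.\d+\.\d+)\b", output)
    return match.group(1) if match else None


def find_codeql_cli():
    """Return (path, version) for the codeql binary on PATH, or (None, None)."""
    path = shutil.which("codeql")
    if path is None:
        return None, None
    result = subprocess.run([path, "--version"], capture_output=True,
                            text=True, check=False)
    return path, parse_codeql_version(result.stdout)


def missing_scopes(oauth_scopes_header):
    """Return the required scopes absent from a comma-separated
    X-OAuth-Scopes header value (GitHub sends this for classic PATs)."""
    granted = {s.strip() for s in oauth_scopes_header.split(",") if s.strip()}
    return sorted(REQUIRED_SCOPES - granted)


def plaintext_token_in_settings(settings_text):
    """True if a settings.json body holds a non-empty literal token.

    Assumes plain JSON (no JSONC comments). A literal token in the
    workspace's .vscode/settings.json is at risk of being committed.
    """
    settings = json.loads(settings_text)
    value = settings.get(TOKEN_KEY, "")
    return isinstance(value, str) and value.strip() != ""


def preflight(settings_text, oauth_scopes_header):
    """Collect human-readable problems; an empty list means all checks passed."""
    problems = []
    path, version = find_codeql_cli()
    if path is None:
        problems.append("codeql not found on PATH")
    elif version is None:
        problems.append("could not parse `codeql --version` output")
    for scope in missing_scopes(oauth_scopes_header):
        problems.append(f"token lacks required scope: {scope}")
    if plaintext_token_in_settings(settings_text):
        problems.append(f"{TOKEN_KEY} holds a literal token in this settings "
                        "file; keep it in user settings, not the workspace")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs (placeholder token, partial scope list).
    SAMPLE_SETTINGS = '{"codeql-scanner.github.token": "ghp_PLACEHOLDER_VALUE"}'
    SAMPLE_SCOPES_HEADER = "repo, read:org"
    for problem in preflight(SAMPLE_SETTINGS, SAMPLE_SCOPES_HEADER):
        print("WARN:", problem)
```

Run it with the sample inputs to see the warnings for a missing `security_events` scope and a literal token in the workspace settings; replace the constructed values with the real `X-OAuth-Scopes` header from an authenticated `GET /user` call and the contents of your workspace settings file to check a real setup.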
| Command | Description |
|---|---|
| `CodeQL: Run Scan` | Start a security scan on the current workspace |
| `CodeQL: Initialize Repository` | Set up CodeQL for the current repository |
| `CodeQL: Run Analysis` | Execute a full code analysis |
| `CodeQL: Configure Settings` | Open the extension settings |
| `CodeQL: Show Logs` | View the extension's log output |
| `CodeQL: Clear Logs` | Clear all log entries |
| `CodeQL: Clear Inline Diagnostics` | Remove inline problem markers |
| `CodeQL: Show CLI Information` | Display information about the CodeQL CLI |
| `CodeQL: Copy Flow Path` | Copy a vulnerability's data flow path to the clipboard |
| `CodeQL: Navigate Flow Steps` | Step through vulnerability data flow paths |
The extension provides several configuration options to customize its behavior:

```json
{
  "codeql-scanner.github.token": "your-github-token"
}
```

CodeQL is GitHub's semantic code analysis engine that lets you query code as if it were data. This extension brings that power directly into VS Code, allowing you to:
- Detect potential security vulnerabilities early in development
- Understand complex security issues with clear data flow visualization
- Integrate advanced security scanning into your daily coding workflow
- Improve code quality with actionable insights
Connect the extension to GitHub for enhanced capabilities:
- Access GitHub's vast CodeQL query library
- Synchronize with your GitHub repositories
- View and manage GitHub code scanning alerts
Want to contribute? Great! You can:
- Clone the repository: `git clone https://github.com/geekmasher/codeql-scanner-vscode.git`
- Install dependencies: `npm install`
- Build the extension: `npm run compile`
- Run tests: `npm run test`
This project is licensed under the terms specified in the LICENSE file.
- Built on GitHub's powerful CodeQL engine
- Inspired by the need for accessible security tools for all developers
Happy Secure Coding! 🔒✨