When integrating CodeQL outside of GitHub Actions (e.g., in Jenkins, CircleCI):

Install the CLI: Needed to run CodeQL commands.

Analyze code: Perform the CodeQL analysis on your project with the CLI.

Upload scan results: Export the results in SARIF format and use GitHub’s API to upload them to your repo’s security tab.

You don’t need to write custom queries unless extending functionality. “Processing alerts” happens after GitHub receives the results.

A security policy is defined by a SECURITY.md file in the root of your repository or .github/ directory. This file informs contributors and security researchers about how to responsibly report vulnerabilities. It improves your project’s transparency and ensures timely communication and mitigation of any reported issues.

Adding this file also enables a “Report a vulnerability” button in the repository’s Security tab.

By default, no repositories receive Dependabot alerts unless configuration is explicitly enabled. GitHub does not enable Dependabot alerts automatically for any repositories unless:

The feature is turned on manually

It's configured at the organization or enterprise level via security policies

This includes public, private, and enterprise-owned repositories — manual activation is required.

In a query suite (a .qls file), the **query** key is used to specify the paths to one or more .ql files that should be included in the suite.

Example:

- query: path/to/query.ql

qls is the file format.

qlpack is used for packaging queries, not in suite syntax.

Query suite definitions in CodeQL are stored using the .qls file extension. A query suite defines a collection of queries to be run during an analysis and allows for grouping them based on categories like language, security relevance, or custom filters.

In contrast:

.ql files are individual queries.

.qll files are libraries used by .ql queries.

.yml is used for workflows, not query suites.

To ensure you're notified whenever a vulnerability is detected via Dependabot, you must enable alerts for Dependabot in your personal notification settings. This applies to both new and existing repositories. It ensures you get timely alerts about security vulnerabilities.

The dependency graph must be enabled for scanning, but does not send alerts itself.

For compiled languages, CodeQL performs extraction by monitoring the normal build process. This means it watches your usual build commands (like make, javac, or dotnet build) and extracts the relevant data from the actual build steps being executed. CodeQL uses this information to construct a semantic database of the application.

This approach ensures that CodeQL captures a precise, real-world representation of the code and its behavior as it is compiled, including platform-specific configurations or conditional logic used during build.