Technology Radar
Adopt

CodeQL is GitHub's semantic code analysis engine that treats code as a queryable database. Its March 2026 AI-powered detections expand coverage beyond the traditionally supported languages, and Copilot Autofix generates fixes for findings — closing alerts in 0.66 hours on average versus 1.29 hours without it.

Why It's in Adopt

If your team is on GitHub (most are), CodeQL is the obvious first SAST tool. Three reasons:

  1. Zero-friction deployment. Enable it in repository settings; no agents to install, no CI config to maintain. For open-source repos, it's free.
  2. Semantic analysis catches what pattern-matchers miss. CodeQL builds a relational database from your code's AST, then queries data flow and control flow paths. A tainted input flowing through three function calls to a SQL query? CodeQL traces that. Semgrep (pattern-based) would need you to write a rule for each intermediate step.
  3. The Copilot feedback loop is genuinely useful. When Copilot's coding agent writes code, CodeQL scans it automatically and Copilot Autofix proposes patches — before the PR is opened. This is the closest thing to "shift-left" that actually works in practice, because it catches issues when the context is fresh (GitHub blog, "Copilot Autofix").
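As an added example that is not part of the Radar entry or of GitHub's own query suite, the following custom CodeQL query expresses the "tainted input through several calls to a SQL query" check from point 2 in QL. It follows the shape of the standard library's Python SQL-injection query; the names `RemoteFlowSource`, `SqlExecution` and the module-style `TaintTracking::Global` API are assumed to match the current CodeQL Python library, and `safe_identifier` is a hypothetical project function.

```ql
/**
 * @name Untrusted input reaches a SQL query across function calls
 * @description Example taint-tracking query: remote input that passes through
 *              any number of calls before becoming the SQL string of a query.
 * @kind path-problem
 * @problem.severity error
 * @id example/sql-taint-across-calls
 */

import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.Concepts

// Shape of code this flags (constructed Python, three calls between source and sink):
//   name = request.args["user"]               # source: modelled as RemoteFlowSource
//   rows = lookup(name)                       # lookup() -> build_query() -> run_query()
//   def run_query(sql): cursor.execute(sql)   # sink: the SQL argument of SqlExecution
// A pattern rule on `$X.execute($QUERY)` sees only the last line and has no way to
// know whether `sql` was derived from `request.args`.

module SqlTaintConfig implements DataFlow::ConfigSig {
  // Any value the library models as arriving from a remote client.
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // The SQL-string argument of any modelled query-execution call.
  predicate isSink(DataFlow::Node sink) { sink = any(SqlExecution e).getSql() }

  // Extension point: stop tracking at calls to a hypothetical project helper
  // `safe_identifier(...)` that allowlists table/column names. This is where a
  // team encodes its own sanitisers instead of living with false positives.
  predicate isBarrier(DataFlow::Node node) {
    node.asCfgNode().(CallNode).getFunction().(NameNode).getId() = "safe_identifier"
  }
}

// Interprocedural taint tracking: flow is followed through parameters, return
// values and string concatenation/formatting, which is the "three function calls" case.
module SqlTaintFlow = TaintTracking::Global<SqlTaintConfig>;

import SqlTaintFlow::PathGraph

from SqlTaintFlow::PathNode source, SqlTaintFlow::PathNode sink
where SqlTaintFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This SQL query depends on a $@.", source.getNode(),
  "user-provided value"
```

Run it with `codeql database analyze` against a database built with `codeql database create`; the path-problem result shows each hop from the request parameter to the `execute` call.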

The AI Hybrid Approach: Promise and Caveats

The March 2026 AI-powered detections extend coverage to Shell/Bash, Dockerfiles, Terraform, and PHP using a hybrid model: CodeQL provides semantic analysis for supported languages, and an AI model fills gaps where CodeQL doesn't have a full language frontend.

What this actually means: For the core languages (Java, JavaScript, Python, C/C++, C#, Go, Ruby, Swift, Kotlin), you get deterministic, reproducible analysis. For the AI-covered languages, you get probabilistic detection — likely higher false-positive rates and non-reproducible results across runs. GitHub hasn't published precision/recall numbers for the AI detections yet, so treat them as supplementary, not primary.

Compare this to Semgrep's approach: Semgrep added AI-powered "Assistant" rules that suggest custom rules based on your codebase. Different philosophy — Semgrep uses AI to help you write better rules; CodeQL uses AI to extend its own coverage. Neither has proven the AI layer is as reliable as the deterministic one.

Strengths

  • Deep semantic analysis (data flow, control flow, type relationships) — not just pattern matching
  • Tight GitHub ecosystem integration (PR scanning, Dependabot, Copilot Autofix)
  • Free for all public repositories
  • Incremental analysis (Sept 2025) makes scans 5–40% faster
  • Extensible query language for custom vulnerability detection — if you invest in learning it
  • Copilot Autofix handled 460,000+ security alerts in 2025 with 80%+ positive developer feedback

Limitations

  • GitHub lock-in. No integration outside the GitHub ecosystem. If you use GitLab or Bitbucket, CodeQL is not an option — look at Semgrep or SonarQube instead.
  • GHAS cost for private repos is significant. $30/active committer/month adds up fast for large teams. A 50-person team pays $18K/year just for code scanning — Semgrep's free tier covers most of that.
  • Query authoring learning curve. Writing custom CodeQL queries requires learning a Datalog-inspired QL language. Semgrep's pattern syntax ($X.execute($QUERY)) is dramatically easier for one-off rules.
  • AI detections are not GA. The hybrid model is in preview. Don't rely on it for compliance-critical scanning of Shell/Dockerfile/Terraform yet.

When NOT to Use CodeQL

  • Non-GitHub repos. It literally doesn't work outside GitHub.
  • Small teams on a budget. If you're a 5-person startup with private repos, Semgrep's free tier gives you 90% of the value at $0.
  • You need fast custom rules. If your security team needs to ship a new detection rule in hours (e.g., responding to a zero-day), Semgrep's pattern syntax is far faster to iterate on than CodeQL's QL.

Pricing

  • Public repos: Free on all GitHub plans
  • Private repos: Requires GitHub Advanced Security — Code Security at $30/active committer/month, or included in GitHub Enterprise ($21/user/month)