CodeQL Code Scanning

GitHub recently launched code scanning, which is based on an open source collection of CodeQL queries that analyze code to find security vulnerabilities. It is only available on GitHub's enterprise plan and for public repositories, via GitHub Actions. Swissknife tries to reduce this gap by offering the ability to run these scans via CircleCI as well.


Once the report is generated it can be viewed at


The Swissknife orb adds a job that runs scans against your codebase with very little setup. The example CircleCI workflow below runs a scan once a day against all detected languages (automatic language detection works only for GitHub repositories).

version: 2.1

orbs:
  swissknife: roopakv/swissknife@x.y # Grab the latest version from

workflows:
  codeql-scan: # workflow name; any name works
    triggers:
      - schedule:
          cron: "0 10 * * *" # run at 10am UTC daily
          filters:
            branches:
              only:
                - master
    jobs:
      - swissknife/codeql-analysis:
          name: "CodeQL Scan"

This job has a few parameters that let you customize its behaviour (listed as name, default value, description):

custom-init-steps (default: []): A set of custom CircleCI steps you can pass to the job. These steps are run after your code is checked out and can be used to set up the environment, etc.

languages (default: auto): If auto, and the repository is on GitHub, the job tries to get the languages present in the repo from GitHub. If set to a comma-separated list of languages, only those languages are analyzed.

output-dir (default: /home/circleci/analysis): The directory where the reports are stored.

ram-limit (default: 1024): The maximum RAM the analysis can use.

report-to-swissknife (default: true): Whether the report is sent to the Swissknife service, which is used to display easy-to-read reports. This requires the SWISSKNIFE_API_KEY environment variable to be set. [Report viewing coming soon]

resource-class (default: medium): The CircleCI resource class to use for the job's executor.
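As an added example (not from the Swissknife docs or orb), the same job configured for a repository that is not hosted on GitHub, so automatic language detection cannot be used and the languages are listed explicitly, with custom-init-steps installing build prerequisites and the standard CircleCI post-steps feature (not an orb parameter) keeping the report directory as a build artifact. The languages, dependency commands, schedule and workflow name are assumptions for this example.

```yaml
version: 2.1

orbs:
  swissknife: roopakv/swissknife@x.y # pin to the latest released orb version

workflows:
  nightly-codeql: # assumed workflow name
    triggers:
      - schedule:
          cron: "0 3 * * *" # 03:00 UTC daily, outside working hours
          filters:
            branches:
              only:
                - master
    jobs:
      - swissknife/codeql-analysis:
          name: "CodeQL Scan (explicit languages)"
          # The repo is not on GitHub, so 'auto' detection is unavailable:
          # list the languages to analyze explicitly (assumed for this example).
          languages: "javascript,python"
          # Larger executor and RAM cap for a bigger codebase.
          resource-class: large
          ram-limit: 4096
          # Reports are written here inside the job container.
          output-dir: /home/circleci/analysis
          # No SWISSKNIFE_API_KEY is configured for this project, so the
          # reports are kept with the build instead of being uploaded.
          report-to-swissknife: false
          # Runs after checkout and before the analysis: install the
          # dependencies the code needs so CodeQL sees a complete project
          # (commands assumed for this example).
          custom-init-steps:
            - run:
                name: Install project dependencies
                command: |
                  npm ci
                  pip install -r requirements.txt
          # post-steps is a built-in CircleCI feature for orb jobs, not an
          # orb parameter: persist the report directory as an artifact so it
          # can be downloaded and reviewed from the CircleCI UI.
          post-steps:
            - store_artifacts:
                path: /home/circleci/analysis
                destination: codeql-reports
```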