View the languages, libraries, and frameworks supported in the latest version of CodeQL.
The current versions of the CodeQL CLI (changelog, releases), CodeQL library packs (source), and CodeQL bundle (releases) support the following languages and compilers.
C89, C99, C11, C17, C23, C++98, C++03, C++11, C++14, C++17, C++20, C++23 [1] [2] [3] |
Clang (including clang-cl [4] and armclang) extensions (up to Clang 21), GNU extensions (up to GCC 15), Microsoft extensions (up to VS 2022), Arm Compiler 5 [5] |
.cpp, .c++, .cxx, .hpp, .hh, .h++, .hxx, .c, .cc, .h |
C# up to 14 [6] |
Microsoft Visual Studio up to 2019 with .NET up to 4.8, .NET Core up to 3.1 .NET 5, .NET 6, .NET 7, .NET 8, .NET 9, .NET 10 [6] |
.sln, .slnx, .csproj, .cs, .cshtml, .xaml |
Not applicable |
Not applicable |
.github/workflows/*.yml, .github/workflows/*.yaml, **/action.yml, **/action.yaml |
Go up to 1.26 |
Go 1.11 or more recent |
.go |
Java 7 to 26 [7] |
javac (OpenJDK and Oracle JDK), Eclipse compiler for Java (ECJ) [8] |
.java |
Kotlin 1.8.0 to 2.3.2x |
kotlinc |
.kt |
ECMAScript 2022 or lower |
Not applicable |
.js, .jsx, .mjs, .es, .es6, .htm, .html, .xhtm, .xhtml, .vue, .hbs, .ejs, .njk, .json, .yaml, .yml, .raml, .xml [9] |
2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13 |
Not applicable |
.py |
up to 3.3 |
Not applicable |
.rb, .erb, .gemspec, Gemfile |
Rust editions 2021 and 2024 |
Rust compiler |
.rs, Cargo.toml |
Swift 5.4-6.3 |
Swift compiler |
.swift |
2.6-5.9 |
Standard TypeScript compiler |
.ts, .tsx, .mts, .cts |
C++20 modules are not supported.
[2]C23 and C++23 support is currently in beta.
[3]Objective-C, Objective-C++, C++/CLI, and C++/CX are not supported.
[4]Support for the clang-cl compiler is preliminary.
[5]Support for the Arm Compiler (armcc) is preliminary.
[6] (1,2)Support for .NET 10 is preliminary and code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
[7]Builds that execute on Java 7 to 26 can be analyzed. The analysis understands standard language features in Java 8 to 26; “preview” and “incubator” features are not supported. Source code using Java language versions older than Java 8 are analyzed as Java 8 code.
[8]ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin.
[9]JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files.
[10]The extractor requires Python 3 to run. To analyze Python 2.7 you should install both versions of Python.
[11]Requires glibc 2.17.
[12]Requires rustup and cargo to be installed. Features from nightly toolchains are not supported.
[13]Support for the analysis of Swift requires macOS.
[14]Embedded Swift is not supported.
[15]TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default.
The current versions of the CodeQL library and query packs (source) have been explicitly checked against the libraries and frameworks listed below.
Tip
If you’re interested in other libraries or frameworks, you can extend the analysis to cover them. For example, by extending the data flow libraries to include data sources and sinks for additional libraries or frameworks.
Provided by the current versions of the CodeQL query pack codeql/cpp-queries (changelog, source) and the CodeQL library pack codeql/cpp-all (changelog, source).
Network communicator |
|
Utility library |
|
string.h |
String library |
Provided by the current versions of the CodeQL query pack codeql/csharp-queries (changelog, source) and the CodeQL library pack codeql/csharp-all (changelog, source).
ASP.NET |
Web application framework |
ASP.NET Core |
Web application framework |
ASP.NET Razor templates |
Web application framework |
Dapper |
Database ORM |
EntityFramework |
Database ORM |
EntityFramework Core |
Database ORM |
Json.NET |
Serialization |
NHibernate |
Database ORM |
WinForms |
User interface |
Provided by the current versions of the CodeQL query pack codeql/actions-queries (changelog, source) and the CodeQL library pack codeql/actions-all (changelog, source).
Workflows |
|
Actions |
Provided by the current versions of the CodeQL query pack codeql/go-queries (changelog, source) and the CodeQL library pack codeql/go-all (changelog, source).
Serverless framework |
|
Web/logging/database framework |
|
Web framework |
|
Couchbase (gocb and go-couchbase) |
Database |
Web framework |
|
Web framework |
|
Logging library |
|
Database |
|
Web application framework |
|
Utility library |
|
Logging library |
|
Microservice toolkit |
|
XPath library |
|
Network communicator |
|
Network communicator |
|
HTTP proxy library |
|
HTTP request router and dispatcher |
|
Network communicator |
|
Database |
|
Network communicator |
|
XPath library |
|
XPath library |
|
Serialization |
|
Serialization |
|
XPath library |
|
Logging library |
|
Logging library |
|
Web framework |
|
Database |
|
Network communicator |
|
Serialization |
|
Web framework |
|
Email library |
|
Database |
|
Database |
|
Network communicator |
|
XPath library |
|
XPath library |
|
XPath library |
|
XPath library |
|
Serialization |
|
Logging library |
Provided by the current versions of the CodeQL query pack codeql/java-queries (changelog, source) and the CodeQL library pack codeql/java-all (changelog, source).
Apache Commons Collections |
Data structure utility library |
Apache Commons Lang |
Utility library |
Apache HTTP components |
Network communicator |
Guava |
Utility and collections library |
Hibernate |
Database |
iBatis / MyBatis |
Database |
Jackson |
Serialization |
Java Persistence API (JPA) |
Database |
JaxRS |
Jakarta EE API specification |
JDBC |
Database |
JSON-java |
Serialization |
Kryo deserialization |
Serialization |
Project Lombok |
Utility library |
Protobuf |
Serialization |
SnakeYaml |
Serialization |
Spring JDBC |
Database |
Spring MVC |
Web application framework |
Struts |
Web application framework |
Thrift |
RPC framework |
XStream |
Serialization |
Provided by the current versions of the CodeQL query pack codeql/javascript-queries (changelog, source) and the CodeQL library pack codeql/javascript-all (changelog, source).
angular (modern version) |
HTML framework |
angular.js (legacy version) |
HTML framework |
AWS Lambda |
Serverless framework |
axios |
Network communicator |
browser |
Runtime environment |
EJS |
templating language |
electron |
Runtime environment |
express |
Server |
Fastify |
Server |
handlebars |
templating language |
hapi |
Server |
hogan |
templating language |
jquery |
Utility library |
koa |
Server |
lodash |
Utility library |
mongodb |
Database |
mssql |
Database |
mustache |
templating language |
mysql |
Database |
nest.js |
Server |
node |
Runtime environment |
nunjucks |
templating language |
postgres |
Database |
ramda |
Utility library |
react |
HTML framework |
react native |
HTML framework |
request |
Network communicator |
restify |
Server |
sequelize |
Database |
socket.io |
Network communicator |
sqlite3 |
Database |
superagent |
Network communicator |
swig |
templating language |
underscore |
Utility library |
Vercel (@vercel/node) |
Serverless framework |
vue |
HTML framework |
Provided by the current versions of the CodeQL query pack codeql/python-queries (changelog, source) and the CodeQL library pack codeql/python-all (changelog, source).
AWS Lambda |
Serverless framework |
aiohttp.web |
Web framework |
Django |
Web framework |
djangorestframework |
Web framework |
FastAPI |
Web framework |
Flask |
Web framework |
Flask-Admin |
Web framework |
Tornado |
Web framework |
Twisted |
Web framework |
Gradio |
Web framework |
starlette |
Asynchronous Server Gateway Interface (ASGI) |
ldap3 |
Lightweight Directory Access Protocol (LDAP) |
python-ldap |
Lightweight Directory Access Protocol (LDAP) |
httpx |
HTTP client |
pycurl |
HTTP client |
requests |
HTTP client |
urllib |
HTTP client |
urllib2 |
HTTP client |
urllib3 |
HTTP client |
dill |
Serialization |
PyYAML |
Serialization |
ruamel.yaml |
Serialization |
simplejson |
Serialization |
toml |
Serialization |
ujson |
Serialization |
fabric |
Utility library |
idna |
Utility library |
invoke |
Utility library |
jmespath |
Utility library |
multidict |
Utility library |
pydantic |
Utility library |
yarl |
Utility library |
aioch |
Database |
aiomysql |
Database |
aiopg |
Database |
aiosqlite |
Database |
asyncpg |
Database |
cassandra-driver |
Database |
clickhouse-driver |
Database |
cx_Oracle |
Database |
hdbcli |
Database |
mysql-connector |
Database |
mysql-connector-python |
Database |
MySQL-python |
Database |
mysqlclient |
Database |
oracledb |
Database |
phoenixdb |
Database |
psycopg2 |
Database |
pymssql |
Database |
PyMySQL |
Database |
pyodbc |
Database |
sqlite3 |
Database |
Flask-SQLAlchemy |
Database ORM |
peewee |
Database ORM |
SQLAlchemy |
Database ORM |
cryptography |
Cryptography library |
pycryptodome |
Cryptography library |
pycryptodomex |
Cryptography library |
rsa |
Cryptography library |
MarkupSafe |
Escaping Library |
libtaxii |
TAXII utility library |
libxml2 |
XML processing library |
lxml |
XML processing library |
xmltodict |
XML processing library |
Provided by the current versions of the CodeQL query pack codeql/ruby-queries (changelog, source) and the CodeQL library pack codeql/ruby-all (changelog, source).
excon |
HTTP client |
faraday |
HTTP client |
http_client |
HTTP client |
httparty |
HTTP client |
libxml-ruby |
XML processing library |
nokogiri |
XML processing library |
open-uri |
HTTP client |
posix-spawn |
Utility library |
rest-client |
HTTP client |
Ruby on Rails |
Web framework |
rubyzip |
Compression library |
typhoeus |
HTTP client |
Provided by the current versions of the CodeQL query pack codeql/rust-queries (changelog, source) and the CodeQL library pack codeql/rust-all (changelog, source).
Web framework |
|
alloc |
Standard library |
Asynchronous programming library |
|
Cookie management |
|
Utility library |
|
Cookie management |
|
core |
Standard library |
Cryptography library |
|
Asynchronous programming library |
|
Network communicator |
|
HTTP library |
|
Utility library |
|
Logging library |
|
Utility library |
|
Utility library |
|
Database |
|
Database |
|
Utility library |
|
Web framework |
|
Database |
|
proc_macro |
Standard library |
Utility library |
|
Utility library |
|
HTTP client |
|
Web framework |
|
Database |
|
std |
Standard library |
Cryptography library |
|
Network communicator |
|
Serialization |
|
Utility library |
|
Database |
|
Asynchronous IO |
|
Database |
|
Utility library |
|
Web framework |
Provided by the current versions of the CodeQL query pack codeql/swift-queries (changelog, source) and the CodeQL library pack codeql/swift-all (changelog, source).
XML processing library |
|
Network communicator |
|
Database |
|
Cryptography library |
|
Cryptography library |
|
Utility library |
|
Database |
|
Scripting library |
|
XML processing library |
|
Network communicator |
|
Database |
|
Cryptography library |
|
Database |
|
Database |
|
User interface library |
|
User interface library |