
GitHub Actions queries for CodeQL analysis

Explore the queries that CodeQL uses to analyze workflows used by GitHub Actions when you select the default or the security-extended query suite.

Who can use this feature?

CodeQL is available for the following repository types:

CodeQL includes many queries for analyzing workflows used by GitHub Actions. All queries in the default query suite are run by default. If you choose to use the security-extended query suite, additional queries are run. For more information, see CodeQL query suites.

Built-in queries for workflow analysis

This table lists the queries available with the latest release of the CodeQL action and the CodeQL CLI; the Default and Extended columns show which query suite runs each query. For more information, see CodeQL change logs on the CodeQL documentation site.

| Query name | Related CWEs | Default | Extended |
| --- | --- | --- | --- |
| Artifact poisoning | 829 | ✓ | ✓ |
| Cache Poisoning via caching of untrusted files | 349 | ✓ | ✓ |
| Cache Poisoning via execution of untrusted code | 349 | ✓ | ✓ |
| Cache Poisoning via low-privileged code injection | 349, 094 | ✓ | ✓ |
| Checkout of untrusted code in a privileged context | 829 | ✓ | ✓ |
| Checkout of untrusted code in trusted context | 829 | ✓ | ✓ |
| Code injection | 094, 095, 116 | ✓ | ✓ |
| Environment variable built from user-controlled sources | 077, 020 | ✓ | ✓ |
| Excessive Secrets Exposure | 312 | ✓ | ✓ |
| Improper Access Control | 285 | ✓ | ✓ |
| PATH environment variable built from user-controlled sources | 077, 020 | ✓ | ✓ |
| Storage of sensitive information in GitHub Actions artifact | 312 | ✓ | ✓ |
| Unmasked Secret Exposure | 312 | ✓ | ✓ |
| Untrusted Checkout TOCTOU | 367 | ✓ | ✓ |
| Untrusted Checkout TOCTOU | 367 | ✓ | ✓ |
| Use of a known vulnerable action | 1395 | ✓ | ✓ |
| Workflow does not contain permissions | 275 | ✓ | ✓ |
| Artifact poisoning | 829 |  | ✓ |
| Checkout of untrusted code in trusted context | 829 |  | ✓ |
| Code injection | 094, 095, 116 |  | ✓ |
| Environment variable built from user-controlled sources | 077, 020 |  | ✓ |
| PATH environment variable built from user-controlled sources | 077, 020 |  | ✓ |
| Unpinned tag for a non-immutable Action in workflow | 829 |  | ✓ |

A query name that appears more than once denotes separate queries that differ in precision and severity; the rows without a Default mark are run only when you select the security-extended suite.
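To make concrete what four of the listed queries look for, here is an added example that is not part of this page and not CodeQL's implementation: a small Python script with two constructed workflows, one deliberately vulnerable and one hardened, and line-based heuristics that approximate "Code injection", "Checkout of untrusted code in a privileged context", "Unpinned tag for a non-immutable Action in workflow" and "Workflow does not contain permissions". The workflows, the subset of attacker-controlled contexts in `UNTRUSTED`, and the set of privileged triggers are assumptions for illustration; the commit SHA in the hardened workflow is assumed to be the actions/checkout v4.2.2 commit and should be verified against the upstream tag. The real queries run as part of CodeQL's `actions` language analysis with a full data-flow model; this script only shows the patterns.

```python
import re
from collections import namedtuple

# Constructed sample, deliberately vulnerable: privileged trigger plus checkout of the
# PR head, untrusted title expanded in `run`, a mutable tag, no permissions block.
VULNERABLE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Thanks for ${{ github.event.pull_request.title }}"
"""

# Constructed sample, hardened. Assumption: the SHA is the actions/checkout v4.2.2
# commit; verify it against the upstream tag before copying it anywhere.
HARDENED_WORKFLOW = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Thanks for $PR_TITLE"
"""

# rule: query name as listed in the table above; line: 1-based line in the workflow.
Finding = namedtuple("Finding", "rule line")

# Assumption: an illustrative subset of the contexts an outside contributor controls.
UNTRUSTED = re.compile(r"\$\{\{\s*(?:github\.head_ref|github\.event\.(?:pull_request"
                       r"|issue|comment|review|head_commit)\.[\w.\[\]]*)\s*\}\}")
PRIVILEGED_TRIGGERS = {"pull_request_target", "issue_comment", "workflow_run"}
PR_HEAD = re.compile(r"github\.(?:head_ref|event\.pull_request\.head\.(?:ref|sha))")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
RUN = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def _indent(line):
    return len(line) - len(line.lstrip(" "))

def _body(lines, start, col):
    # Lines after index `start` indented deeper than column `col` (the value/step body).
    out = []
    for line in lines[start + 1:]:
        if line.strip() and _indent(line) <= col:
            break
        out.append(line)
    return out

def triggers(lines):
    # Event names under the top-level `on:` key (flow list, block list or mapping).
    for i, line in enumerate(lines):
        if not (m := re.match(r"^on:\s*(.*)$", line)):
            continue
        if m.group(1).strip():
            return {t.strip() for t in m.group(1).strip("[] ").split(",") if t.strip()}
        body = [ln for ln in _body(lines, i, 0) if ln.strip() and not ln.lstrip().startswith("#")]
        child = _indent(body[0]) if body else 0
        return {ln.strip().lstrip("- ").split(":")[0] for ln in body if _indent(ln) == child}
    return set()

def scan(workflow):
    lines = workflow.splitlines()
    privileged = bool(triggers(lines) & PRIVILEGED_TRIGGERS)
    findings = []
    # Workflow does not contain permissions: neither a workflow- nor a job-level key.
    if not any(re.match(r"^\s*permissions:", ln) for ln in lines):
        findings.append(Finding("Workflow does not contain permissions", 1))
    for i, line in enumerate(lines, 1):
        if m := RUN.match(line):  # Code injection: untrusted context inside the script
            script = m.group(2)
            if re.fullmatch(r"[|>][-+0-9]*", script.strip()):  # block scalar: use its body
                script = "\n".join(_body(lines, i - 1, len(m.group(1))))
            if UNTRUSTED.search(script):
                findings.append(Finding("Code injection", i))
            continue
        if not (m := USES.match(line)):
            continue
        action = m.group(1)
        # Unpinned tag: anything but a full commit SHA can be moved by the action's owner.
        if not action.startswith(("./", "docker://")):
            if not FULL_SHA.match(action.rsplit("@", 1)[-1] if "@" in action else ""):
                findings.append(Finding("Unpinned tag for a non-immutable Action in workflow", i))
        # Checkout of untrusted code in a privileged context: write-capable trigger
        # plus checkout of the PR head ref or sha.
        if privileged and action.startswith("actions/checkout"):
            if PR_HEAD.search("\n".join(_body(lines, i - 1, _indent(line)))):
                findings.append(Finding("Checkout of untrusted code in a privileged context", i))
    return findings
```

`scan(VULNERABLE_WORKFLOW)` returns four findings, one per pattern, while `scan(HARDENED_WORKFLOW)` returns none. The hardening applied is the usual remediation for these findings: pass untrusted input to the shell through an environment variable instead of expanding it in the script, do not check out the pull request head under a write-capable trigger such as `pull_request_target`, pin third-party actions to a full commit SHA, and declare least-privilege `permissions:`. The heuristics here are deliberately shallow (a real `pull_request_target` workflow that never checks out the head is safe, and the CodeQL queries track where the untrusted value actually flows), so treat the script as a reading aid for the table, not as a substitute for running CodeQL.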
