{"meta":{"title":"database analyze","intro":"Analyze a database, producing meaningful results in the context of the\nsource code.","product":"Security and code quality","breadcrumbs":[{"href":"/en/code-security","title":"Security and code quality"},{"href":"/en/code-security/reference","title":"Reference"},{"href":"/en/code-security/reference/code-scanning","title":"Code scanning"},{"href":"/en/code-security/reference/code-scanning/codeql","title":"CodeQL"},{"href":"/en/code-security/reference/code-scanning/codeql/codeql-cli-manual","title":"CodeQL CLI manual"},{"href":"/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze","title":"database analyze"}],"documentType":"article"},"body":"# database analyze\n\nAnalyze a database, producing meaningful results in the context of the\nsource code.\n\n> \\[!NOTE]\n> This content describes the most recent release of the CodeQL CLI. For more information about this release, see .\n>\n> To see details of the options available for this command in an earlier release, run the command with the `--help` option in your terminal.\n\n## Synopsis\n\n```shell copy\ncodeql database analyze --format= --output= [--threads=] [--ram=] ... -- ...\n```\n\n## Description\n\nAnalyze a database, producing meaningful results in the context of the\nsource code.\n\nRun a query suite (or some individual queries) against a CodeQL\ndatabase, producing results, styled as alerts or paths, in SARIF or\nanother interpreted format.\n\nThis command combines the effect of the [codeql database run-queries](/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-run-queries) and [codeql database interpret-results](/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-interpret-results) commands. If you want to run queries whose results *don't* meet the requirements for\nbeing interpreted as source-code alerts, use\n[codeql database run-queries](/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-run-queries) or [codeql query run](/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/query-run) instead, and then [codeql bqrs decode](/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-decode) to convert the raw results to a readable notation.\n\n## Options\n\n### Primary Options\n\n#### ``\n\n\\[Mandatory] Path to the CodeQL database to query.\n\n#### `...`\n\nQueries to execute. Each argument is in the form `scope/name@range:path`\nwhere:\n\n* `scope/name` is the qualified name of a CodeQL pack.\n* `range` is a semver range.\n* `path` is a file system path.\n\nIf a `scope/name` is specified, the `range` and `path` are optional. A\nmissing `range` implies the latest version of the specified pack. A\nmissing `path` implies the default query suite of the specified pack.\n\nThe `path` can be one of a `*.ql` query file, a directory containing one\nor more queries, or a `.qls` query suite file. If there is no pack name\nspecified, then a `path` must be provided, and will be interpreted\nrelative to the current working directory of the current process.\n\nTo specify a `path` that contains a literal `@` or `:`, use `path:` as a\nprefix to the argument, like this: `path:directory/with:and@/chars`.\n\nIf a `scope/name` and `path` are specified, then the `path` cannot be\nabsolute. It is considered relative to the root of the CodeQL pack.\n\nIf no queries are specified, the CLI will automatically determine a\nsuitable set of queries to run. In particular, if a Code Scanning\nconfiguration file was specified at database creation time using\n`--codescanning-config` then the queries from this will be used.\nOtherwise, the default queries for the language being analyzed will be\nused.\n\n#### `--format=`\n\n\\[Mandatory] The format in which to write the results. One of:\n\n`csv`: Formatted comma-separated values, including columns with both\nrule and alert metadata.\n\n`sarif-latest`: Static Analysis Results Interchange Format (SARIF), a\nJSON-based format for describing static analysis results. This format\noption uses the most recent supported version (v2.1.0). This option is\nnot suitable for use in automation as it will produce different versions\nof SARIF between different CodeQL versions.\n\n`sarifv2.1.0`: SARIF v2.1.0.\n\n`graphtext`: A textual format representing a graph. Only compatible with\nqueries with @kind graph.\n\n`dgml`: Directed Graph Markup Language, an XML-based format for\ndescribing graphs. Only compatible with queries with @kind graph.\n\n`dot`: Graphviz DOT language, a text-based format for describing graphs.\nOnly compatible with queries with @kind graph.\n\n#### `-o, --output=`\n\n\\[Mandatory] The output path to write results to. For graph formats\nthis should be a directory, and the result (or results if this command\nsupports interpreting more than one query) will be written within that\ndirectory.\n\n#### `--[no-]rerun`\n\nEvaluate even queries that seem to have a BQRS result stored in the\ndatabase already.\n\n#### `--no-print-diagnostics-summary`\n\nDon't print a summary of the analyzed diagnostics to standard output.\n\n#### `--no-print-metrics-summary`\n\nDon't print a summary of the analyzed metrics to standard output.\n\n#### `--max-paths=`\n\nThe maximum number of paths to produce for each alert with paths.\n(Default: 4)\n\n#### `--[no-]sarif-add-file-contents`\n\n\\[SARIF formats only] Include the full file contents for all files\nreferenced in at least one result.\n\n#### `--[no-]sarif-add-snippets`\n\n\\[SARIF formats only] Include code snippets for each location mentioned\nin the results, with two lines of context before and after the reported\nlocation.\n\n#### `--[no-]sarif-add-query-help`\n\n\\[SARIF formats only] \\[Deprecated] Include Markdown query help for\nall queries. It loads query help for /path/to/query.ql from the\n/path/to/query.md file. If this flag is not supplied the default\nbehavior is to include help only for custom queries i.e. those in query\npacks which are not of the form \\`codeql/\\`\n\n\\[SARIF formats only] Specify whether to include query help in the\nSARIF output. One of:\n\n`always`: Include query help for all queries.\n\n`custom_queries_only` *(default)*: Include query help only for custom\nqueries i.e. those in query packs which are not of the form\n\\`codeql/\\.tool.extensions` property. This\noption has no effect when passed to [codeql bqrs interpret](/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/bqrs-interpret).\n\n#### `--[no-]sarif-multicause-markdown`\n\n\\[SARIF formats only] For alerts that have multiple causes, include\nthem as a Markdown-formatted itemized list in the output in addition to\nas a plain string.\n\n#### `--no-sarif-minify`\n\n\\[SARIF formats only] Produce pretty-printed SARIF output. By default,\nSARIF output is minified to reduce the size of the output file.\n\n#### `--sarif-run-property=`\n\n\\[SARIF formats only] A key value pair to add to the generated SARIF\n'run' property bag. Can be repeated.\n\n#### `--no-group-results`\n\n\\[SARIF formats only] Produce one result per message, rather than one\nresult per unique location.\n\n#### `--csv-location-format=`\n\nThe format in which to produce locations in CSV output. One of: uri,\nline-column, offset-length. (Default: line-column)\n\n#### `--dot-location-url-format=`\n\nA format string defining the format in which to produce file location\nURLs in DOT output. The following place holders can be used {path}\n{start:line} {start:column} {end:line} {end:column}, {offset}, {length}\n\n#### `--[no-]sublanguage-file-coverage`\n\n\\[GitHub.com and GitHub Enterprise Server v3.12.0+ only] Use\nsub-language file coverage information. This calculates, displays, and\nexports separate file coverage information for languages which share a\nCodeQL extractor like C and C++, Java and Kotlin, and JavaScript and\nTypeScript.\n\nAvailable since `v2.15.2`.\n\n#### `--sarif-category=`\n\n\\[SARIF formats only] \\[Recommended] Specify a category for this\nanalysis to include in the SARIF output. A category can be used to\ndistinguish multiple analyses performed on the same commit and\nrepository, but on different languages or different parts of the code.\n\nIf you analyze the same version of a code base in several different ways\n(e.g., for different languages) and upload the results to GitHub for\npresentation in Code Scanning, this value should differ between each of\nthe analyses, which tells Code Scanning that the analyses *supplement*\nrather than *supersede* each other. (The values should be consistent\nbetween runs of the same analysis for *different* versions of the code\nbase.)\n\nThis value will appear (with a trailing slash appended if not already\npresent) as the `.automationDetails.id` property.\n\n#### `--no-database-extension-packs`\n\n\\[Advanced] Omit extension packs stored in the database during database\ncreation, either from a Code Scanning configuration file or from\nextension files stored in the 'extensions' directory of the analyzed\ncodebase.\n\n#### `--no-database-threat-models`\n\n\\[Advanced] Omit threat model configuration stored in the database\nduring database creation from a Code Scanning configuration file.\n\n#### `--[no-]download`\n\nDownload any missing queries before analyzing.\n\n### Options to control the model packs to be used\n\n#### `--model-packs=<`>...\n\nA list of CodeQL pack names, each with an optional version range, to be\nused as model packs to customize the queries that are about to be\nevaluated.\n\n### Options to control the threat models to be used\n\n#### `--threat-model=...`\n\nA list of threat models to enable or disable.\n\nThe argument is the name of a threat model, optionally preceded by a\n'!'. If no '!' is present, the named threat model and all of its\ndescendants are enabled. If a '!' is present, the named threat model\nand all of its descendants are disabled.\n\nThe 'default' threat model is enabled by default, but can be disabled\nby specifying '--threat-model !default'.\n\nThe 'all' threat model can be used to enable or disable all threat\nmodels.\n\nThe --threat-model options are processed in order. For example,\n'--threat-model local --threat-model !environment' enables all of\nthe threat models in the 'local' group except for the 'environment'\nthreat model.\n\nThis option only has an effect for languages that support threat models.\n\nAvailable since `v2.15.3`.\n\n### Options to control the query evaluator\n\n#### `--[no-]tuple-counting`\n\n\\[Advanced] Display tuple counts for each evaluation step in the query\nevaluator logs. If the `--evaluator-log` option is provided, tuple\ncounts will be included in both the text-based and structured JSON logs\nproduced by the command. (This can be useful for performance\noptimization of complex QL code).\n\n#### `--timeout=`\n\n\\[Advanced] Set the timeout length for query evaluation, in seconds.\n\nThe timeout feature is intended to catch cases where a complex query\nwould take \"forever\" to evaluate. It is not an effective way to limit\nthe total amount of time the query evaluation can take. The evaluation\nwill be allowed to continue as long as each separately timed part of the\ncomputation completes within the timeout. Currently these separately\ntimed parts are \"RA layers\" of the optimized query, but that might\nchange in the future.\n\nIf no timeout is specified, or is given as 0, no timeout will be set\n(except for [codeql test run](/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/test-run), where the default timeout is 5 minutes).\n\n#### `-j, --threads=`\n\nUse this many threads to evaluate queries.\n\nDefaults to 1. You can pass 0 to use one thread per core on the machine,\nor -*N* to leave *N* cores unused (except still use at least one\nthread).\n\n#### `--[no-]save-cache`\n\n\\[Deprecated] \\[Advanced] This flag does nothing.\n\n#### `--[no-]expect-discarded-cache`\n\n\\[Advanced] Make decisions about which predicates to evaluate, and what\nto write to the disk cache, based on the assumption that the cache will\nbe discarded after the queries have been executed.\n\n#### `--[no-]keep-full-cache`\n\n\\[Advanced] Don't clean up the disk cache after evaluation completes.\nThis may save time if you're going to do [codeql dataset cleanup](/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/dataset-cleanup) or [codeql database cleanup](/en/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-cleanup) afterwards anyway.\n\n#### `--max-disk-cache=`\n\nSet the maximum amount of space that the disk cache for intermediate\nquery results can use.\n\nIf this size is not configured explicitly, the evaluator will try to use\na \"reasonable\" amount of cache space, based on the size of the dataset\nand the complexity of the queries. Explicitly setting a higher limit\nthan this default usage will enable additional caching which can speed\nup later queries.\n\n#### `--min-disk-free=`\n\n\\[Advanced] Set target amount of free space on file system.\n\nIf `--max-disk-cache` is not given, the evaluator will try hard to\ncurtail disk cache usage if the free space on the file system drops\nbelow this value.\n\n#### `--min-disk-free-pct=`\n\n\\[Advanced] Set target fraction of free space on file system.\n\nIf `--max-disk-cache` is not given, the evaluator will try hard to\ncurtail disk cache usage if the free space on the file system drops\nbelow this percentage.\n\n#### `--external==`\n\nA CSV file that contains rows for external predicate *\\*.\nMultiple `--external` options can be supplied.\n\n#### `--xterm-progress=`\n\n\\[Advanced] Controls whether to show progress tracking during QL\nevaluation using xterm control sequences. Possible values are:\n\n`no`: Never produce fancy progress; assume a dumb terminal.\n\n`auto` *(default)*: Autodetect whether the command is running in an\nappropriate terminal.\n\n`yes`: Assume the terminal can understand xterm control sequences. The\nfeature still depends on being able to autodetect the *size* of the\nterminal (which is not implemented on Windows, sorry), and will also be\ndisabled if `-q` is given.\n\n`25x80` (or similar): Like `yes`, and also explicitly give the size of\nthe terminal. (Unlike `yes`, this should work on Windows.)\n\n`25x80:/dev/pts/17` (or similar): show fancy progress on a *different*\nterminal than stderr. Mostly useful for internal testing.\n\n### Options for controlling outputting of structured evaluator logs\n\n#### `--evaluator-log=`\n\n\\[Advanced] Output structured logs about evaluator performance to the\ngiven file. The format of this log file is subject to change with no\nnotice, but will be a stream of JSON objects separated by either two\nnewline characters (by default) or one if the `--evaluator-log-minify`\noption is passed. Please use `codeql generate log-summary ` to\nproduce a more stable summary of this file, and avoid parsing the file\ndirectly. The file will be overwritten if it already exists.\n\n#### `--evaluator-log-minify`\n\n\\[Advanced] If the `--evaluator-log` option is passed, also passing\nthis option will minimize the size of the JSON log produced, at the\nexpense of making it much less human readable.\n\n### Options to control RAM usage\n\n#### `-M, --ram=`\n\nThe query evaluator will try hard to keep its total memory footprint\nbelow this value. (However, for large databases it is possible that the\nthreshold may be broken by file-backed memory maps, which can be swapped\nto disk in case of memory pressure).\n\nThe value should be at least 2048 MB; smaller values will be\ntransparently rounded up.\n\n### Options to control QL compilation\n\n#### `--warnings=`\n\nHow to handle warnings from the QL compiler. One of:\n\n`hide`: Suppress warnings.\n\n`show` *(default)*: Print warnings but continue with compilation.\n\n`error`: Treat warnings as errors.\n\n#### `--no-debug-info`\n\nDon't emit source location info in RA for debugging.\n\n#### `--[no-]fast-compilation`\n\n\\[Deprecated] \\[Advanced] Omit particularly slow optimization steps.\n\n#### `--no-release-compatibility`\n\n\\[Advanced] Use the newest compiler features, at the cost of\nportability.\n\nFrom time to time, new QL language features and evaluator optimizations\nwill be supported by the QL evaluator a few releases before they are\nenabled by default in the QL compiler. This helps ensure that the\nperformance you experience when developing queries in the newest CodeQL\nrelease can be matched by slightly older releases that may still be in\nuse for Code Scanning or CI integrations.\n\nIf you do not care about your queries being compatible with other\n(earlier or later) CodeQL releases, you can sometimes achieve a small\namount of extra performance by using this flag to enable recent\nimprovements in the compiler early.\n\nIn releases where there are no recent improvements to enable, this\noption silently does nothing. Thus it is safe to set it once and for all\nin your global CodeQL config file.\n\nAvailable since `v2.11.1`.\n\n#### `--[no-]local-checking`\n\nOnly perform initial checks on the part of the QL source that is used.\n\n#### `--no-metadata-verification`\n\nDon't check embedded query metadata in QLDoc comments for validity.\n\n#### `--compilation-cache-size=`\n\n\\[Advanced] Override the default maximum size for a compilation cache\ndirectory.\n\n#### `--fail-on-ambiguous-relation-name`\n\n\\[Advanced] Fail compilation if an ambiguous relation name is generated\nduring compilation.\n\n### Options to set up compilation environment\n\n#### `--search-path=[:...]`\n\nA list of directories under which QL packs may be found. Each directory\ncan either be a QL pack (or bundle of packs containing a\n`.codeqlmanifest.json` file at the root) or the immediate parent of one\nor more such directories.\n\nIf the path contains more than one directory, their order defines\nprecedence between them: when a pack name that must be resolved is\nmatched in more than one of the directory trees, the one given first\nwins.\n\nPointing this at a checkout of the open-source CodeQL repository ought\nto work when querying one of the languages that live there.\n\nIf you have checked out the CodeQL repository as a sibling of the\nunpacked CodeQL toolchain, you don't need to give this option; such\nsibling directories will always be searched for QL packs that cannot be\nfound otherwise. (If this default does not work, it is strongly\nrecommended to set up `--search-path` once and for all in a per-user\nconfiguration file).\n\n(Note: On Windows the path separator is `;`).\n\n#### `--additional-packs=[:...]`\n\nIf this list of directories is given, they will be searched for packs\nbefore the ones in `--search-path`. The order between these doesn't\nmatter; it is an error if a pack name is found in two different places\nthrough this list.\n\nThis is useful if you're temporarily developing a new version of a pack\nthat also appears in the default path. On the other hand, it is *not\nrecommended* to override this option in a config file; some internal\nactions will add this option on the fly, overriding any configured\nvalue.\n\n(Note: On Windows the path separator is `;`).\n\n#### `--library-path=[:...]`\n\n\\[Advanced] An optional list of directories that will be added to the\nraw import search path for QL libraries. This should only be used if\nyou're using QL libraries that have not been packaged as QL packs.\n\n(Note: On Windows the path separator is `;`).\n\n#### `--dbscheme=`\n\n\\[Advanced] Explicitly define which dbscheme queries should be compiled\nagainst. This should only be given by callers that are extremely sure\nwhat they're doing.\n\n#### `--compilation-cache=`\n\n\\[Advanced] Specify an additional directory to use as a compilation\ncache.\n\n#### `--no-default-compilation-cache`\n\n\\[Advanced] Don't use compilation caches in standard locations such as\nin the QL pack containing the query or in the CodeQL toolchain\ndirectory.\n\n### Options for configuring the CodeQL package manager\n\n#### `--registries-auth-stdin`\n\nAuthenticate to GitHub Enterprise Server Container registries by passing\na comma-separated list of \\=\\ pairs.\n\nFor example, you can pass\n`https://containers.GHEHOSTNAME1/v2/=TOKEN1,https://containers.GHEHOSTNAME2/v2/=TOKEN2`\nto authenticate to two GitHub Enterprise Server instances.\n\nThis overrides the CODEQL\\_REGISTRIES\\_AUTH and GITHUB\\_TOKEN environment\nvariables. If you only need to authenticate to the github.com Container\nregistry, you can instead authenticate using the simpler\n`--github-auth-stdin` option.\n\n#### `--github-auth-stdin`\n\nAuthenticate to the github.com Container registry by passing a\ngithub.com GitHub Apps token or personal access token via standard\ninput.\n\nTo authenticate to GitHub Enterprise Server Container registries, pass\n`--registries-auth-stdin` or use the CODEQL\\_REGISTRIES\\_AUTH environment\nvariable.\n\nThis overrides the GITHUB\\_TOKEN environment variable.\n\n### Common options\n\n#### `-h, --help`\n\nShow this help text.\n\n#### `-J=`\n\n\\[Advanced] Give option to the JVM running the command.\n\n(Beware that options containing spaces will not be handled correctly.)\n\n#### `-v, --verbose`\n\nIncrementally increase the number of progress messages printed.\n\n#### `-q, --quiet`\n\nIncrementally decrease the number of progress messages printed.\n\n#### `--verbosity=`\n\n\\[Advanced] Explicitly set the verbosity level to one of errors,\nwarnings, progress, progress+, progress++, progress+++. Overrides `-v`\nand `-q`.\n\n#### `--logdir=`\n\n\\[Advanced] Write detailed logs to one or more files in the given\ndirectory, with generated names that include timestamps and the name of\nthe running subcommand.\n\n(To write a log file with a name you have full control over, instead\ngive `--log-to-stderr` and redirect stderr as desired.)\n\n#### `--common-caches=`\n\n\\[Advanced] Controls the location of cached data on disk that will\npersist between several runs of the CLI, such as downloaded QL packs and\ncompiled query plans. If not set explicitly, this defaults to a\ndirectory named `.codeql` in the user's home directory; it will be\ncreated if it doesn't already exist.\n\nAvailable since `v2.15.2`."}