Safeguard
Application Security

GitHub Code Security and CodeQL SAST scanning explained

GitHub split Advanced Security into Code Security and Secret Protection in 2025. Here's how CodeQL SAST actually works, what it misses, and how Safeguard fills the supply-chain gap.

Aman Khan
AppSec Engineer
Updated 7 min read

GitHub sits in a strange position in the AppSec market: it is the place where most of the world's code already lives, and since 2019 it has also sold the tools meant to secure that code. On March 4, 2025, GitHub split GitHub Advanced Security (GHAS) into two standalone products — GitHub Code Security ($30/active committer/month) and GitHub Secret Protection ($19/active committer/month) — available to GitHub Team customers, not just Enterprise, starting April 1, 2025. At the center of Code Security sits CodeQL, GitHub's semantic static analysis engine, acquired with Semmle in 2019. CodeQL now covers C/C++, C#, Go, Java, Kotlin, Rust, Swift, JavaScript/TypeScript, Ruby, and Python (as of CodeQL 2.24.0, January 2026) — but it notably still has no first-party support for PHP or Scala. If you're evaluating "github code security codeql" as your primary SAST scanning layer, here is what it actually does, where its limits are, and what a supply-chain-focused platform like Safeguard adds around it.

What is GitHub Code Security, and how is it different from GitHub Advanced Security?

GitHub Code Security is the renamed, unbundled successor to the code-scanning half of GHAS. Where GHAS was a single Enterprise-only SKU that bundled CodeQL scanning, secret scanning, and dependency review together, GitHub split it in 2025 into GitHub Code Security (CodeQL scanning, Copilot Autofix, security campaigns, Dependency Review Action) and GitHub Secret Protection (secret scanning, push protection). The practical effect: a team can now buy just code scanning for $30 per active committer per month on the Team plan, without paying for an Enterprise license or bundling in secret scanning. GitHub's stated goal was accessibility — metered, pay-as-you-go billing instead of annual per-seat licenses locked to Enterprise Cloud or Server. For teams that were priced out of GHAS's Enterprise-only model, this is a real change. For teams already on Enterprise, it mostly means re-reading the invoice: the GHAS name persists on older contracts, but new purchases are Code Security and Secret Protection as separate line items.

How does CodeQL actually find vulnerabilities?

CodeQL treats your source code as a queryable relational database rather than scanning it line by line with regex or pattern matching. When CodeQL runs, it builds a "CodeQL database" from the codebase — extracting an abstract syntax tree, control-flow graph, and data-flow graph — then runs QL queries against it to trace how untrusted input reaches sensitive sinks (a SQL query, a file path, a deserialization call). This is why CodeQL catches taint-flow bugs like SQL injection or path traversal that a simple grep-style linter misses: it can follow a variable through several function calls and files. It's also why CodeQL is slower and more resource-intensive than pattern-based scanners — building the database for a large monolith (say, a multi-million-line Java service) can take 20-40+ minutes per run in GitHub Actions, and teams frequently have to tune build steps, memory limits, and timeouts to get compiled-language scans to complete reliably in CI.

Which languages and vulnerability classes does CodeQL cover — and which does it miss?

CodeQL analyzes ten languages today — C/C++, C#, Go, Java, Kotlin, Rust, Swift, JavaScript/TypeScript, Ruby, and Python — but has no first-party queries for PHP, Scala, Elixir, or most infrastructure-as-code and configuration languages. That gap matters more than it sounds: PHP alone still powers a large share of the web (WordPress plugins, legacy enterprise apps), and teams running mixed-language stacks end up needing a second SAST tool just to cover the languages CodeQL doesn't touch. Even within supported languages, CodeQL is a single-repository, point-in-time analysis: it evaluates the code that's actually checked in and reachable through its own dataflow model, so it structurally can't catch business-logic flaws, most SSRF variants that depend on runtime configuration, or vulnerabilities that live in the dependency graph rather than first-party code (that's Dependabot's job, not CodeQL's). Academic benchmarking of SAST tools, including CodeQL, has repeatedly shown false-negative rates in the 30-50% range on intentionally vulnerable test suites like OWASP Benchmark, depending on the vulnerability class — command injection and XXE tend to be caught reliably, while more context-dependent bugs like broken access control are frequently missed by every SAST engine, CodeQL included.

Does CodeQL scanning cover the software supply chain, or just first-party code?

No — CodeQL is scoped to code you wrote and checked into the repository it's scanning, not the packages you pulled in from npm, PyPI, Maven Central, or a container base image. GitHub's supply chain story lives in adjacent products: Dependabot alerts (powered by the GitHub Advisory Database) for known-vulnerable dependency versions, and the Dependency Review Action to flag risky changes in a pull request diff. None of these evaluate whether a package itself has been compromised — a typosquat, a maintainer account takeover, a malicious post-install script, or a build pipeline injecting code after the fact, the kind of attack that hit xz-utils in March 2024, event-stream in 2018, and dozens of npm packages since. CodeQL's dataflow analysis also doesn't extend into third-party SBOMs, container layers, or CI/CD pipeline configuration — a gap that matters because Gartner and others have repeatedly flagged pipeline and dependency compromise, not first-party logic bugs, as the fastest-growing class of breach in the last three years.

What does it cost to actually run GitHub Code Security at scale?

At $30 per active committer per month, a 500-developer engineering org pays roughly $180,000 per year for code scanning alone, before adding Secret Protection at $19/committer/month (another ~$114,000/year) or Enterprise licensing. "Active committer" billing (metered, based on who actually pushed code in a billing period) is more forgiving than legacy flat per-seat GHAS pricing, but it also means costs scale directly with team growth and contractor churn — a company that doubles its engineering headcount doubles its Code Security bill with no volume discount built into the public pricing. That cost also buys SAST scanning, not remediation prioritization: CodeQL produces alerts ranked by rule severity, not by exploitability, deployment exposure, or whether the affected code path is even reachable in production, which is why many GHAS/Code Security customers still triage alerts manually or bolt on a separate prioritization layer.

How Safeguard Helps

CodeQL is a strong choice for first-party static analysis inside GitHub's ecosystem, and Safeguard doesn't try to replace it — teams that already pay for GitHub Code Security should keep it. What Safeguard adds is everything CodeQL structurally can't see: the software supply chain itself. Safeguard continuously monitors your open-source dependencies, container images, and CI/CD pipelines for compromise indicators — malicious package updates, typosquats, build-time tampering, and secrets or credentials leaking through third-party actions — rather than just flagging known-CVE version mismatches after the fact. Where CodeQL's severity scoring is static and rule-based, Safeguard correlates findings across your dependency graph, deployment reachability, and pipeline configuration so security teams can prioritize the handful of alerts that are actually exploitable in your environment, instead of triaging hundreds of CodeQL and Dependabot findings by hand. And because Safeguard is platform-agnostic, it works whether your code lives on GitHub, GitLab, or Bitbucket, and across the PHP, Scala, and infrastructure-as-code files that CodeQL doesn't scan at all — closing the gap between "this SAST tool found a bug in our code" and "our software supply chain is actually secure end to end." For teams running GitHub Code Security today, Safeguard sits alongside it as the layer that watches the parts of the pipeline CodeQL was never built to see.

Sources:

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.