Simon Gerst & Peter Stöckli

Talk Title :

Identify vulnerabilities using CodeQL

Abstract :

CodeQL is GitHub's expressive language and engine for code analysis, which allows you to explore source code to find bugs and security vulnerabilities. CodeQL is free for OSS, and comes bundled with hundreds of security and quality queries that you can use out-of-the-box to scan open source projects.

In this workshop we'll start with explaining how to use the codeql tool, explain the basic structure of a CodeQL query, and then show how to use classes and predicates to improve query readability. After that, we'll focus on data flow analysis and taint tracking which we then use for writing a real world query.

Starting with a CVE description and an advisory for [CVE-2022-41852] we'll incrementally develop a query for it and show how you can then use the multi repository variant analysis beta to find vulnerable projects across GitHub.

Learning Goals
  • Get to know the basic structure of a CodeQL query.
  • Use the CodeQL libraries for Java.
  • Learn to build and structure queries using classes and predicates.
  • Use data flow analysis and taint tracking to find a real-world RCE vulnerability.
  • No prior CodeQL knowledge required.
  • Basic knowledge of the Java programming language.
  • Please prepare a laptop using the following instructions (local or cloud-based setup):

Bio :

Simon Gerst is a computer science student and security researcher with multiple CVEs to his name. He discovered CodeQL in 2020 and has been using it ever since to model vulnerabilities and to find and fix them at scale. Several of his vulnerability queries have been included in the default CodeQL query set and are being run across

He also is an expert on insecure GitHub Actions and has found instances in repositories from GitHub, Microsoft and others. He's a GitHub Security Ambassador and proud member of the KITCTF team. You can read his blog at

Want to connect with Simon Gerst?

Peter Stöckli is a security researcher with GitHub Security Lab since 2022. On his job Peter works with CodeQL to identify vulnerabilities in popular open-source projects and help the community to build projects securely. Prior to joining GitHub Peter worked as a security software engineer for a Swiss company developing identity and access management (IAM) products. While Peter feels at home in the world of Java, C# and Go, Peter recently started mining in the Ruby world and does not regret it.

Want to connect with Peter Stöckli?