How much does CodeQL cost?

CodeQL pricing ranges from $0 to $49 per month across 3 published tiers. Higher tiers require contact with sales for a quote.

What rank does CodeQL hold in the Code Quality and Static Analysis category?

CodeQL ranks #8 of 10 code quality and static analysis platforms in the Zendikt editorial ranking, last updated 2026-05-10.

CodeQL review, pricing, and verified intelligence

Best for

GitHub-anchored engineering organizations, particularly those already on GitHub Enterprise that want the deepest semantic analysis on the market. Strong for security-engineering teams that can invest in custom CodeQL query development.

Worst for

Non-GitHub shops (effectively unavailable), buyers wanting plug-and-play SAST without query-language investment (Snyk Code or SonarQube better), or budget-conscious buyers (GitHub Advanced Security add-on is meaningful).

Vendor Trust Score

Is CodeQL a trustworthy vendor?

8.2/10

High trust

Pricing transparency

Published rates; no hidden fees

7.5

Contract fairness

Reasonable terms; no auto-renew traps

7.5

Incident response

How they handle outages and breaches

8.5

Post-acquisition behavior

Customer treatment after M&A or PE

8.5

Executive stability

Leadership churn over 24 months

9.0

Roadmap honesty

Public commitments held

8.0

Trust signal log

2019-09-18

GitHub acquires Semmle (CodeQL) from Semmle Ltd

Acquired semantic SAST engine; folded into GitHub Code Scanning by 2020.
2021-12-10

CodeQL identifies Log4Shell variants (CVE-2021-44228)

CodeQL queries identified Log4Shell variants in OSS; reinforced semantic-analysis credibility.
2024-04-15

GitHub Advanced Security pricing complaints persist

Customers continue to push back on the $49 per active committer/mo add-on not being bundled with GitHub Enterprise.

Vendor Trust is scored independently of product quality. A great product from an unfair vendor still earns a low trust score.

Review Intelligence

What 540 reviews actually say

Synthesized from G2, Capterra, Reddit, Trustpilot. Patterns >15% prevalence shown.

Last synthesized

2026-04-29

Praise patterns

Deepest semantic SAST on the market
87% →
Native GitHub integration
78% →
Free for public repositories
71% →
Strong for security-research teams
51% →

Complaint patterns

Outside GitHub effectively unavailable
47% →
CodeQL query language has a real learning curve
41% →
GitHub Advanced Security add-on pricing frustrates buyers
38% ↑
Scan times long on large repositories
31% →

Sentiment trend (6 months)

82/100 0 pts

Patterns are extracted from review corpus and human-verified. We surface trends, not anecdotes.

Verified Pricing

What buyers actually pay

246 anonymized deal disclosures · last updated 2026-05-01

Contribute your deal price

Company size	Median annual	Sample	vs. listed floor
Public repos / Community	$0	124	-
Mid-market (50 to 500 committers)	$29,400	78	-
Enterprise (500+ committers)	$294,000	44	-

Verified pricing is crowdsourced from buyers under anonymity guarantees. Vendor-listed prices are validated against actual deals quarterly.

Compliance & Security

Auto-verified certifications

Verified 2026-05-01

SOC 2 Type II

ISO 27001

HIPAA

GDPR

CCPA

PCI DSS

FedRAMP Authorized

Editorial: Strengths

Deepest semantic analysis (data-flow, taint tracking, control-flow) in the category
Native GitHub integration; first-class Code Scanning experience
Free for public repositories; strong OSS-research footprint
CodeQL query language is expressive for security researchers
Discovered novel vulnerability classes (CVE-2021-44228 Log4Shell variants)
Microsoft parent stability and roadmap investment
Bundled with GitHub Actions for CI/CD execution

Editorial: Weaknesses

Outside GitHub the product is effectively unavailable
CodeQL query language has a real learning curve
Scan times can be long on large repositories
GitHub Advanced Security pricing (~$49 per active committer/mo) frustrates buyers
Custom query development requires senior security-engineering capacity
Free tier only for public repos; private repos require paid add-on

Key features & integrations

+Semantic SAST across 10+ languages
+Data-flow plus taint-tracking plus control-flow analysis
+CodeQL query language for custom rules
+Native GitHub Code Scanning integration
+Free for public repositories
+Bundled with GitHub Advanced Security (private repos)
+OWASP Top 10, CWE Top 25 coverage
+CodeQL CLI for local research
+SARIF output for CI/CD integration
+Active community on the CodeQL queries repository

80+ integrations

GitHubGitHub ActionsVS CodeSlackJiraServiceNow

Geography supported

Global; strongest in US, EU, UK

Best fit

20 to 500,000+ employees · GitHub-anchored engineering organizations and security-research teams

Editorial deep-dive

Read our full ranking of Code Quality and Static Analysis

CodeQL ranks #8 in our editorial review of 10 code quality and static analysis platforms. The deep-dive covers methodology, comparison tables, decision matrix, migration scoring, and FAQs.

Read the full ranking

Closest alternatives in Code Quality and Static Analysis

Semgrep

Open-source-first code-quality and security with readable rules.

★ 4.6 partial

Codiga / Datadog Code Security

Datadog-anchored code security via the 2022 Codiga acquisition.

★ 4.3 partial

Checkmarx

Legacy enterprise SAST plus SCA plus IaC under PE control.

★ 4.2 opaque

Help the next buyer

Contribute your verified deal price

Pricing in B2B software is opaque because vendors want it that way. Verified buyer prices fix that, anonymously. Share what you actually paid for CodeQL; we’ll add it to the verified pricing dataset on this page (with company size band only, no identifying details).

Submit anonymously