What is a CodeQL database, and how is it used in code scanning?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

What is a CodeQL database, and how is it used in code scanning?

Explanation:
A CodeQL database is a semantic model of code for a specific programming language. It stores structured facts about the code—definitions, references, control flow, data flow, types, and other language relationships—that CodeQL uses to reason about how the code behaves. During code scanning, CodeQL treats this database as the data source for its queries: you write queries in CodeQL to look for patterns that indicate vulnerabilities or quality issues, and the engine runs those queries against the database to find exact code locations where problems appear. This makes analysis precise and scalable across large codebases, because the database encodes meaning beyond just the raw text. It’s generated from the project’s source (or build artifacts) and is language-specific, with different databases for different languages.
