Foil vs CodeQL.
CodeQL is GitHub's query-based analysis engine — it builds a code database, then runs QL queries against it. GitHub's Copilot Autofix sits on top and generates cloud-side AI fixes for CodeQL findings. Foil offers a different tradeoff — instant scanning with no build step, and AI inference that runs on your own machine.
By Vito Rallo, Security Engineer at Peach Studio · Last updated April 2026
| Feature | Foil | CodeQL |
|---|---|---|
| Analysis method | On-device LLM (semantic reasoning) | Query language over code database (QL) |
| Setup required | Install and scan — no build step | Build CodeQL database first, then run queries |
| Logic-level vulnerability detection | Yes — auth bypasses, IDOR, race conditions | Yes — with custom QL queries (expert-level) |
| Code leaves your machine | Never | No (CLI CodeQL) / Yes (GitHub Advanced Security on GitHub.com) |
| Fix generation | Deep Dive & Deep Scan rewrite code with explanation (on-device) | Copilot Autofix (GitHub Advanced Security) generates fixes for C/C++, C#, Go, Java/Kotlin, JS/TS, Python, Ruby, Swift, Rust |
| Custom rules | Yes (Developer plan, simple format) | Yes (QL language — steep learning curve) |
| Languages | 7 (Python, JS, TS, Go, Java, Ruby, C#) | C/C++, Java, C#, Python, JS, Go, Ruby, Swift, Kotlin |
| IDE integration | VS Code (coming soon) | VS Code (via GitHub) |
| Dataflow / taint analysis | LLM-based reasoning (implicit) | Deep dataflow with interprocedural tracking |
| CI/CD integration | CLI-based, JSON export | Native GitHub Actions, SARIF |
| Pricing | Free (Community) / €19 per user per month (Developer) | Free for OSS on GitHub / GitHub Advanced Security (paid add-on) for private repos |
| Runs on | macOS (Apple Silicon) | Any OS (CLI), GitHub Cloud |
When to choose Foil
- You want instant results — no database build step
- You want AI-generated fixes, not just finding reports
- You don't want to learn a query language to write custom rules
- You want fully offline, privacy-first scanning
When to choose CodeQL
- You need deep interprocedural dataflow and taint tracking
- You need support for C/C++, Java, C#, Ruby, Swift, Kotlin
- You're on GitHub and want native Actions integration, plus Copilot Autofix for AI-generated fixes on PRs (GitHub Advanced Security)
- You have QL expertise and want maximum query expressiveness