ShipSafe
Enterprise code scanning vs. paste-a-URL

ShipSafe vs. GitHub CodeQL

CodeQL is a world-class query engine. But on private repos it lives inside GitHub Advanced Security — an enterprise add-on priced per committer — and it answers in QL, not English.

Free scan · 2 minutes · No card needed

Straight talk

The honest version

CodeQL is genuinely elite. It treats your code as a queryable database and powers GitHub's code scanning. On public repositories it's free, and the default query packs catch a wide range of real vulnerabilities.

The catch for a founder: on private repos, CodeQL requires GitHub Advanced Security — specifically GitHub Code Security, about $30 per active committer per month, on a Team or Enterprise plan. Results land in the repo's Security tab as alerts, and getting beyond the defaults means learning CodeQL's query language. It's powerful, but it's an AppSec product for organizations.

ShipSafe runs on your private repo with no GHAS license, no QL, and no Security-tab triage. Paste a GitHub URL and get logic-level findings — IDOR, broken auth, hardcoded secrets — in plain English with a fix.

Side by side

ShipSafe vs CodeQL, side by side

Runs on private repos free
  ShipSafe:      Any GitHub repo, no license
  CodeQL / GHAS: Needs GitHub Advanced Security (paid add-on)

Finds logic-level auth bugs
  ShipSafe:      IDOR, inverted auth, ownership, in plain English
  CodeQL / GHAS: Powerful queries; defaults are general; custom needs QL

Who it's built for
  ShipSafe:      Solo founders, no security background
  CodeQL / GHAS: AppSec & platform teams on GitHub Enterprise

Setup
  ShipSafe:      Paste a GitHub URL · ~2 min
  CodeQL / GHAS: Enable GHAS, configure code scanning, maybe write QL

Output
  ShipSafe:      Plain English + copy-paste AI Fix Prompt
  CodeQL / GHAS: Alerts in the Security tab (SARIF)

Tuned for AI-generated code
  ShipSafe:      Built for Cursor/Lovable/Bolt/v0/Replit output
  CodeQL / GHAS: General-purpose queries

Pricing model
  ShipSafe:      Flat $0–$39/mo, self-serve
  CodeQL / GHAS: GHAS ~$30/committer/mo on private; free on public repos

Credit where due

Where CodeQL is the right call

  • Your code is already on GitHub Enterprise and you can enable Advanced Security.
  • You have AppSec engineers comfortable writing and tuning CodeQL queries.
  • Your repos are public (CodeQL code scanning is free there).
  • You want code scanning wired into the GitHub-native PR + Security-tab workflow.

The catch

Where it leaves a solo founder exposed

  • On private repos, you can't use CodeQL without paying for GitHub Advanced Security.
  • Default queries are general-purpose; the logic bugs typical of AI-generated code need luck or custom QL.
  • Alerts arrive as Security-tab entries and SARIF — not 'an attacker can do X.'
  • Per-committer enterprise pricing is overkill for a solo founder shipping one app.

Frequently Asked Questions

Is CodeQL free?
On public repositories, yes. On private repos it requires GitHub Advanced Security — GitHub Code Security is about $30 per committer per month — on a Team or Enterprise plan. ShipSafe scans private repos with no add-on.
Do I need to learn CodeQL?
For the default queries, no — but to catch anything beyond them you write CodeQL, which has a real learning curve. ShipSafe needs zero query language.
CodeQL vs ShipSafe?
CodeQL is a powerful engine for AppSec teams inside GitHub. ShipSafe is a paste-a-URL, plain-English scanner for founders. Different users, different output.
Where do CodeQL results show up?
In your repo's Security tab as code-scanning alerts. ShipSafe gives you a plain-English report and a copy-paste fix prompt instead.

No GHAS license. No QL. Just an answer.

Scan your private repo without GitHub Advanced Security. Paste a GitHub URL — 2 minutes, plain English, copy-paste fix.

No credit card required. See all plans