CodeQL is the gold standard of semantic SAST — it treats code as a queryable database.
But it was designed for CI/CD pipelines, not real-time AI code generation.
CodeQL is powerful — arguably the most sophisticated SAST tool available. But it solves a different problem than Acutis. CodeQL queries a full codebase for known vulnerability patterns. Acutis verifies individual AI-generated code snippets against formal properties in real time.
CodeQL creates a database from your source code — requiring a build for compiled languages and full source extraction for interpreted ones like Python and JavaScript. Either way, it needs an entire codebase, not an isolated code snippet generated mid-conversation.
CodeQL database creation and query execution takes seconds to minutes. Acutis verifies in 0.034ms. That's the difference between a tool that blocks the AI's workflow and one that's invisible.
Even with its semantic understanding, CodeQL relies on human-written QL queries to define what's vulnerable. Novel AI-generated patterns that no query covers will pass undetected. Acutis has no queries — unknown = dangerous.
| | Acutis | CodeQL |
|---|---|---|
| Analysis method | Property lattice — formal taint verification | QL queries against code database |
| Input | Individual code snippets + security contract | Full codebase (build for compiled langs, extraction for interpreted) |
| When it runs | Real-time during AI code generation | CI/CD after commit (or manual analysis) |
| Speed | 0.034ms per scan | Seconds to minutes (requires database creation + query execution) |
| Rule maintenance | Zero enumeration — AI provides semantics | QL query packs maintained by GitHub + community |
| Novel functions | Handled — unknown = dangerous by default | Depends on query coverage and taint configuration |
| Trust model | Zero trust — BLOCK on missing info | Permissive — only flags what queries match |
| Semantic understanding | AI-declared + formal property propagation | Deep — full AST, CFG, and data flow graphs |
| MCP integration | Yes — native, purpose-built | GitHub Advanced Security maintains a development MCP server (for writing queries, not scanning) |
| AI remediation loop | Yes — AI fixes and re-verifies automatically | Copilot Autofix suggests AI-generated fixes for CodeQL alerts in PRs |
| CWE coverage | CWE-79, CWE-89 (extensible) | Hundreds of CWEs |
| Language support | Python, JavaScript | 12+ compiled and interpreted languages |
| Cost | Free tier available | Free for open source; GitHub Advanced Security for private repos |
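The "Novel functions" and "Trust model" rows come down to one design decision: what a taint analysis does with a callee that has no declared semantics. The following Python verifier is an added illustration written for this page, not Acutis's or CodeQL's code. It scores each value with a set of labels (empty means clean, join is set union) under a small security contract of sources, sanitizers and sinks, and runs in two modes: zero-trust, where an undeclared callee adds an `unknown:` label and keeps whatever labels its arguments carried, so any sink it reaches is reported; and permissive, where an undeclared callee is assumed to return clean data and only declared source-to-sink matches are reported. The contract entries, the four snippets and the `my_validate` helper are all constructed for the example.

```python
"""Toy taint verifier contrasting zero-trust and permissive defaults; illustrative only."""
import ast
from collections import namedtuple

# Lattice element: the set of labels saying why a value is untrusted. Empty = CLEAN; join = union.
CLEAN = frozenset()


def join(*sets):
    return frozenset().union(*sets)


# sources/sanitizers: sets of callee names; sinks: callee -> (CWE id, index of the dangerous argument)
Contract = namedtuple("Contract", "sources sanitizers sinks")
Finding = namedtuple("Finding", "line callee cwe labels")  # labels: sorted tuple seen at the sink


def dotted(node):  # "request.args.get" for an attribute chain; None for dynamic callees
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class Verifier(ast.NodeVisitor):
    def __init__(self, contract, strict):
        self.contract, self.strict = contract, strict
        self.env, self.findings = {}, []  # env: variable name -> labels

    def unknown(self, what):
        # Zero-trust: a gap in semantics is itself a reason to block; permissive: it is harmless.
        return frozenset({f"unknown:{what}"}) if self.strict else CLEAN

    def labels_of(self, node):
        if isinstance(node, ast.Constant):
            return CLEAN
        if isinstance(node, ast.Name):
            return self.env.get(node.id, self.unknown(node.id))
        if isinstance(node, ast.Call):
            return self.call(node)
        if isinstance(node, (ast.BinOp, ast.BoolOp, ast.Compare, ast.JoinedStr, ast.FormattedValue,
                             ast.Tuple, ast.List, ast.Subscript, ast.Attribute)):
            # concatenation, f-strings, tuples, indexing: the join of all sub-expressions
            return join(*(self.labels_of(c) for c in ast.iter_child_nodes(node) if isinstance(c, ast.expr)))
        return self.unknown(type(node).__name__)

    def call(self, node):
        callee = dotted(node.func) or "<dynamic>"
        args = [self.labels_of(a) for a in node.args]
        if callee in self.contract.sources:
            return frozenset({f"source:{callee}"})
        if callee in self.contract.sanitizers:
            return CLEAN
        if callee in self.contract.sinks:
            cwe, idx = self.contract.sinks[callee]
            reaching = args[idx] if idx < len(args) else CLEAN
            if reaching:  # any label on the dangerous argument is a finding
                self.findings.append(Finding(node.lineno, callee, cwe, tuple(sorted(reaching))))
            return CLEAN
        # Undeclared callee: strict keeps the arguments' labels and adds its own; permissive assumes clean output.
        return join(self.unknown(callee), *args) if self.strict else CLEAN

    def visit_FunctionDef(self, node):
        for a in node.args.args:
            self.env[a.arg] = self.unknown(f"param:{a.arg}")
        for stmt in node.body:
            self.visit(stmt)

    def visit_Assign(self, node):
        value = self.labels_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                self.env[target.id] = value

    def visit_Expr(self, node):  # also handles `return <expr>`
        if node.value is not None:
            self.labels_of(node.value)

    visit_Return = visit_Expr


def verify(snippet, contract, strict=True):
    """Findings for one snippet; an empty list means it passed."""
    v = Verifier(contract, strict)
    v.visit(ast.parse(snippet))
    return v.findings


CONTRACT = Contract(  # constructed contract for the demo
    sources=frozenset({"request.args.get"}), sanitizers=frozenset({"html.escape"}),
    sinks={"cursor.execute": ("CWE-89", 0), "render_template_string": ("CWE-79", 0)})

SNIPPETS = {  # constructed stand-ins for AI-generated code; my_validate is a hypothetical helper
    "sqli_concat": 'def f(cursor, request):\n    uid = request.args.get("id")\n'
                   '    cursor.execute("SELECT * FROM users WHERE id = " + uid)\n',
    "sqli_param": 'def f(cursor, request):\n    uid = request.args.get("id")\n'
                  '    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))\n',
    "unknown_helper": 'def f(cursor, request):\n    uid = my_validate(request.args.get("id"))\n'
                      '    cursor.execute(f"SELECT * FROM users WHERE id = {uid}")\n',
    "xss_escaped": 'def g(request):\n    name = html.escape(request.args.get("name"))\n'
                   '    return render_template_string("<h1>Hi " + name + "</h1>")\n',
}
```

Calling `verify(SNIPPETS["unknown_helper"], CONTRACT)` reports a CWE-89 finding carrying both a `source:request.args.get` and an `unknown:my_validate` label, while `verify(..., strict=False)` passes the same snippet silently, which is the gap the "Novel functions" row describes. The parameterized query and the escaped template pass in both modes because the contract records which argument of each sink is dangerous, not merely that the sink was called. The walker is deliberately straight-line and flow-insensitive (no branch or loop handling), enough to show the default, not a substitute for either tool.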
To be fair:
CodeQL builds a full relational database from your code — AST, control flow graphs, data flow graphs, type hierarchies. Its query language can express extremely sophisticated vulnerability patterns that go far beyond simple pattern matching.
CodeQL analyzes your entire codebase at once, following data flows across files and modules. Acutis verifies individual snippets — it catches vulnerabilities at generation time, but doesn't have full codebase context.
CodeQL powers GitHub code scanning for millions of repositories. It's the gold standard for SAST in CI/CD pipelines, with years of query refinement and a large community.
CodeQL is the best SAST tool for CI/CD. Acutis is purpose-built for the AI coding loop. Use CodeQL to scan your full codebase after commits. Use Acutis to catch vulnerabilities before they're even committed. They protect different stages of the development lifecycle.