Semantic code analysis
heyGRC and CodeQL
CodeQL is a powerful security-analysis engine: it treats code as data and runs semantic queries to trace dataflow and find vulnerabilities. heygrc is not another vulnerability engine; it reviews a change against your compliance frameworks and names the control it touches. A vulnerability query and a compliance control answer different questions, so the two complement each other.
What CodeQL focuses on
- Semantic, dataflow-based analysis of code for security issues.
- A query language for expressing vulnerability patterns.
- Deep analysis across a codebase's structure.
What heygrc adds alongside it
- Whether a change touches a framework control, cited at the clause (for example SOC 2 CC6.7), alongside the security analysis.
- A compliance reading mapped to the framework you are audited on, expressed as the specific control.
- A compliance-control reading for logging, retention, and access obligations (for example ISO 27001 A.8.15).
Use them together
Let CodeQL run the deep security analysis; let heygrc tell you when a change touches a compliance control.