diff --git a/pkgs/development/tools/analysis/codeql/default.nix b/pkgs/development/tools/analysis/codeql/default.nix
new file mode 100644
index 00000000000..e5770800199
--- /dev/null
+++ b/pkgs/development/tools/analysis/codeql/default.nix
@@ -0,0 +1,61 @@
+{ stdenv
+, fetchzip
+, zlib
+, xorg
+, freetype
+, alsaLib
+, jdk11
+, curl
+, lttng-ust
+, autoPatchelfHook
+}:
+
+stdenv.mkDerivation rec {
+  pname = "codeql";
+  version = "2.0.0";
+
+  dontConfigure = true;
+  dontBuild = true;
+  dontStrip = true;
+
+  src = fetchzip {
+    url = "https://github.com/github/codeql-cli-binaries/releases/download/v${version}/codeql.zip";
+    sha256 = "1v6wzjdhfws77fr5r15s03f1ipzc1gh7sl8gvw1fb4pplpa2d08s";
+  };
+
+  nativeBuildInputs = [
+    zlib
+    xorg.libX11
+    xorg.libXext
+    xorg.libXi
+    xorg.libXtst
+    xorg.libXrender
+    freetype
+    alsaLib
+    jdk11
+    stdenv.cc.cc.lib
+    curl
+    lttng-ust
+    autoPatchelfHook
+  ];
+
+  installPhase = ''
+    # codeql directory should not be top-level, otherwise,
+    # it'll include /nix/store to resolve extractors.
+    mkdir -p $out/{codeql,bin}
+    cp -R * $out/codeql/
+
+    ln -sf $out/codeql/tools/linux64/lib64trace.so $out/codeql/tools/linux64/libtrace.so
+
+    sed -i 's;"$CODEQL_DIST/tools/$CODEQL_PLATFORM/java/bin/java";"${jdk11}/bin/java";' $out/codeql/codeql
+
+    ln -s $out/codeql/codeql $out/bin/
+  '';
+
+  meta = with stdenv.lib; {
+    description = "Semantic code analysis engine";
+    homepage = "https://semmle.com/codeql";
+    maintainers = [ maintainers.dump_stack ];
+    license = licenses.unfree;
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index fb46c31c7f0..48587be70b5 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -813,6 +813,8 @@ in
 
   cloudflare-wrangler = callPackage ../development/tools/cloudflare-wrangler { };
 
+  codeql = callPackage ../development/tools/analysis/codeql { };
+
   container-linux-config-transpiler = callPackage ../development/tools/container-linux-config-transpiler { };
 
   ccextractor = callPackage ../applications/video/ccextractor { };