codeql

Subscribe to all “codeql” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

CodeQL support for Java and C# private registries is now generally available

When CodeQL scans repositories with Java and/or C# code that depend on packages in private registries—but don’t include those registry addresses in their Maven, Gradle, or NuGet configuration files—the analysis now uses private registry addresses configured at the organization level. This makes it even easier to roll out CodeQL’s Java and C# analysis at scale.

Last year we enabled CodeQL build-mode: none scans to access private dependencies stored in private registries (e.g. Artifactory) for Java and C# projects. This required the addresses of the private registry to be defined in the project configuration. With this change, projects that relied on configurations defined in the build systems or locations external to the project will be able to use private registries.

This makes your scans more comprehensive, ensuring you receive all important alerts regardless of where your dependencies are stored.

This officially marks the end of the preview phase for CodeQL Java/C# private registry support; this feature is now generally available on GitHub.com. It will also roll out with GitHub Enterprise server version 3.18.

See more

CodeQL 2.21.0 supports TypeScript 5.8 and expands language coverage

CodeQL version 2.21.0 has been released and includes TypeScript 5.8 support, a new Java query to detect exposed Spring Boot actuators, and support for new JavaScript libraries.

TypeScript 5.8 support

CodeQL can now analyze code written in TypeScript version 5.8, helping you find and automatically remediate security issues in the latest TypeScript projects, all without additional configuration.

Improved Java analysis

The community-contributed query java/spring-boot-exposed-actuators by @ggolawski has been promoted out of experimental status and is now included in the default code scanning query pack. This query helps you identify publicly accessible Spring Boot actuators, preventing unintended information disclosure.

Expanded JavaScript framework coverage

We’ve extended our JavaScript analysis to include popular modern frameworks and libraries:

  • Apollo Server: Added support for analyzing data coming from GraphQL when using @apollo/server.
  • React Relay: Added analysis support for React applications using the react-relay library.
  • SAP ecosystem: Added CodeQL support for analysis of SAP packages, including @sap/hana-client, @sap/hdbext, and hdb.
  • TanStack: Added support for analyzing applications using the @tanstack/angular-query-experimental package.

For a full list of changes, please refer to the complete changelog for version 2.21.0. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.21.0 will also be included in GitHub Enterprise Server (GHES) version 3.18. If you use an older version of GHES, you can manually upgrade your CodeQL version.

See more

Removing hardcoded secrets detection from CodeQL

Starting May 30, 2025, CodeQL will no longer generate code scanning alerts for hardcoded secrets. Instead, we recommend using secret scanning to detect hardcoded secrets in your repositories, which has greater precision and recall than CodeQL. Secret scanning is a feature of GitHub Secret Protection.

Learn more about secret scanning, which scans your repositories for over 300 hardcoded secrets and uses Copilot to detect generic passwords. By using this detection instead of CodeQL, all your alerts for hardcoded secrets can be managed in one place.

What’s changing?

We’re disabling CodeQL detection of hardcoded secrets on May 30, 2025. This aligns with the release of CodeQL 2.21.4. We’ll post a follow-up notice to the GitHub changelog when this is complete. Once these checks are disabled, the next time your repository is analyzed using CodeQL, any code scanning alerts for hardcoded secrets will close. These alerts will stay in your historical security alert backlog.

These changes will also be included with GHES 3.18.

The following CodeQL queries will be disabled:

  • js/hardcoded-credentials
  • swift/hardcoded-key
  • swift/constant-password
  • cs/password-in-configuration
  • cs/hardcoded-credentials
  • js/password-in-configuration-file
  • py/hardcoded-credentials
  • go/hardcoded-credentials
  • rb/hardcoded-credentials
  • cs/hardcoded-connection-string-credentials
  • java/password-in-configuration

Why are we doing this?

The hardcoded secrets queries in CodeQL are redundant to the capabilities of secret scanning, which can result in duplicate alerts for the same secret. This creates unnecessary effort spent on manual deduplication of secret scanning and code scanning alerts. Secret scanning has superior accuracy and recall for detecting hardcoded secrets and provides additional metadata that’s helpful for remediation.

How do I get started?

Check out this introduction to getting started with GitHub Secret Protection:

Watch this video to learn more about deploying and managing Secret Protection at scale:

See more

Security campaigns are now generally available to help address security debt at scale

Security campaigns are now generally available

Security campaigns with Copilot Autofix are now generally available. As part of GitHub Code Security, you can use security campaigns to prioritize and rapidly reduce your backlog of application security debt. Copilot Autofix generates contextual explanations and fixes for historical code scanning alerts in a security campaign, which help developers and security teams collaborate to fix vulnerabilities with speed and confidence.

With the help of GitHub’s CodeQL and Copilot Autofix, it has never been easier to prevent new vulnerabilities from being added to your code. However, if you don’t address vulnerabilities discovered in already-merged code, security debt can build up and pose a serious risk to deployed applications.

A security campaign on GitHub can contain a large number of code scanning alerts, prioritized by your security team to be fixed within a chosen timeframe. When a campaign is created, Copilot Autofix automatically suggests fixes, and developers who are most familiar with the code are notified. From there, they can review the fixes, open pull requests, and remediate security debt. Security teams can monitor the progress of the campaign and track the number of fixed alerts. Using security campaigns, security and developer teams work together with Copilot Autofix to remove security debt in targeted efforts aimed at maximizing impact by focusing on the alerts that matter.

Starting today, you can also access these new features to plan and manage security campaigns more effectively:

  • Draft security campaigns: Security managers can now iterate on the scope of campaigns and save them as draft campaigns before making them available to developers. With draft campaigns, security managers can ensure that the highest priority alerts are included before the work goes live.
  • Automated GitHub issues: Security managers can optionally create GitHub issues in repositories that have alerts included in the campaign. These issues are created and automatically updated as the campaign progresses and can be used by teams to track, manage, and discuss campaign-related work.
  • Organization-level security campaign statistics: Security managers can now view aggregated statistics showing the progress across all currently-active and past campaigns.

Security campaigns are available for users of GitHub Code Security on GitHub Enterprise Cloud. For more information about security campaigns, see About security campaigns in the GitHub documentation.

If you have any feedback on security campaigns, join the discussion in GitHub Community.

See more

CodeQL adds support for Java 24 and other improvements in version 2.20.6

CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.20.6, which brings support for a new version of Java and a variety of other improvements that improve the accuracy of your code scanning results:

Java

  • CodeQL now supports Java version 24
  • We’ve improved the accuracy of the (java/xss) query when javax.servlet.http.HttpServletResponse is used without an exploitable content type

JavaScript / TypeScript

  • We’ve added support for the response threat model, which can be enabled with advanced setup. When enabled, the response data coming back from an outgoing HTTP request is considered a tainted source.
  • We’ve improved the precision of data flow through arrays and call resolution logic, both resulting in improved analysis results

C/C++

  • We’ve improved the accuracy of the cpp/static-buffer-overflow query, resulting in improved results

C#

  • We’ve improved the precision of the cs/call-to-object-tostring query, resulting in improved analysis results

GitHub Actions (Public Preview)

  • We’ve removed the query actions/unversioned-immutable-action from the public suite of queries, which will close any alerts triggered from it

For a full list of changes, please refer to the complete changelog for version 2.20.6. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on GitHub.com. The new functionality in CodeQL 2.20.6 will also be included in GitHub Enterprise Server (GHES) version 3.17. If you use an older version of GHES, you can manually upgrade your CodeQL version.

See more

Java CSRF, Go 1.24 and C# 13 language features support available in CodeQL 2.20.5

CodeQL version 2.20.5 has been released and includes a host of coverage improvements, including extended support for C# 13 and new detection capabilities for Java and GitHub Actions workflow files.

CodeQL is the static analysis engine that powers GitHub code scanning, which finds and remediates security issues in your code.

CodeQL 2.20.5 adds full support for new language features introduced in C# 13 / .NET 9, as well improved coverage for .NET 9. This will improve the detection of alerts and reduce the chance of false negative results.

CodeQL Java analysis is improved with additional support for Cross Site Request Forgery (CSRF). The new analysis capability detects vulnerabilities that occur when using HTTP request types that are not protected against cross site requests by default.

Go analysis has been updated to support Go 1.24, which includes new language features and improvements. This will improve the detection of alerts and reduce the chance of false negative results.

For a full list of changes, please refer to the complete changelog for version 2.20.5. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on GitHub.com. The new functionality in CodeQL 2.20.5 will also be included in GitHub Enterprise Server (GHES) version 3.17. If you use an older version of GHES, you can manually upgrade your CodeQL version.

See more

Improved code scanning coverage for GitHub Actions (Public Preview)

We recently launched analysis capabilities for GitHub Actions workflow files in public preview.

With the release of CodeQL 2.20.5, we are expanding the analysis capabilities to detect additional types of security risks associated with Actions workflow files and we have adjusted some of the existing queries.

The analysis coverage is improved with the addition of five new queries that identify additional types of security risks associated with Actions workflow files. The new queries are:

  • actions/envpath-injection/medium detects situations where user-controlled sources (like the text of a GitHub issue) are used to populate the PATH environment variable. This could allow an attacker to alter the execution of system commands.
  • actions/envvar-injection/medium detects situations where environment variables which are not properly sanitized can lead to the injection of additional unwanted variables, using new lines or {delimiters}.
  • actions/code-injection/medium– detects situation where user-controlled input can end up in contexts like run: or script:, leading to malicious code being executed and secrets being leaked.
  • actions/artifact-poisoning/medium detects situations where artifacts are not correctly extracted, stored and verified, which could result in a poisoned artifact being executed, leading to repository compromise.
  • actions/untrusted-checkout/medium detects situations where workflows triggered by events like pull_request_target or issue_comment can execute arbitrary code from untrusted sources, if followed by an explicit checkout.

Because of its lower precision and the large number of alerts it generates, the query actions/unpinned-tag has been moved to the security-extended query suite from the default query suite, and all existing alerts for this query will be automatically closed if the security-extended suite is not being used.

Three queries have been removed from the default and security-extended query suites because they do not produce relevant security alerts. Alerts generated by these queries will be closed automatically.

These changes are now available with the release of CodeQL 2.20.5. For a full list of changes, please refer to the complete changelog for version 2.20.5. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on GitHub.com. The new functionality in CodeQL 2.20.5 will also be included in GitHub Enterprise Server (GHES) version 3.17. If you use an older version of GHES, you can manually upgrade your CodeQL version.

See more

It is easier to track your progress with fixed code scanning CodeQL security alerts on the Security Overview page

Now it is easier to see how many of your historical CodeQL alerts received autofix suggestions and how many of those alerts were resolved across all the repositories in your organization.

Historical alerts are those found in your default and protected branches, indicating potential existing security issues in your code. You can stay informed about the progress of historical alert resolution and expediting this process as it is essential for accurately assessing your security risks.

Screenshot of total alerts fixed with an accepted autofix out of all with a suggested autofix.

The new “Alerts fixed with autofix suggestions” tile on the Security Overview provides you with the total number of fixed vulnerabilities compared to the total suggested autofixes for existing alerts. This will help you stay informed about the security trends in your organization.

Learn more about Copilot Autofix for CodeQL code scanning and security overview.

To leave feedback for Copilot Autofix for code scanning, join the discussion.

See more

Copilot Autofix is available for more code scanning alerts

Copilot Autofix helps you fix code scanning alerts and avoid introducing new security vulnerabilities by using large language models to suggest potential fixes.

We recently expanded the range of CodeQL security alerts where Copilot can suggest an autofix, covering a group that accounts for 29% of all CodeQL alerts. This expansion led to an 8% overall increase in alerts with an available autofix and a 270% increase in autofixes for this specific group of improved alerts. With more autofix suggestions, you can resolve security issues identified by CodeQL more easily—either by applying Copilot’s suggested fix directly or using it as a starting point for your own edits.

We made these improvements by analyzing our usage data to understand the most common types of alerts where Copilot was not suggesting fixes and then made a targeted effort to improve autofix for these alerts. Read more about the testing process that GitHub uses to identify the quality of autofix suggestions.

We continuously evaluate the performance of CodeQL and Copilot Autofix, so look for more improvements in the future.

See more

CodeQL performance and coverage improvements in recent releases

CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. The CodeQL engine has become faster, covers 28 more security queries, supports more ecosystems, and can now scan GitHub Actions (public preview)—among various other bug fixes and small improvements.

All of these improvements were automatically rolled out to code scanning users in the past few months. For users of the CodeQL CLI, here are some highlights of the past few CodeQL releases:

  • CodeQL 2.20.46 February 2025
    • Analysis support for GitHub Actions workflow files is now in public preview, and therefore the use of the actions language (for analysis of GitHub Actions workflows) no longer requires the CODEQL_ENABLE_EXPERIMENTAL_FEATURES environment variable to be set.
    • All experimental queries for C#, Java, and Kotlin have been migrated to the default query suite in the CodeQL community packs that are managed by GitHub Security Lab.
  • CodeQL 2.20.324 January 2025
    • Resolves a security vulnerability where CodeQL databases or logs produced by the CodeQL CLI may contain the environment variables from the time of database creation. This includes any secrets stored in an environment variables. For more information, see the CodeQL CLI security advisory.
  • CodeQL 2.20.222 January 2025
    • All data flow queries have been standardized on a single data flow library, which may result in differences for JavaScript and TypeScript analysis.
    • CodeQL databases now take 2-3x less space on disk, which makes them faster to transfer and read/manipulate. This is thanks to a new compressed database format.
  • CodeQL 2.20.19 January 2025
    • CodeQL is now easier to set up and roll out: automatic build command detection with automatic dependency installation for C/C++ is now supported on Ubuntu 24.04.
    • A new Server Side Template Injection query for Python has been released, thanks to a community contribution.
    • Swift 6.0.2 is now supported.
  • CodeQL 2.19.42 December 2024
  • CodeQL 2.19.37 November 2024
    • Analysis for .NET 8 and JDK 17 has been improved.
    • The CodeQL Bundle is now available as an artifact that is compressed using Zstandard. This artifact is smaller and faster to decompress than the original, gzip-compressed bundle. The CodeQL bundle is a tar archive containing tools, scripts, and various CodeQL-specific files.
  • CodeQL 2.19.221 October 2024
    • Analysis of Python apps now has significantly faster extraction and analysis times.
  • CodeQL 2.19.14 October 2024
    • Java 23 is now supported.
    • A new command, codeql resolve packs, shows each step in the pack search process, including what packs were found in each step.

Detailed changelogs for every CodeQL release are available in the CodeQL documentation, and new CodeQL releases occur roughly every two weeks.

For GitHub Enterprise Server customers: All new functionality from CodeQL releases 2.19.0 through 2.20.3 will be included in GHES 3.16 and the latest patch versions of 3.12-3.15. Functionality from 2.20.3 and later 2.20.X versions will be included in 3.17. If you use an older version of GHES, you can manually upgrade your CodeQL version.

See more

Edit and validate Copilot Autofix suggestions with Copilot Workspace

Copilot Autofix suggestions for code scanning alerts can now be edited and validated using Copilot Workspace for pull requests.

Copilot Workspace for Copilot Autofix for code scanning

With this, GitHub Advanced Security users can:

  • Review and integrate Copilot Autofix suggestions within the context of the pull request, benefiting from an improved diff-viewing experience.
  • Refine and address code scanning alerts directly within the pull request, utilizing an enhanced code editing experience.
  • Build, test, and run proposed changes in the pull request without impacting your personal build and test environment.

All GitHub Advanced Security users can use this feature in private repositories on GitHub.com. A Copilot license is not required.

To learn more about code scanning alerts and Copilot Autofix, see About Copilot Autofix for CodeQL code scanning. If you have feedback regarding Copilot Autofix for code scanning, please join the discussion here.

See more

Recent improvements to security campaigns with Copilot Autofix (public preview)

We’re releasing various improvements to security campaigns to help security teams and developers collaborate more effectively to resolve security debt with the help of Copilot Autofix.

Security campaigns with Copilot Autofix were released in public preview at GitHub Universe.

Available as part of GitHub Advanced Security, security campaigns help you rapidly reduce your backlog of application security debt. With security campaigns, you can make sure your developers focus on the most important security alerts across your portfolio. Copilot Autofix also automatically generates contextual explanations and suggests fixes for alerts in a campaign.

Today we are announcing multiple improvements based on the customer feedback we have received during the security campaigns public preview:

  • The repository limit for security campaigns has increased from 100 to 1000, making it easier to create campaigns from more of your critical repositories.
  • Multiple users or teams can now be specified as campaign managers, giving application security teams greater flexibility in assigning responsibility for monitoring campaign progress and collaborating with developers on fixing alerts.
  • We’ve added a new contact link field in the security campaigns user interface to facilitate better communication between security teams and developers during campaigns.
  • Email notifications are now consolidated when security campaigns are created or closed. Developers watching multiple repositories included in the same campaign will receive a single email including details of all relevant repositories rather than one email per repository.
  • Security campaigns are available for users of GitHub Advanced Security on GitHub Enterprise Cloud.

For more information about security campaigns, see About security campaigns in the GitHub documentation. If you have any feedback on security campaigns, join the discussion in the GitHub Community.

See more

Code scanning caches dependencies for Java, Go & C#

GitHub Code Scanning powered by CodeQL now supports dependency caching for Java, Go, and C# projects. This feature ensures that scans can deliver meaningful results even if registries are temporarily unavailable, while also reducing overall scanning time after the cache is established.

Dependency Caching Availability:

  • Default Setup: For repositories using GitHub-hosted runners, dependency caching is automatically enabled for both public and private repositories during scans.
  • Advanced Setup: Users with custom configurations can manually enable dependency caching as needed.

This is now available on github.com.

See more

Code scanning: CodeQL Action v2 is now retired

On December 13, 2023, we released CodeQL Action v3, which runs on the Node.js 20 runtime. In January 2024, we announced that CodeQL Action v2 would be retired at the same time as GitHub Enterprise Server (GHES) 3.11. This retirement period has elapsed and CodeQL Action v2 is now discontinued. It will no longer be updated or supported, and while we will not be deleting it except in the case of a security vulnerability, workflows using it may eventually break. New CodeQL analysis capabilities will only be available to users of v3.

For more information about this retirement, please see the original retirement announcement from January 2024.

How does this affect me?

Default setup

Users of code scanning default setup do not need to take any action in order to automatically move to CodeQL Action v3.

Advanced setup

Users of code scanning advanced setup need to change their workflow files in order to start using CodeQL Action v3.

Users of GitHub.com and GitHub Enterprise Server 3.12 (and newer)

All users of GitHub code scanning (which by default uses the CodeQL analysis engine) on GitHub Actions on the following platforms should update their workflow files:

  • GitHub.com (including open source repositories, users of GitHub Teams and GitHub Enterprise Cloud)
  • GitHub Enterprise Server (GHES) 3.12 (and newer)

Users of the above-mentioned platforms should update their CodeQL workflow file(s) to refer to the new v3 version of the CodeQL Action. Note that the upcoming release of GitHub Enterprise Server 3.12 will ship with v3 of the CodeQL Action included.

Users of GitHub Enterprise Server 3.11 (and older)

GitHub Enterprise Server 3.11 (and older) is now retired. For more information on using the CodeQL Action on a retired GitHub Enterprise Server version, refer to the relevant sections of the CodeQL Action v2 retirement announcement.

Exactly what do I need to change?

To upgrade to CodeQL Action v3, open your CodeQL workflow file(s) in the .github directory of your repository and look for references to:

  • github/codeql-action/init@v2
  • github/codeql-action/autobuild@v2
  • github/codeql-action/analyze@v2
  • github/codeql-action/upload-sarif@v2

These entries need to be replaced with their v3 equivalents:

  • github/codeql-action/init@v3
  • github/codeql-action/autobuild@v3
  • github/codeql-action/analyze@v3
  • github/codeql-action/upload-sarif@v3

Can I use Dependabot to help me with this upgrade?

Yes, you can! For more details on how to configure Dependabot to automatically upgrade your Actions dependencies, please see this page.

See more

Organization Private Registry Configuration for Java and C# CodeQL Scans

CodeQL build-mode: none scans can now access private dependencies stored in private registries (e.g. Artifactory) for Java and C# projects. This makes your scans more comprehensive, ensuring you receive all important alerts regardless of where your dependencies are stored.

Previously, build-mode: none code scans with the default setup were unable to fetch code for dependent packages stored in private registries, which could result in incomplete analysis. Now, organization administrators can configure access credentials for private registries at the organization level. This enhancement allows CodeQL scans in child repositories to retrieve all necessary dependencies, enabling comprehensive code analysis when using the code scanning default setup.

This feature is currently in public preview for GitHub Advanced Security customers.

See more
View more changes