CodeQL documentation

CodeQL 2.12.4 (2023-03-09)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.12.4 runs a total of 385 security queries when configured with the Default suite (covering 154 CWE). The Extended suite enables an additional 122 queries (covering 31 more CWE).


Breaking Changes

  • The default value of the --mode switch to codeql pack install has changed. The default is now --mode minimal-update. Previously, it was use-lock.


  • The --freeze switch for codeql pack create, codeql pack bundle, and codeql pack publish is now deprecated and ignored, as there is no longer a cache within a pack.
  • The --mode update switch to codeql pack resolve-dependencies is now deprecated. Instead, use the new --mode upgrade switch, which has identical behavior.
  • The --mode switch to codeql pack install is now deprecated.
    • Instead of --mode update, use codeql pack upgrade.
    • Instead of --mode verify, use codeql pack ci.

New Features

  • The per-pack compilation cache has been replaced with a global compilation cache found within ~/.codeql.
  • codeql pack install now uses a new algorithm to determine which versions of the pack’s dependencies to use, based on the PubGrub algorithm. The new algorithm is able to find a solution for many cases that the previous algorithm would fail to solve. When the new algorithm is unable to find a valid solution, it generates a detailed error message explaining why there is no valid solution.
  • Added a new command, codeql pack upgrade. This command is similar to codeql pack install, except that it ignores any existing lock file, installs the latest compatible version of each dependency, and writes a new lock file. This is equivalent to codeql pack install --mode update. Note that the --mode switch to codeql pack install is now deprecated.
  • Added a new command, codeql pack ci. This command is similar to codeql pack install, except if the existing lock file is missing, or if it conflicts with the version constraints in the qlpack.yml file, the command generates an error. This is equivalent to codeql pack install --mode verify. Note that the --mode switch to codeql pack install is now deprecated.

Query Packs

Minor Analysis Improvements


  • The query go/incorrect-integer-conversion now correctly recognizes guards of the form if val <= x to protect a conversion uintX(val) when x is in the range (math.MaxIntX, math.MaxUintX].


  • The js/regex-injection query now recognizes environment variables and command-line arguments as sources.

Language Libraries

Breaking Changes


  • The CryptographicOperation concept has been changed to use a range pattern. This is a breaking change and existing implementations of CryptographicOperation will need to be updated in order to compile. These implementations can be updated by:
    1. Extending CryptographicOperation::Range rather than CryptographicOperation
    2. Renaming the getInput() member predicate as getAnInput()
    3. Implementing the BlockMode getBlockMode() member predicate. The implementation for this can be none() if the operation is a hashing operation or an encryption operation using a stream cipher.

Major Analysis Improvements


  • We use a new analysis for the call-graph (determining which function is called). This can lead to changed results. In most cases this is much more accurate than the old call-graph that was based on points-to, but we do lose a few valid edges in the call-graph, especially around methods that are not defined inside its class.

Minor Analysis Improvements


  • The query cs/static-field-written-by-instance is updated to handle properties.
  • C# 11: Support for explicit interface member implementation of operators.
  • The extraction of member modifiers has been generalized, which could lead to the extraction of more modifiers.
  • C# 11: Added extractor and library support for file scoped types.
  • C# 11: Added extractor support for required fields and properties.
  • C# 11: Added library support for checked operators.


  • Added new sinks for java/hardcoded-credential-api-call to identify the use of hardcoded secrets in the creation and verification of JWT tokens using com.auth0.jwt. These sinks are from an experimental query submitted by @luchua.
  • The Java extractor now supports builds against JDK 20.
  • The query java/hardcoded-credential-api-call now recognizes methods that accept user and password from the SQLServerDataSource class of the Microsoft JDBC Driver for SQL Server.


  • Fixed module resolution so we properly recognize definitions made within if-then-else statements.
  • Added modeling of cryptographic operations in the hmac library.


  • Flow is now tracked between ActionController before_filter and after_filter callbacks and their associated action methods.
  • Calls to ApplicationController#render and ApplicationController::Renderer#render are recognized as Rails rendering calls.
  • Support for Twirp framework.
  • © GitHub, Inc.
  • Terms
  • Privacy