CodeQL documentation

CodeQL 2.12.6 (2023-04-04)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.12.6 runs a total of 386 security queries when configured with the Default suite (covering 154 CWE). The Extended suite enables an additional 124 queries (covering 31 more CWE). 1 security query has been added with this release.


Bug Fixes

  • Fixed a bug in codeql database analyze and related commands where the --max-paths option was not respected correctly when multiple alerts with the same primary code location were grouped together. (This grouping is the default behavior unless the --no-group-alerts option is passed.) This bug caused some SARIF files produced by CodeQL to exceed the limits on the number of paths (threadFlows) accepted by code scanning, leading to errors when uploading results.

New Features

  • Several experimental subcommands have been added in support of the new code scanning tool status page. These include codeql database add-diagnostic, codeql database export-diagnostics, and the codeql diagnostic add and codeql diagnostic export plumbing subcommands.

Known Issues

  • We recommend that customers using the CodeQL CLI in a third party CI system do not upgrade to this release, due to an issue with codeql github upload-results. Instead, please use CodeQL 2.12.5, or, when available, CodeQL 2.12.7 or 2.13.1.

    This issue occurs when uploading certain kinds of diagnostic information and causes the subcommand to fail with “A fatal error occurred: Invalid SARIF.”, reporting an InvalidDefinitionException.

    Customers who wish to use CodeQL 2.12.6 or 2.13.0 can work around the problem by passing --no-sarif-include-diagnostics to any invocations of codeql database analyze or codeql database interpret-results.

Query Packs

Minor Analysis Improvements


  • rb/sensitive-get-query no longer reports flow paths from input parameters to sensitive use nodes. This avoids cases where many flow paths could be generated for a single parameter, which caused excessive paths to be generated.
  • © GitHub, Inc.
  • Terms
  • Privacy