CodeQL documentation

CodeQL 2.14.3 (2023-08-25)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.14.3 runs a total of 393 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 127 queries (covering 33 more CWE).


Breaking Changes

  • The <run>.tool.extensions property in the SARIF generated by codeql database analyze now contains the following packs:

    • The containing query pack for each query that was evaluated.
    • Each model pack that was specified via the --model-packs option, regardless of whether that model pack affected any of the evaluated queries.

    Library packs are no longer included in the list.

    Previously, this property contained every query and library pack that was available on the search path, regardless of whether that pack was used during the evaluation.


  • The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.8.
  • When codeql test generates .actual files, they will in some cases list the query predicates in a different order than past versions. There is no need to update .expected files, as codeql test sorts their results accordingly before diffing. However, when there are genuine changes in expected results, the generated .actual file can show additional changes against the .expected due to the reordering.

Language Libraries

Bug Fixes


  • Fixed the computation of locations for imports with aliases in jump-to-definition.

Major Analysis Improvements


  • Improved support for flow through captured variables that properly adheres to inter-procedural control flow.


  • Added DataFlow::CollectionContent, which will enable more accurate flow through collections.

Minor Analysis Improvements


  • The query library for cs/hardcoded-credentials now excludes benign properties such as UserNameClaimType and AllowedUserNameCharacters from Microsoft.AspNetCore.Identity options classes.


  • Modified the getSecureAlgorithmName predicate in Encryption.qll to also include SHA-256 and SHA-512. Previously only the versions of the names without dashes were considered secure.
  • Add support for WithElement and WithoutElement for MaD access paths.


  • Support analyzing packages (folders with python code) that do not have files, although this is technically required, we see real world projects that don’t have this.
  • Added modeling of AWS Lambda handlers that can be identified with AWS::Serverless::Function in YAML files, where the event parameter is modeled as a remote-flow-source.
  • Improvements of the aiohttp models including remote-flow-sources from type annotations, new path manipulation, and SSRF sinks.


  • Flow between positional arguments and splat parameters (*args) is now tracked more precisely.
  • Flow between splat arguments (*args) and positional parameters is now tracked more precisely.


  • Added local flow sources for UITextInput and related classes.
  • Flow through forced optional unwrapping (!) on the left side of assignment now works in most cases.
  • Type.getName now gets the name of the type alone without any enclosing types. Use Type.getFullName for the old behaviour.

Shared Libraries

Major Analysis Improvements

Dataflow Analysis

  • Initial release. Adds a library to implement flow through captured variables that properly adheres to inter-procedural control flow.

New Features

YAML Data Analysis

  • Added library for serverless functions. Currently used by JavaScript and Python.
  • © GitHub, Inc.
  • Terms
  • Privacy