CodeQL 2.22.3 (2025-08-06)
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.
Security Coverage
CodeQL 2.22.3 runs a total of 476 security queries when configured with the Default suite (covering 169 CWE). The Extended suite enables an additional 130 queries (covering 32 more CWE). 2 security queries have been added with this release.
CodeQL CLI
New Features
The codeql database cleanup command now takes the --cache-cleanup=overlay option, which trims the cache to just the data that will be useful when evaluating against an overlay.
Query Packs
Minor Analysis Improvements
C/C++
The "Initialization code not run" query (cpp/initialization-not-run) no longer reports an alert on static global variables that have no dereference.
Rust
Type inference now supports closures, calls to closures, and trait bounds using the FnOnce trait.
Type inference now supports trait objects, i.e., dyn Trait types.
Type inference now supports tuple types.
New Queries
Rust
Added a new query, rust/hard-coded-cryptographic-value, for detecting use of hardcoded keys, passwords, salts and initialization vectors.
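As an added illustration (not code from the CodeQL project), the snippet below contrasts the pattern this query is designed to flag, a key literal baked into the source, with the usual remediation of loading key material at runtime. The environment variable name and the toy XOR transform are assumptions chosen to keep the example dependency-free; the key-sourcing pattern is the point, not the cipher.

```rust
use std::env;

// Constructed example of the pattern rust/hard-coded-cryptographic-value targets:
// the key is a compile-time literal, so it ships in the binary and every
// deployment shares the same secret.
const HARD_CODED_KEY: [u8; 16] = [
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
];

/// Toy XOR transform standing in for a real AEAD; only key sourcing matters here.
fn xor_with_key(data: &[u8], key: &[u8]) -> Vec<u8> {
    data.iter().zip(key.iter().cycle()).map(|(d, k)| d ^ k).collect()
}

/// Flagged pattern: the key is the literal constant above.
fn encrypt_with_hard_coded_key(data: &[u8]) -> Vec<u8> {
    xor_with_key(data, &HARD_CODED_KEY)
}

/// Decode a 32-character hex string into a 16-byte key, rejecting bad length or digits.
fn decode_hex_key(hex: &str) -> Result<[u8; 16], String> {
    if hex.len() != 32 {
        return Err(format!("expected 32 hex chars, got {}", hex.len()));
    }
    let mut key = [0u8; 16];
    for (i, chunk) in hex.as_bytes().chunks(2).enumerate() {
        let pair = std::str::from_utf8(chunk).map_err(|e| e.to_string())?;
        key[i] = u8::from_str_radix(pair, 16).map_err(|e| e.to_string())?;
    }
    Ok(key)
}

/// Remediated pattern: key material arrives at runtime from the environment
/// (variable name is an assumption) and is validated before use.
fn encrypt_with_runtime_key(data: &[u8], key_var: &str) -> Result<Vec<u8>, String> {
    let hex = env::var(key_var).map_err(|_| format!("{} is not set", key_var))?;
    let key = decode_hex_key(&hex)?;
    Ok(xor_with_key(data, &key))
}

fn main() {
    // Runs stand-alone; the hard-coded path always "works", which is exactly the problem.
    println!("{:?}", encrypt_with_hard_coded_key(b"hello"));
    println!("{:?}", encrypt_with_runtime_key(b"hello", "EXAMPLE_APP_KEY_HEX"));
}
```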
Language Libraries
Minor Analysis Improvements
C/C++
The cpp/overrun-write query now recognizes more bound checks and thus produces fewer false positives.
JavaScript/TypeScript
The regular expressions in SensitiveDataHeuristics.qll have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.
Python
The regular expressions in SensitiveDataHeuristics.qll have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.
Ruby
The regular expressions in SensitiveDataHeuristics.qll have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.
Swift
The regular expressions in SensitiveDataHeuristics.qll have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.
Rust
Removed deprecated dataflow extensible predicates sourceModelDeprecated, sinkModelDeprecated, and summaryModelDeprecated, along with their associated classes.
The regular expressions in SensitiveDataHeuristics.qll have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.
New Features
C/C++
Exposed various SSA-related classes (Definition, PhiNode, ExplicitDefinition, DirectExplicitDefinition, and IndirectExplicitDefinition) which were previously only usable inside the internal dataflow directory.
Java/Kotlin
Kotlin versions up to 2.2.2x are now supported.