CodeQL documentation

CodeQL 2.23.1 (2025-09-23)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.23.1 runs a total of 478 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE). 3 security queries have been added with this release.

CodeQL CLI

New Features

  • CodeQL now adds the sources and sinks of path alerts to the relatedLocations property of SARIF results if they are not included as the primary location or within the alert message. This means that path alerts will show on PRs if a source or sink is added or modified, even for queries that don’t follow the common convention of selecting the sink as the primary location and mentioning the source in the alert message.

  • CodeQL now populates file coverage information for GitHub Actions on the tool status page for code scanning.

Query Packs

Bug Fixes

C/C++

  • The predicate occurenceCount in the file module MagicConstants has been deprecated. Use occurrenceCount instead.

  • The predicate additionalAdditionOrSubstractionCheckForLeapYear in the file module LeapYear has been deprecated. Use additionalAdditionOrSubtractionCheckForLeapYear instead.

C#

  • The message for csharp/diagnostic/database-quality has been updated to include detailed database health metrics. Additionally, the threshold for reporting database health issues has been lowered from 95% to 85% (if any metric falls below this percentage). These changes are visible on the tool status page.

Java/Kotlin

  • The message for java/diagnostic/database-quality has been updated to include detailed database health metrics. Additionally, the threshold for reporting database health issues has been lowered from 95% to 85% (if any metric falls below this percentage). These changes are visible on the tool status page.

Rust

  • The message for rust/diagnostic/database-quality has been updated to include detailed database health metrics. These changes are visible on the tool status page.

Major Analysis Improvements

C/C++

  • The queries cpp/wrong-type-format-argument, cpp/comparison-with-wider-type, cpp/integer-multiplication-cast-to-long, cpp/implicit-function-declaration and cpp/suspicious-add-sizeof have had their precisions reduced from high to medium. They will also now give alerts for projects built with build-mode: none.

  • The queries cpp/wrong-type-format-argument, cpp/comparison-with-wider-type, cpp/integer-multiplication-cast-to-long and cpp/suspicious-add-sizeof are no longer included in the code-scanning suite.

Java/Kotlin

  • The implementation of java/dereferenced-value-may-be-null has been completely replaced with a new general control-flow reachability library. This improves precision by reducing false positives. However, since the entire calculation has been reworked, there may be corner cases where precision regresses and new false positives appear; these cases should be rare.

JavaScript/TypeScript

  • Added support for TypeScript 5.9.

  • Added support for import defer syntax in JavaScript and TypeScript.

Minor Analysis Improvements

C#

  • The query cs/call-to-object-tostring has been improved to remove false positives for enum types.

JavaScript/TypeScript

  • Data flow is now tracked through the Promise.try and Array.prototype.with functions.

  • Query js/index-out-of-bounds no longer produces a false positive when a strictly-less-than check overrides a previous less-than-or-equal test.

  • The query js/remote-property-injection now detects property injection vulnerabilities through object enumeration patterns such as Object.keys().

  • The query “Permissive CORS configuration” (js/cors-permissive-configuration) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who submitted the original experimental query!

Python

  • The queries py/missing-call-to-init, py/missing-calls-to-del, py/multiple-calls-to-init, and py/multiple-calls-to-del have been modernized: they no longer rely on outdated libraries, produce more precise results with more descriptive alert messages, and have improved documentation.

GitHub Actions

  • Actions analysis now reports file coverage information on the CodeQL status page.

Deprecated Queries

C#

  • The query cs/captured-foreach-variable has been deprecated, as the semantics of capturing a ‘foreach’ variable and using it outside the loop have been stable since C# version 5.

New Queries

Rust

  • Added a new query, rust/request-forgery, for detecting server-side request forgery vulnerabilities.

Language Libraries

Minor Analysis Improvements

Golang

  • The second argument of the CreateTemp function, from the os package, is no longer a path-injection sink due to proper sanitization by Go.

  • The query “Uncontrolled data used in path expression” (go/path-injection) now recognizes adding os.PathSeparator or \ to the beginning of a path as a sanitizer.
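As an added example (not CodeQL's own code or query logic), the Go program below contrasts an unsanitized join with the sanitizer pattern the go/path-injection bullet refers to: prefixing the untrusted path with os.PathSeparator and cleaning it, which resolves every ".." against the filesystem root before the result is appended to the intended directory. The root directory and the two inputs are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// NaiveJoin is the unsanitized pattern go/path-injection alerts on: an
// untrusted component containing ".." can climb out of root.
func NaiveJoin(root, untrusted string) string {
	return filepath.Join(root, untrusted)
}

// SafeJoin applies the sanitizer the changelog describes: the untrusted path
// is prefixed with os.PathSeparator and cleaned. Clean() resolves each ".."
// against that leading separator, so the result is an absolute path that can
// never rise above "/", and only then is it appended to root.
func SafeJoin(root, untrusted string) string {
	sep := string(os.PathSeparator)
	cleaned := filepath.Clean(sep + untrusted)
	return filepath.Join(root, cleaned)
}

// StaysUnderRoot reports whether p is root itself or lies beneath it, which
// is the property a defender actually wants to hold.
func StaysUnderRoot(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	sep := string(os.PathSeparator)
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+sep))
}

func main() {
	// Constructed inputs: a benign relative file and a traversal attempt.
	root := filepath.Join(string(os.PathSeparator), "srv", "data")
	for _, in := range []string{"reports/q3.txt", "../../etc/passwd"} {
		fmt.Printf("%-20s naive=%v safe=%v\n", in,
			StaysUnderRoot(root, NaiveJoin(root, in)),
			StaysUnderRoot(root, SafeJoin(root, in)))
	}
}
```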

Java/Kotlin

  • Improved support for various assertion libraries, in particular JUnit. This affects the control-flow graph slightly, and in turn affects several queries (mainly quality queries). Most queries should see improved precision (new true positives and fewer false positives), in particular java/constant-comparison, java/index-out-of-bounds, java/dereferenced-value-may-be-null, and java/useless-null-check. Some medium precision queries like java/toctou-race-condition and java/unreleased-lock may see mixed result changes (both slight improvements and slight regressions).

  • Added taint flow model for java.crypto.KDF.

  • Added taint flow model for java.lang.ScopedValue.

JavaScript/TypeScript

  • Added modeling for promisification libraries @gar/promisify, es6-promisify, util.promisify, thenify-all, call-me-maybe, @google-cloud/promisify, and util-promisify.

  • Data flow is now tracked through promisified user-defined functions.

Swift

  • Updated to allow analysis of Swift 6.1.3.

Rust

  • Added cryptography related models for the cookie and biscotti crates.

Deprecated APIs

C/C++

  • The predicate getAContructorCall in the class SslContextClass has been deprecated. Use getAConstructorCall instead.

New Features

C/C++

  • Added predicates getTransitiveNumberOfVlaDimensionStmts, getTransitiveVlaDimensionStmt, and getParentVlaDecl to VlaDeclStmt for handling VlaDeclStmts whose base type is defined in terms of another VlaDeclStmt via a typedef.

Java/Kotlin

  • The Java extractor and QL libraries now support Java 25.

  • Added support for Java 25 compact source files (JEP 512). The new predicate Class.isImplicit() identifies classes that are implicitly declared when using compact source files, and the new predicate CompilationUnit.isCompactSourceFile() identifies compilation units that contain compact source files.

  • Added support for Java 25 module import declarations.

  • Added the ModuleImportDeclaration class.
