CodeQL documentation

CodeQL 2.9.4 (2022-06-20)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.9.4 runs a total of 335 security queries when configured with the Default suite (covering 142 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE).


New Features

  • Users of CodeQL Packaging Beta can now optionally authenticate to Container registries on GitHub Enterprise Server (GHES) versions 3.6 and later using standard input instead of the CODEQL_REGISTRIES_AUTH environment variable. To authenticate via standard input, pass --registries-auth-stdin. The value you provide will override the value of the CODEQL_REGISTRIES_AUTH environment variable.

Language Libraries

Minor Analysis Improvements


  • Calls to and have been added as FileSystemAccess sinks. As a result queries like rb/path-injection now flag up cases where users may access arbitrary archive files.

New Features


  • An isBraced predicate was added to the Initializer class which holds when a C++ braced initializer was used in the initialization.
  • © GitHub, Inc.
  • Terms
  • Privacy