CodeQL updates from the first half of 2023

CodeQL is the analysis engine that powers GitHub code scanning for over 100,000 repositories. We continuously improve our analysis capabilities, language support and performance to help open source developers and enterprises catch vulnerabilities before they make their way into production code. CodeQL is also an instrumental tool for the security researcher community and was used to identify 36 new CVE.

We release updates and improvements for CodeQL on a regular basis. We don’t get to call out all the improvements, but we want to highlight some of the most important updates we’ve shipped for CodeQL in the first half of the year:

  • Shortly before WWDC in June, we added beta support for Swift, which together with Kotlin completes CodeQL’s support for next-generation mobile development.
  • We’ve updated CodeQL to support these new language versions (view all): Swift 5.8.1, C#11 , .NET 7, Kotlin 1.8, Go 1.20, TypeScript 5.0 & 5.1, Ruby 3.2, Java 20.
  • We saw a 16% average performance improvement for CodeQL analyses.
  • We improved CodeQL modelling for popular Ruby libraries (SQLite, MySQL, Rack) and added coverage for more than 5000 API methods in Java, increasing analysis coverage and reducing false negatives.
  • We released a new mechanism called default setup, to configure CodeQL at the repo and the organization level.
  • We added 4 new memory-corruption queries for C/C++, 6 new queries for Java, 1 for Python and adjusted over 100 queries across all languages.
  • We started showing actionable information on the tool status page.
  • Enabled scanning Python repositories without installing dependencies.
  • We made the release process faster, 1 week, and optimised the roll-out strategy to get you on the latest release as quick as possible, benefiting from the latest updates in CodeQL.
  • Deprecated CodeQL Action v1 and enabled Dependabot to automatically move you to a newer version.

These features have been shipped across multiple versions of CodeQL from 2.12.0 up to 2.14.0, which are shipped with GHES 3.9 and upcoming 3.10. All users of CodeQL code scanning on GitHub.com automatically benefit from the latest improvements.

Today, we are announcing public beta of the new experience for deployments across environments. 🎉

Developers and DevOps managers can now view and track the full history of deployments in a repository or filter them across environments to:

  • view active deployments across various environments and navigate to the deployment URLs or
  • understand who and what commits, PRs triggered a deployment in a given environment or
  • monitor the deployment status and duration of deployments or
  • trace any deployment to its source workflow and view logs to diagnose any issues or review any pending approvals etc.

New Deployment views

Learn more about viewing deployments in your repository through our documentation and watching this video.

For questions, visit the GitHub Actions community.
To see what’s next for Actions, visit our public roadmap.

See more

Starting today, publishing with provenance is restricted to public source repositories only. Private source repositories are no longer supported for use with provenance for public packages.

As announced on July 11, 2023: npm will verify the linked source commit and repository when users view a package's provenance information on npmjs.com. If the linked source commit or repository cannot be found, an error will be displayed. This can occur if a repository is deleted or if it is made private.

Read more about viewing npm provenance and publishing with provenance.

See more