Skip to content

Code scanning is now more adaptable to your codebase with CodeQL threat model settings for Java (beta)

Use CodeQL threat model settings for Java (beta) to adapt CodeQL's code scanning analysis to detect the most relevant security vulnerabilities in your code.

No two codebases are the same and each is subject to different security risks and threats. Such risks and threats can be captured in a codebase's threat model which, in turn, depends on how the code has been designed and will be deployed. To understand the threat model you need to know what type of data is untrusted and poses a threat to the codebase. Additonally, you need to know how that unstrusted (or tainted) data interacts with the application. For example, one codebase might only consider data from remote network requests to be untrusted, whereas another might also consider data from local files to be tainted.

CodeQL can perform security analysis on all such codebases, but it needs to have the right context. It needs the threat model in order to behave slightly differently on different codebases. That way, CodeQL can include (or exclude) the appropriate sources of tainted data during its analysis, and flag up the most relevant security vulnerabilities to developers who work on the code.

CodeQL's default threat model works for the vast majority of codebases. It considers data from remote sources (such as HTTP requests) as tainted. Using new CodeQL threat model settings for Java, you can now optionally mark local sources of data as tainted. This includes data from local files, command-line arguments, environment variables, and databases. You can enable the local threat model option in code scanning to help security teams and developers uncover and fix more potential security vulnerabilities in their code.

CodeQL threat model settings can be configured in repositories running code scanning with CodeQL via default setup in the GitHub UI. Alternatively, you can specify it through advanced setup (in an Actions workflow file).

If your repository is running code scanning default setup on Java code, go to the Code security and analysis settings and click Edit configuration under Code scanning default setup. Here, you can change the threat model to Remote and local sources. For more information, see the documentation on including local sources of tainted data in default setup.

Threat model setting in CodeQL default configuration

If your repository is running code scanning advanced setup on Java code, you can customize the CodeQL threat model by editing the code scanning workflow file. For more information, see the documentation on extending CodeQL coverage with threat models. If you run the CodeQL CLI on the command-line or in third party CI/CD, you can specify a --threat-model when running a code scanning analysis. For more information see the CodeQL CLI documentation.

CodeQL threat model settings (beta) in code scanning default setup is available on for repositories containing Java code. It will be shipped in GitHub Enterprise Server 3.13.

The public beta Activity Overview of Organization Insights for GitHub Enterprise Cloud will be deprecated on January 5, 2024. Since its initial beta launch in 2019, the amount of data calculation and storage required for these views has proven untenable in its current format and the underlying service will be taken offline later in January. Metrics-specific integrations such as Cauldron are available to read, store, and visualize your organization’s data via the GitHub API, as well as more general-purpose data visualization platforms such as PowerBI or Grafana. The Dependency Insights feature will not be impacted.

See more

Code scanning default setup is now available for self-hosted runners on To use default setup for code scanning, assign the code-scanning label to your runner. Default setup now uses actions/github-script instead of the GH CLI. If your organization has a policy which limits GitHub Actions you will need to allow this action in your policy.

Code scanning sees assigned runners when default setup is enabled. As a result, if a runner is assigned to a repository which is already running default setup, you must disable and re-enable default setup to initiate using the runner.

Larger runners are in beta support, with the limitations that you can only define one single larger runner at the org level with the label code-scanning, and Swift analysis is not supported.

For more information, see “Using labels with self-hosted runners.”

Runner with code-scanning label

This is now available on Self-Hosted runners for default setup are already supported from GitHub Enterprise Server 3.9.

See more