CodeQL 2.16.3: AI-powered autofixes for Python, updated queries, and security fixes

March 1, 2024

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.16.3 has been released and has now been rolled out to code scanning users on GitHub.com.

Important changes in this release include:

CodeQL code scanning now supports AI-powered automatic fix suggestions for Python alerts on pull requests. This is automatically enabled for all current autofix preview participants.
A new option has been added to the Python extractor: python_executable_name. This allows you to select a non-default Python executable installed on the system running the scan (e.g. py.exe on Windows machines).
A fix for CVE-2024-25129, a low-severity data exfiltration vulnerability that could be triggered by processing untrusted databases or CodeQL packs.
Two new queries:
- java/android/insecure-local-authentication for finding uses of biometric authentication APIs that do not make use of a Keystore-backed key and thus may be bypassed.
- swift/unsafe-unpacking, that detects code which extracts user-controlled zip archives without validating that the contents of the zip file are not extracted outside the destination directory.
The sinks of queries java/path-injection and java/path-injection-local have been reworked to reduce the number of false positives.

For a full list of changes, please refer to the complete changelog for version 2.16.3. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

Push protection is enabled for free users on GitHub

February 29, 2024

We’ve started the rollout for enabling push protection on all free user accounts on GitHub. This automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository itself has secret scanning enabled.

If a secret is detected in any push to a public repository, your push will be blocked. You will have the option to remove the secret from your commits or, if you deem the secret safe, bypass the block.

It might take a week or two for this change to apply to your account; you can verify status and opt-in early in your code security and analysis settings. Once enabled, you also have the option to opt-out. Disabling push protection may cause secrets to be accidentally leaked.

Read the blog post
Learn more about secret scanning
Learn more about push protection for users
Join the discussion within GitHub Community

See more See more

Enterprise READMEs

February 28, 2024

Enterprise accounts now have a new root navigational experience, landing all users on an Enterprise Overview. Within this new page, GitHub Enterprise owners can create a README for their enterprise, which will be visible internally to all enterprise members. The Organization page still exists and can be found within the left-hand navigation of the enterprise account. This new experience is available on GitHub.com today and will be included in GitHub Enterprise Server 3.13.

To learn more, read our documentation on creating a README for an enterprise. To provide feedback about what you’d like to see on this new page, you may do so at anytime by clicking Give Feedback on the right-hand side of the new overview page, above the README.

See more See more

View all changes