CodeQL 2.16.3: AI-powered autofixes for Python, updated queries, and security fixes

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.16.3 has been released and has now been rolled out to code scanning users on GitHub.com.

Important changes in this release include:

  • CodeQL code scanning now supports AI-powered automatic fix suggestions for Python alerts on pull requests. This is automatically enabled for all current autofix preview participants.
  • A new option has been added to the Python extractor: python_executable_name. This allows you to select a non-default Python executable installed on the system running the scan (e.g. py.exe on Windows machines).
  • A fix for CVE-2024-25129, a low-severity data exfiltration vulnerability that could be triggered by processing untrusted databases or CodeQL packs.
  • Two new queries:
  • The sinks of queries java/path-injection and java/path-injection-local have been reworked to reduce the number of false positives.

For a full list of changes, please refer to the complete changelog for version 2.16.3. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

We’ve started the rollout for enabling push protection on all free user accounts on GitHub. This automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository itself has secret scanning enabled.

If a secret is detected in any push to a public repository, your push will be blocked. You will have the option to remove the secret from your commits or, if you deem the secret safe, bypass the block.

It might take a week or two for this change to apply to your account; you can verify status and opt-in early in your code security and analysis settings. Once enabled, you also have the option to opt-out. Disabling push protection may cause secrets to be accidentally leaked.

See more

Enterprise accounts now have a new root navigational experience, landing all users on an Enterprise Overview. Within this new page, GitHub Enterprise owners can create a README for their enterprise, which will be visible internally to all enterprise members. The Organization page still exists and can be found within the left-hand navigation of the enterprise account. This new experience is available on GitHub.com today and will be included in GitHub Enterprise Server 3.13.

To learn more, read our documentation on creating a README for an enterprise. To provide feedback about what you’d like to see on this new page, you may do so at anytime by clicking Give Feedback on the right-hand side of the new overview page, above the README.

See more