CodeQL 2.16.4: AI-powered autofixes for Java, support for C# 12 & Go 1.22, new queries

March 12, 2024

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.16.4 has been released and has now been rolled out to code scanning users on GitHub.com.

CodeQL code scanning now supports automatic fix suggestions for Java alerts on pull requests, powered by Copilot. This is automatically enabled for all current autofix preview participants. You can sign up for the preview here and use our public discussion for questions and feedback.

The number of generated autofixes is now also visible in a dedicated security overview tile:

security overview showing a counter of fix suggestions

Furthermore, this release

adds support for C# 12 and .NET 8,
adds support for Go 1.22 and improves file coverage of Go analyses for certain project setups,
adds a new Java query for finding instances of keys generated for biometric authentication in an insecure way, and
enables the NoSQL injection query for Python by default.

For a full list of changes, please refer to the complete changelog for version 2.16.4. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

Secret scanning AI-generated custom patterns (public beta)

March 12, 2024

Secret scanning now helps you more easily define custom patterns with GitHub Copilot.

As of today, you can leverage AI to generate custom patterns without expert knowledge of regular expressions.

Generate a secret scanning custom pattern with AI

What’s changing?

You can create your own custom detectors for secret scanning by using custom patterns. Formatted as regular expressions, these custom patterns can be challenging to write. Secret scanning now supports a pattern generator backed by GitHub Copilot in order to generate regular expressions that match your input.

How do I use the regular expression generator?

When defining a custom pattern, you can select “generate with AI” in order to launch the regular expression generator.

The model returns up to three regular expressions for you to review. You can click on the regular expression to get an AI-generated plain language description of the regular expression. You should still review this input and carefully validate performance of results by performing a dry run across your organization or repository.

Who can use the regular expression generator?

Anyone able to define custom patterns is able to use the regular expression generator. This feature is shipping to public beta today for all GitHub Enterprise Cloud customers with GitHub Advanced Security.

Learn more about the regular expression generator or how to define your own custom patterns.

See more See more

Secret scanning and push protection are enabled by default on new public repositories

March 11, 2024

All new public repositories owned by personal accounts will now have secret scanning and push protection enabled by default. Pushes to the repository that include known secrets will be blocked by push protection, and any known secrets that are detected in the repository will generate a secret scanning alert. Secret scanning and push protection can be disabled by the repository administrator after the repository is created.

Existing public repositories are not affected, nor are new public repositories that belong to an organization.

See more See more

View all changes