CodeQL 2.18.1: Kotlin & Swift mobile support is generally available, TypeScript 5.5 support, C# build-mode: none public beta

July 26, 2024

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.18.1 has been released and has now been rolled out to code scanning users on GitHub.com.

Important changes by version include:

For CodeQL 2.17.6:
- C# can now use build-mode: none, which allows scanning C# code without requiring working builds.
For CodeQL 2.18.0:
- Support for TypeScript 5.5.
For CodeQL 2.18.1:
- Kotlin & Swift support for mobile applications is now generally available.
- Java build-mode: none analyses now only report a warning on the tool status page when significant analysis problems are detected.
- Two new JavaScript queries js/functionality-from-untrusted-domain has been added to detect usage of scripts from untrusted domains, including polyfill.io content delivery network and js/insecure-helmet-configuration to detect instances where important Helmet security features are disabled.
- The precision of cpp/iterator-to-expired-container & cpp/unsafe-strncat have been increased to high. They have been moved to the default query suite.

For a full list of changes, please refer to the complete changelog for versions 2.17.6, 2.18.0, and 2.18.1. All new functionality will be included in GHES 3.15. Users of GHES 3.14 or older can upgrade their CodeQL version.

Copilot Enterprise Mixed Licensing beta

July 26, 2024

Today, we’re introducing the beta for Copilot Enterprise Mixed Licensing within an enterprise. This grants GitHub Enterprise Cloud customers greater flexibility in selecting the best Copilot plans for their needs. Now, you can set a Copilot plan at the organization level instead of at the enterprise level.

Try it out now

To update an organization’s Copilot plan, an Enterprise Admin should navigate to Copilot Settings for the enterprise and select the desired plan via the dropdown menu for each organization.

Enterprise Mixed Licensing Dropdown Menu

Learn more about Copilot Enterprise Mixed Licensing in our documentation here and let us know what you think via Discussions.

See more See more

Validation on package name when submitting a new GitHub security advisory (GHSA)

July 26, 2024

To make it easier to submit security advisories, GitHub now validates package names.

When submitting a new GHSA (GitHub Security Advisory) in a repository, the user is prompted to enter the ecosystem (e.g. npm, maven) and package name (e.g. webpack, lodash). Now, when they enter the name, there will be a validation message at the bottom of the form to confirm whether or not the package name they entered has been found in the ecosystem they specified.

To learn more about submitting advisories to our Advisory Database, check out our documentation here.

See more See more

View all changes