CodeQL performance and coverage improvements in recent releases

CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. The CodeQL engine has become faster, covers 28 more security queries, supports more ecosystems, and can now scan GitHub Actions (public preview)—among various other bug fixes and small improvements.

All of these improvements were automatically rolled out to code scanning users in the past few months. For users of the CodeQL CLI, here are some highlights of the past few CodeQL releases:

  • CodeQL 2.20.4 (6 February 2025)
    • Analysis support for GitHub Actions workflow files is now in public preview, and therefore the use of the actions language (for analysis of GitHub Actions workflows) no longer requires the CODEQL_ENABLE_EXPERIMENTAL_FEATURES environment variable to be set.
    • All experimental queries for C#, Java, and Kotlin have been migrated to the default query suite in the CodeQL community packs that are managed by GitHub Security Lab.
  • CodeQL 2.20.3 (24 January 2025)
    • Resolves a security vulnerability where CodeQL databases or logs produced by the CodeQL CLI may contain the environment variables from the time of database creation, including any secrets stored in environment variables. For more information, see the CodeQL CLI security advisory.
  • CodeQL 2.20.2 (22 January 2025)
    • All data flow queries have been standardized on a single data flow library, which may result in differences for JavaScript and TypeScript analysis.
    • CodeQL databases now take 2-3x less space on disk, which makes them faster to transfer and read/manipulate. This is thanks to a new compressed database format.
  • CodeQL 2.20.1 (9 January 2025)
    • CodeQL is now easier to set up and roll out: automatic build command detection with automatic dependency installation for C/C++ is now supported on Ubuntu 24.04.
    • A new Server Side Template Injection query for Python has been released, thanks to a community contribution.
    • Swift 6.0.2 is now supported.
  • CodeQL 2.19.4 (2 December 2024)
  • CodeQL 2.19.3 (7 November 2024)
    • Analysis for .NET 8 and JDK 17 has been improved.
    • The CodeQL Bundle is now available as an artifact that is compressed using Zstandard. This artifact is smaller and faster to decompress than the original, gzip-compressed bundle. The CodeQL bundle is a tar archive containing tools, scripts, and various CodeQL-specific files.
  • CodeQL 2.19.2 (21 October 2024)
    • Analysis of Python apps now has significantly faster extraction and analysis times.
  • CodeQL 2.19.1 (4 October 2024)
    • Java 23 is now supported.
    • A new command, codeql resolve packs, shows each step in the pack search process, including what packs were found in each step.
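The 2.20.3 entry above matters for anyone who still has CodeQL databases or CLI logs created with an older release, since those artifacts may carry the secrets that were in the environment at build time. The shell function below is an added example (not GitHub's code and not taken from the advisory) that searches such a directory for the current values of secret-looking environment variables and reports only the variable name and file path, never the value; the variable-name patterns and the 8-character minimum are assumptions.

```shell
#!/usr/bin/env bash
# Added example: look for leaked environment-variable values inside a
# CodeQL database or log directory produced before CodeQL 2.20.3.

# Return 0 if the variable name looks like it holds a credential
# (assumed patterns; extend to match your own naming conventions).
is_secret_name() {
  case "$1" in
    *TOKEN*|*SECRET*|*PASSWORD*|*PASSWD*|*_KEY|*API_KEY*) return 0 ;;
    *) return 1 ;;
  esac
}

# scan_codeql_dir DIR [VAR...]
# Searches every regular file under DIR for the current value of each
# named variable (default: every exported variable with a secret-looking
# name). Prints "VAR_NAME: path" per hit and returns 1 if anything was
# found, 0 if the directory is clean. Values are never printed.
# Caveat: files are matched as plain text, so relations stored in the
# compressed database format are not inspected; review the build logs
# and the extracted source archive, which are plain files.
scan_codeql_dir() {
  dir=$1; shift
  hits=0
  if [ "$#" -eq 0 ]; then
    # Variable names are [A-Za-z_][A-Za-z0-9_]*, so word splitting is safe.
    set -- $(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p')
  fi
  for name in "$@"; do
    is_secret_name "$name" || continue
    value=$(printenv "$name") || continue
    # Skip short or empty values: they produce too many false positives.
    [ "${#value}" -ge 8 ] || continue
    matches=$(find "$dir" -type f -exec grep -lF -- "$value" {} + 2>/dev/null)
    if [ -n "$matches" ]; then
      printf '%s\n' "$matches" | sed "s/^/$name: /"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
}
```

Run it as `scan_codeql_dir /path/to/codeql-db` after exporting the same variables the original build used; any hit means the artifact should be treated as containing that secret and the credential rotated.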

Detailed changelogs for every CodeQL release are available in the CodeQL documentation, and new CodeQL releases occur roughly every two weeks.

For GitHub Enterprise Server customers: All new functionality from CodeQL releases 2.19.0 through 2.20.3 will be included in GHES 3.16 and the latest patch versions of 3.12-3.15. Functionality from 2.20.3 and later 2.20.X versions will be included in 3.17. If you use an older version of GHES, you can manually upgrade your CodeQL version.

GitHub Copilot Chat in GitHub Mobile and Copilot Extension for the GitHub CLI are now available for free

GitHub Copilot Chat in GitHub Mobile and Copilot Extension for the GitHub CLI are now available for free!

GitHub Copilot Chat on GitHub Mobile

Whether you’re tackling coding questions, brainstorming ideas, or working on the go, GitHub Copilot Chat is here to make collaboration faster and easier, no matter where you are.

On mobile, simply sign in with your personal GitHub account and tap the Copilot button to access 2,000 code completions and 50 chat messages per month! If you reach your quota, you can upgrade through an in-app purchase to enjoy unlimited access.

Download or update GitHub Mobile apps today from the Apple App Store or Google Play Store to experience the AI coding assistance right at your fingertips.

GitHub Copilot Extension on GitHub CLI

In the GitHub CLI, install the gh-copilot extension to access gh copilot explain and gh copilot suggest. If you reach your quota, you can upgrade on the web.

Download the GitHub CLI and the GitHub Copilot Extension directly from your terminal to experience AI assistance in explaining and suggesting gh, git, and other terminal commands without leaving your shell.

Learn more about GitHub Copilot Chat in GitHub Mobile, GitHub Copilot in the CLI, Copilot Free and share your feedback.

Copilot Language Server SDK

We are excited to announce that the Copilot Language Server SDK is now publicly available. This enables any editor or IDE to integrate with GitHub Copilot via the language server protocol standard. Today, Copilot is available in popular editors such as VS Code, Visual Studio, JetBrains IDEs, Vim/Neovim, and most recently Xcode. A key ingredient of bringing Copilot to new editors has been the Copilot Language Server, which is used by all of those editors. At GitHub, we value developer choice and aim to empower developers to use Copilot with their favorite editor.

The Copilot Language Server SDK is available now: @github/copilot-language-server

This SDK can be used to integrate GitHub Copilot into any editor or IDE. See the documentation on the package to get started.