Removing hardcoded secrets detection from CodeQL

Starting May 30, 2025, CodeQL will no longer generate code scanning alerts for hardcoded secrets. Instead, we recommend using secret scanning to detect hardcoded secrets in your repositories, which has greater precision and recall than CodeQL. Secret scanning is a feature of GitHub Secret Protection.

Learn more about secret scanning, which scans your repositories for over 300 hardcoded secrets and uses Copilot to detect generic passwords. By using this detection instead of CodeQL, all your alerts for hardcoded secrets can be managed in one place.

What’s changing?

We’re disabling CodeQL detection of hardcoded secrets on May 30, 2025. This aligns with the release of CodeQL 2.21.4. We’ll post a follow-up notice to the GitHub changelog when this is complete. Once these checks are disabled, the next time your repository is analyzed using CodeQL, any code scanning alerts for hardcoded secrets will close. These alerts will stay in your historical security alert backlog.

These changes will also be included with GHES 3.18.

The following CodeQL queries will be disabled:

  • js/hardcoded-credentials
  • swift/hardcoded-key
  • swift/constant-password
  • cs/password-in-configuration
  • cs/hardcoded-credentials
  • js/password-in-configuration-file
  • py/hardcoded-credentials
  • go/hardcoded-credentials
  • rb/hardcoded-credentials
  • cs/hardcoded-connection-string-credentials
  • java/password-in-configuration
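Because open code scanning alerts for these rules will close automatically once the queries are disabled, it is worth inventorying them first and confirming that secret scanning has a matching alert for each location. The script below is an added example, not GitHub's own tooling: it filters alert objects in the shape returned by the REST endpoint GET /repos/{owner}/{repo}/code-scanning/alerts against the rule IDs listed above; the sample alerts are constructed, and fetching them from the API is left to the reader.

```python
"""Find open CodeQL alerts for the hardcoded-secret rules being disabled,
grouped by file, so they can be reconciled against secret scanning alerts
before they auto-close. Alert objects follow the GitHub REST API shape:
"number", "state", "rule": {"id": ...}, "most_recent_instance":
{"location": {"path": ...}}. SAMPLE_ALERTS below is constructed data."""
from collections import defaultdict

# Rule IDs taken from the changelog list above.
DISABLED_RULES = frozenset({
    "js/hardcoded-credentials", "swift/hardcoded-key", "swift/constant-password",
    "cs/password-in-configuration", "cs/hardcoded-credentials",
    "js/password-in-configuration-file", "py/hardcoded-credentials",
    "go/hardcoded-credentials", "rb/hardcoded-credentials",
    "cs/hardcoded-connection-string-credentials", "java/password-in-configuration",
})


def affected_alerts(alerts):
    """Return {file path: [(alert number, rule id), ...]} for open alerts
    raised by one of DISABLED_RULES; dismissed/fixed alerts are skipped."""
    by_path = defaultdict(list)
    for alert in alerts:
        if alert.get("state") != "open":
            continue
        rule_id = alert.get("rule", {}).get("id")
        if rule_id not in DISABLED_RULES:
            continue
        location = alert.get("most_recent_instance", {}).get("location", {})
        by_path[location.get("path", "<unknown>")].append((alert["number"], rule_id))
    return dict(by_path)


SAMPLE_ALERTS = [  # constructed sample data, not real repository alerts
    {"number": 1, "state": "open", "rule": {"id": "py/hardcoded-credentials"},
     "most_recent_instance": {"location": {"path": "app/db.py"}}},
    {"number": 2, "state": "open", "rule": {"id": "py/sql-injection"},
     "most_recent_instance": {"location": {"path": "app/db.py"}}},
    {"number": 3, "state": "dismissed", "rule": {"id": "js/hardcoded-credentials"},
     "most_recent_instance": {"location": {"path": "web/config.js"}}},
    {"number": 4, "state": "open",
     "rule": {"id": "cs/hardcoded-connection-string-credentials"},
     "most_recent_instance": {"location": {"path": "Api/appsettings.json"}}},
]

if __name__ == "__main__":
    for path, hits in sorted(affected_alerts(SAMPLE_ALERTS).items()):
        print(path)
        for number, rule_id in hits:
            print(f"  alert #{number}: {rule_id} (will close; check secret scanning covers it)")
```

Each path printed should correspond to an open secret scanning alert; any that does not is a gap to look at by hand before the CodeQL alert disappears from the active list.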

Why are we doing this?

The hardcoded secrets queries in CodeQL duplicate the capabilities of secret scanning, which can result in two alerts for the same secret. This creates unnecessary effort spent manually deduplicating secret scanning and code scanning alerts. Secret scanning has superior accuracy and recall for detecting hardcoded secrets and provides additional metadata that’s helpful for remediation.

How do I get started?

Check out this introduction to getting started with GitHub Secret Protection:

Watch this video to learn more about deploying and managing Secret Protection at scale:

macOS 15 and Windows 2025 images are now generally available for all GitHub-hosted runners. You can use these images in your workflows on GitHub-hosted standard or larger runners.

Get started today

To use macOS 15 directly, set the runs-on: key in your workflow file to macos-15, macos-15-xlarge, or macos-15-large.

jobs:
  build:
    runs-on: macos-15
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: swift build
      - name: Run tests
        run: swift test

To use Windows 2025, you can target the image directly on standard runners using runs-on: windows-2025. For larger runners, create a runner and select Windows Server 2025 in the Images UI console.

The latest tag will migrate to these images later in the year.

Need support?

Keep in mind that the new runner images ship different tools and tool versions from the previous images. To view the full list of installed software, or to report issues with your workflows when using the images, visit the runner-images repository.


Issues, discussions, and pull requests – these are all important pieces of context when building in GitHub. Now, you can reference these within Copilot Chat. Simply paste a link into the chat and Copilot will do the rest!

How it helps you

  • 📂 Multi-repository support: want to compare a pull request from one project with a discussion from another? No problem!
  • 🏷️ Intuitive navigation: maybe you pasted a link, got up to make a coffee, and forgot what you were doing. With chips in the chat context, you don’t need to worry – it will always be clear what you’ve added.
  • ⌨️ Context-building at your fingertips: let Copilot support you and integrate your work by focusing on the specific problems you want to address.

We like to think that GitHub files and Copilot are both great, and they’re even better when they come together. The power of Copilot and the fountain of knowledge in your repositories will collectively help you do amazing things. We know it.

💬 Let us know what you think using the in-product feedback option or pop it into the GitHub Community at any time.
