Starting May 30, 2025, CodeQL will no longer generate code scanning alerts for hardcoded secrets. Instead, we recommend using secret scanning to detect hardcoded secrets in your repositories, which has greater precision and recall than CodeQL. Secret scanning is a feature of GitHub Secret Protection.
Learn more about secret scanning, which scans your repositories for over 300 hardcoded secrets and uses Copilot to detect generic passwords. By using this detection instead of CodeQL, all your alerts for hardcoded secrets can be managed in one place.
What’s changing?
We’re disabling CodeQL detection of hardcoded secrets on May 30, 2025. This aligns with the release of CodeQL 2.21.4. We’ll post a follow-up notice to the GitHub changelog when this is complete. Once these checks are disabled, the next time your repository is analyzed using CodeQL, any code scanning alerts for hardcoded secrets will close. These alerts will stay in your historical security alert backlog.
These changes will also be included with GHES 3.18.
The following CodeQL queries will be disabled:
js/hardcoded-credentialsswift/hardcoded-keyswift/constant-passwordcs/password-in-configurationcs/hardcoded-credentialsjs/password-in-configuration-filepy/hardcoded-credentialsgo/hardcoded-credentialsrb/hardcoded-credentialscs/hardcoded-connection-string-credentialsjava/password-in-configuration
Why are we doing this?
The hardcoded secrets queries in CodeQL are redundant to the capabilities of secret scanning, which can result in duplicate alerts for the same secret. This creates unnecessary effort spent on manual deduplication of secret scanning and code scanning alerts. Secret scanning has superior accuracy and recall for detecting hardcoded secrets and provides additional metadata that’s helpful for remediation.
How do I get started?
Check out this introduction to getting started with GitHub Secret Protection:
Watch this video to learn more about deploying and managing Secret Protection at scale: