CodeQL 2.21.4 adds Swift 6.1.1 support
CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.21.4, which brings support for a new version of Swift and various improvements that enhance the accuracy of your code scanning results.
Language & framework support
- Swift: CodeQL now supports Swift 6.1.1, ensuring you can analyze projects built with this version.
- C/C++: Added support for more Windows APIs including file read functions, command-line and environment variable APIs, and flow models for SQLite and OpenSSL libraries.
- Python: The extractor now analyzes files in hidden directories by default.
Query changes
- C#: We improved the `cs/missed-readonly-modifier` query so it now has fewer false positives.
- C#: We’ve improved the `cs/gethashcode-is-not-defined` and `cs/uncontrolled-format-string` queries so they now detect more potential issues.
- GitHub Actions: The `actions/missing-workflow-permissions` query now provides better alert messages and fix suggestions.
- We’ve removed hardcoded credential queries from all query suites across multiple languages (C#, Go, Java/Kotlin, JavaScript/TypeScript, Python, Ruby, and Swift) to reduce noise and duplication of alerts from GitHub Secret Protection.
For a full list of changes, please refer to the complete changelog for version 2.21.4. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.21.4 will also be included in GitHub Enterprise Server (GHES) version 3.18. If you use an older version of GHES, you can manually upgrade your CodeQL version.