CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.22.4, which adds support for Go 1.25, a new security query for Rust, improved analysis accuracy, and enhanced framework support.

Language & framework support

  • Go: CodeQL now supports Go version 1.25.

  • Rust: Enhanced models for postgres, rusqlite, sqlx, and tokio-postgres libraries, which may improve query results, particularly for SQL injection and cleartext storage detection.

  • Java/Kotlin: Added library models for jakarta.servlet.ServletRequest and jakarta.servlet.http.HttpServletRequest method calls as remote flow sources.

Query changes

  • Rust: Added rust/cleartext-storage-database for detecting cases where sensitive information is stored unencrypted in a database.

  • C/C++: Fixed false positives in cpp/overflow-buffer when the destination buffer type is a reference to a class/struct type.

  • JavaScript/TypeScript: The js/regex-injection query no longer considers environment variables as sources by default.
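The js/regex-injection query flags regular expressions built from untrusted input. As an added illustration that is not part of the changelog and not CodeQL's own code, the block below shows the pattern the query targets (a RegExp constructed directly from a request parameter) beside the usual mitigation, escaping metacharacters so the input is matched literally. The function names searchLogUnsafe, escapeRegExp and searchLogSafe and the sample log lines are constructed for this example.

```javascript
// Constructed example: a log-search helper that builds a RegExp from a
// user-supplied query string, in the shape js/regex-injection reports.

// Vulnerable form: the untrusted string becomes the pattern as-is, so the
// caller decides what the expression means ('.' and '*' are wildcards, and a
// nested-quantifier pattern can cause catastrophic backtracking).
function searchLogUnsafe(lines, userPattern) {
  const re = new RegExp(userPattern);
  return lines.filter((line) => re.test(line));
}

// Mitigation: escape every regex metacharacter before the string reaches the
// RegExp constructor, so the input only ever matches itself literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Hardened form: same search, but the user string is escaped first.
function searchLogSafe(lines, userPattern) {
  const re = new RegExp(escapeRegExp(userPattern));
  return lines.filter((line) => re.test(line));
}

// Constructed sample input standing in for application log lines.
const SAMPLE_LINES = [
  "user=alice action=login status=ok",
  "user=bob action=login status=fail",
  "user=a+b action=upload status=ok",
];

// Demonstration: a search for the literal text "status=.*" should match
// nothing, but the unsafe version treats it as a wildcard and matches every line.
console.log("unsafe:", searchLogUnsafe(SAMPLE_LINES, "status=.*").length);
console.log("safe:  ", searchLogSafe(SAMPLE_LINES, "status=.*").length);
```

The two calls at the bottom make the difference visible: the unescaped pattern matches all three lines, while the escaped one matches none, and a search for the literal user name "a+b" only finds its line when escaping is applied. Treating request parameters and headers as sources is the default; the 2.22.4 change only stops the query from also treating environment variables as sources.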

For a full list of changes, please refer to the complete changelog for version 2.22.4. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.22.4 will also be included in GitHub Enterprise Server (GHES) version 3.19. If you use an older version of GHES, you can manually upgrade your CodeQL version.