CodeQL 2.23.3 adds a new Rust query, Rust support, and easier C/C++ scanning
CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.23.3, which makes Rust analysis and C/C++ build mode none generally available and introduces a new Rust security query alongside other improvements that refine the accuracy of code scanning results.
Language and framework support
- Rust: Rust analysis is now generally available.
- C/C++: `build-mode: none` is now generally available, letting you scan C/C++ projects even when a full build isn’t practical.
Query changes
- Rust: Added `rust/insecure-cookie`, which flags cookies created without the `Secure` attribute, helping prevent transmission over non-TLS channels.
- Go:
  - `go/request-forgery` no longer alerts when user input is a simple type (e.g., a number or boolean), reducing false positives.
  - `go/unvalidated-url-redirection` now treats a `url.URL` struct as tainted when its `Host` field is initialized from untrusted data during struct construction (e.g., `&url.URL{Host: untrusted}`), improving coverage.
  - The safe URL modeling shared by `go/unvalidated-url-redirection` and `go/request-forgery` was corrected, which may surface additional valid alerts in both queries.
- Java/Kotlin: Fields of objects stored in source arrays (e.g., `MyPojo[]`) are now considered tainted when the array itself is a source, increasing data-flow coverage for object field sinks.
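As an added illustration of the defect the new `rust/insecure-cookie` query targets (this is constructed example code, not part of the post and not CodeQL's or any crate's own code), the snippet below builds a `Set-Cookie` value with and without `Secure` and audits a batch of constructed header values for the missing attribute; `CookieSpec`, `has_secure_attribute` and `insecure_cookie_names` are hypothetical names.

```rust
// Constructed example, not CodeQL's or GitHub's code: a minimal Set-Cookie
// builder plus an audit helper that checks for the same defect that
// rust/insecure-cookie flags, a cookie emitted without the `Secure` attribute.
// All names are hypothetical; no external crates, so it runs stand-alone.

#[derive(Debug, Clone)]
pub struct CookieSpec {
    pub name: String,
    pub value: String,
    pub secure: bool,
    pub http_only: bool,
}

impl CookieSpec {
    /// Insecure pattern: a cookie built with defaults, `Secure` never set.
    pub fn new(name: &str, value: &str) -> Self {
        CookieSpec { name: name.into(), value: value.into(), secure: false, http_only: false }
    }
    /// Hardened pattern: opt in to `Secure` (and `HttpOnly`) explicitly.
    pub fn secure(mut self) -> Self { self.secure = true; self }
    pub fn http_only(mut self) -> Self { self.http_only = true; self }

    /// Render as a `Set-Cookie` header value.
    pub fn to_header(&self) -> String {
        let mut s = format!("{}={}", self.name, self.value);
        if self.secure { s.push_str("; Secure"); }
        if self.http_only { s.push_str("; HttpOnly"); }
        s
    }
}

/// True when a `Set-Cookie` value carries the `Secure` attribute
/// (attribute names are case-insensitive per RFC 6265).
pub fn has_secure_attribute(header: &str) -> bool {
    header.split(';').skip(1).any(|a| a.trim().eq_ignore_ascii_case("secure"))
}

/// Audit constructed Set-Cookie header values (e.g. from a response capture)
/// and return the names of cookies a browser may send over plain HTTP.
pub fn insecure_cookie_names(headers: &[&str]) -> Vec<String> {
    headers.iter()
        .filter(|h| !has_secure_attribute(h))
        .filter_map(|h| h.split(';').next().and_then(|kv| kv.split('=').next()))
        .map(|n| n.trim().to_string())
        .collect()
}
```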
For a full list of changes, please refer to the complete changelog for version 2.23.3. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.23.3 will also be included in a future GitHub Enterprise Server (GHES) release. If you use an older version of GHES, you can manually upgrade your CodeQL version.