CodeQL 2.24.1 improves Maven private registry support and improves query accuracy
CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.24.1, which improves support for Maven private package registries, adds support for the latest version of Kotlin, and includes various other improvements that enhance the accuracy of your code scanning results.
Language and framework support
Java/Kotlin
- Kotlin versions up to 2.3.0 are now supported for analysis.
- We’ve added support for Struts 7.x package names in the Struts framework library.
- When you configure Maven-compatible private package registries for an organization for Default Setup, CodeQL will now configure Maven to also use these as plugin repositories, allowing you to obtain Maven plugins from private registries.
- Note: As previously announced, support for the Kotlin 1.6.x and 1.7.x series has been dropped.
C/C++
- We’ve added support for C23 and C++26 `#embed` preprocessor directives.
C#
- C# 14: We’ve added support for null-conditional assignments.
Python
- It’s now possible to refer to list elements in the Python models-as-data language, via the `ListElement` path.
- We’ve added taint flow and type models for the `agents` and `openai` modules, and have modeled remote flow sources for the `websockets` package.
Query changes
C/C++
- We’ve fixed a bug in the `GuardCondition` library which sometimes prevented binary logical operators from being recognized as guard conditions. As a result, queries using `GuardCondition` may see improved results.
- We’ve improved the accuracy of measuring buffer sizes, reducing the number of false positives in the `cpp/static-buffer-overflow`, `cpp/overflow-buffer`, `cpp/badly-bounded-write`, `cpp/overrunning-write`, `cpp/overrunning-write-with-float`, and `cpp/very-likely-overrunning-write` queries.
Java
- We’ve improved the accuracy of the `java/unreleased-lock` query.
Python
- We’ve added an experimental query `py/prompt-injection` to detect potential prompt injection vulnerabilities in code using LLMs.
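As an added illustration (not code from the CodeQL project or this post) of the kind of code the experimental `py/prompt-injection` query is meant to surface: untrusted text reaching an LLM prompt, such as a request parameter or, per the new `websockets` model, a received websocket message, concatenated straight into the instruction text. The example places that pattern beside a hardened variant that keeps instructions in the system role and bounds the untrusted text. All function names are hypothetical, and the `openai` client call is left as a comment so the block runs offline.

```python
# Added example (not from the CodeQL release notes or the CodeQL project).
# Demonstrates the untrusted-input-into-prompt pattern that py/prompt-injection
# targets, and one mitigation: keep instructions and untrusted data in separate
# roles. Helper names are hypothetical.
import unicodedata

SYSTEM_PROMPT = "You are a support assistant. Answer only questions about billing."
MAX_USER_CHARS = 2000


def build_prompt_unsafe(user_text: str) -> str:
    # The shape the query flags: remote input is interpolated directly into the
    # instruction string, so the model cannot tell instructions from data.
    return f"{SYSTEM_PROMPT}\nUser request: {user_text}\nRespond:"


def sanitize_untrusted(text: str) -> str:
    # Normalise, drop control characters (keep newlines) and cap the length.
    # This bounds cost and removes the cheapest tricks; it does not make the
    # text trusted, which is why it still goes in the user role only.
    text = unicodedata.normalize("NFKC", text)
    text = "".join(
        ch for ch in text
        if ch == "\n" or not unicodedata.category(ch).startswith("C")
    )
    return text[:MAX_USER_CHARS]


def build_messages(user_text: str) -> list[dict]:
    # Hardened shape: the system message carries only developer-controlled
    # instructions; untrusted text is confined to the user role.
    return [
        {"role": "system", "content": SYSTEM_PROMPT},
        {"role": "user", "content": sanitize_untrusted(user_text)},
    ]


def instruction_text(messages: list[dict]) -> str:
    # Everything that reached the instruction (system) role, for review/tests.
    return "\n".join(m["content"] for m in messages if m["role"] == "system")


if __name__ == "__main__":
    # constructed sample input standing in for a request parameter or a
    # websockets message; the openai call is the sink the new models cover:
    #   client.chat.completions.create(model="...", messages=build_messages(text))
    text = "How do I update my card?\x00 extra"
    print(build_messages(text))
    print(instruction_text(build_messages(text)))
```

Role separation is a mitigation, not a proof of safety: the model may still follow text in the user role, so keep the system prompt narrow and validate the model's output before acting on it.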
GitHub Actions
- We’ve fixed a crash when analyzing a `${{ ... }}` expression over around 300 characters in length.
For a full list of changes, please refer to the complete changelog for version 2.24.1. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.24.1 will also be included in a future GitHub Enterprise Server (GHES) release. If you use an older version of GHES, you can manually upgrade your CodeQL version.