CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve released CodeQL 2.24.2, which adds support for Go 1.26 and Kotlin 2.3.10 and includes improvements that enhance the accuracy of your code scanning results.

Language and framework support

Go

  • Go 1.26 is now supported for analysis.

Kotlin

  • Kotlin versions up to 2.3.10 are now supported for analysis.

Python

  • We’ve added request forgery sink models for the Azure SDK.

Query changes

C#

  • The cs/web/missing-token-validation (“Missing cross-site request forgery token validation”) query now recognizes antiforgery attributes on base controller classes, fixing false positives when [ValidateAntiForgeryToken] or [AutoValidateAntiforgeryToken] is applied to a parent class.
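The inheritance pattern this fix accounts for, as an added ASP.NET Core illustration that is not part of the changelog or the CodeQL query source (controller and action names are hypothetical):

```csharp
using Microsoft.AspNetCore.Mvc;

// Base class shared by every controller that handles browser form posts.
// AutoValidateAntiforgeryToken is an MVC filter attribute with Inherited = true,
// so derived controllers get antiforgery validation on every unsafe-method
// request (POST, PUT, PATCH, DELETE) without repeating the attribute.
[AutoValidateAntiforgeryToken]
public abstract class SecureControllerBase : Controller
{
}

// Derived controller with no antiforgery attribute of its own. Before CodeQL
// 2.24.2 the cs/web/missing-token-validation query could flag ChangeEmail
// because the attribute lives on the parent class; the action is in fact
// protected, and the query now recognizes that.
public class AccountController : SecureControllerBase
{
    [HttpPost]
    public IActionResult ChangeEmail(string newEmail)
    {
        // The antiforgery token has already been validated by the inherited
        // filter before this method runs.
        // ... update the email address for the signed-in user ...
        return RedirectToAction("Index");
    }
}

// Opting a single endpoint out (for example, a webhook authenticated by a
// shared secret rather than a cookie) is explicit and easy to spot in review.
public class WebhookController : SecureControllerBase
{
    [HttpPost]
    [IgnoreAntiforgeryToken]
    public IActionResult Receive() => Ok();
}
```

When triaging remaining alerts from this query, check the full class hierarchy of the flagged controller rather than only the action and its immediate class.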

Java/Kotlin

  • We now consider more ways of checking that a string matches a regular expression as sanitizers for various queries, including java/ssrf, java/path-injection, and java/log-injection. In particular, being annotated with @javax.validation.constraints.Pattern is now recognized as a sanitizer for those queries.

Check out the complete changelog for version 2.24.2 for a full list of changes. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.24.2 will also be included in a future GitHub Enterprise Server (GHES) release. If you use an older version of GHES, you can manually upgrade your CodeQL version.