CodeQL 2.25.0 adds Swift 6.2.4 support
CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.25.0, which upgrades Swift analysis to 6.2.4, rewrites the Java control flow graph for improved accuracy, and includes various other improvements across languages. CodeQL 2.25.1 is also available, but only includes minor bug fixes.
Language and framework support
Swift
- CodeQL now supports analysis of apps built with Swift 6.2.4.
Java/Kotlin
- We’ve completely rewritten the Java control flow graph (CFG) implementation. The new CFG includes additional nodes to more accurately represent certain constructs and only includes nodes reachable from the entry point, improving overall analysis precision.
C#
- We’ve added support for C# 14 partial constructors.
- We’ve added System.Net.WebSockets::ReceiveAsync as a remote flow source, improving detection of taint originating from WebSocket connections.
JavaScript/TypeScript
- We’ve added support for browser-specific source kinds (e.g., browser-url-query, browser-url-fragment, and browser-message-event) that can be used in data extensions to model sources in browser environments.
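As an added illustration (not taken from the release note or from CodeQL's own model packs), here is a data extension that applies two of the new source kinds to a hypothetical router library; the package name my-router, its getQuery and onMessage members, and the three-column sourceModel row layout are assumptions about the JavaScript data-extension format:

```yaml
# Hypothetical data extension (not shipped with CodeQL) that tells the
# JavaScript analysis where browser-controlled data enters via "my-router".
extensions:
  - addsTo:
      pack: codeql/javascript-all
      extensible: sourceModel
    data:
      # Row layout assumed: [type, path, kind]
      # The invented my-router.getQuery() returns the parsed location.search,
      # so its return value is tagged with the new browser-url-query kind.
      - ["my-router", "Member[getQuery].ReturnValue", "browser-url-query"]
      # my-router.onMessage(cb) invokes cb(event) for postMessage traffic;
      # the callback's first parameter is tagged as a browser message event.
      - ["my-router", "Member[onMessage].Argument[0].Parameter[0]", "browser-message-event"]
```

Such a file is typically shipped as a .model.yml inside a CodeQL model pack so the new sources feed the existing taint-tracking queries without editing them.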
For a full list of changes, please refer to the complete changelog for version 2.25.0. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.25.0 will also be included in a future GitHub Enterprise Server (GHES) release. If you use an older version of GHES, you can manually upgrade your CodeQL version.