CodeQL now supports sanitizers and validators in models-as-data
CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. You can now define custom sanitizers and validators using data extensions (models-as-data) across C/C++, C#, Go, Java/Kotlin, JavaScript/TypeScript, Python, Ruby, and Rust.
What’s new
In CodeQL, sanitizers and validators are represented as barriers and barrier guards respectively.
Barriers and barrier guards let you customize how CodeQL tracks tainted data through your code. A barrier marks a function or method whose output is considered sanitized for a specific vulnerability type (e.g., an HTML-escaping function that prevents cross-site scripting). A barrier guard marks a function that returns a boolean indicating whether data is safe, stopping taint flow through guarded branches.
Previously, defining barriers required writing custom CodeQL code. Now, you can add them declaratively in YAML data extension files using two new extensible predicates:
- barrierModel: Stops taint flow at the modeled element for a specified query kind.
- barrierGuardModel: Stops taint flow when a conditional check returns an expected value.
You can add barriers modeled with these new predicates to CodeQL model packs. This makes it easier to extend CodeQL’s analysis to recognize your project’s own sanitization and validation functions without writing custom CodeQL.
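As an added example that is not from the original post or the CodeQL project, a Java data extension that declares an HTML-escaping method as a barrier and a boolean filename validator as a barrier guard. The package, class and method names are invented, and the row layout is an assumption modeled on the language's existing sourceModel/sinkModel rows; confirm the exact columns against the Java customization guide for your CodeQL version before relying on it.

```yaml
# Added example. Names are invented; the column layout is an assumption
# based on the existing sourceModel/sinkModel row format (see lead-in).
extensions:
  # Barrier: the return value of escapeHtml is treated as sanitized for
  # the XSS (html-injection) query kind, so taint stops there.
  - addsTo:
      pack: codeql/java-all
      extensible: barrierModel
    data:
      - ["com.example.web", "HtmlEncoder", false, "escapeHtml", "(String)", "", "ReturnValue", "html-injection", "manual"]

  # Barrier guard: when isSafeFilename(arg) returns true, the guarded
  # argument no longer carries path-injection taint on the branch where
  # that check holds (the expected-value column "true" is an assumption).
  - addsTo:
      pack: codeql/java-all
      extensible: barrierGuardModel
    data:
      - ["com.example.web", "PathValidator", false, "isSafeFilename", "(String)", "", "Argument[0]", "true", "path-injection", "manual"]
```

Place the file under the model pack's data directory declared in its qlpack.yml so code scanning picks it up alongside the pack's source and sink models.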
Learn more
For details and examples on how to define barriers and barrier guards for your language, see the customization guides:
- Customizing library models for C and C++
- Customizing library models for C#
- Customizing library models for Go
- Customizing library models for Java and Kotlin
- Customizing library models for JavaScript
- Customizing library models for Python
- Customizing library models for Ruby
For more information about using CodeQL model packs in GitHub code scanning, see Extending CodeQL coverage with CodeQL model packs.
This feature is available starting with CodeQL 2.25.2.