
codeql



The latest release of CodeQL for VS Code includes new functionality for creating lists of target repositories for multi-repository variant analysis with GitHub code search.

Multi-repository variant analysis (MRVA) allows security researchers to run CodeQL analyses against large numbers of repos straight from the CodeQL extension for VS Code, making it possible to identify new types of security vulnerabilities in the most popular open-source codebases. Curated lists of up to 1,000 widely-used public GitHub repositories are included with MRVA to help you get started quickly – you can even trigger an MRVA run against up to 1,000 repositories in a single GitHub organization.

However, if you’d prefer to target different repositories, you can also create your own custom lists. To make it easier to identify the most relevant repositories to include in your custom lists, we have just released a new integration with the GitHub search API in the CodeQL extension. With this new feature, you can restrict the repositories appearing in your custom lists by the contents of source files, file paths, file location, or any other supported search qualifier.

For more information about how to use GitHub code search with MRVA, see Using GitHub code search to add repositories to a custom list in the CodeQL for VS Code documentation.


Code scanning now has the option to enable default setup for a subset of languages in a repository. This lets you customize the configuration to suit your repository's needs, for example deselecting a language which is failing the analysis.

Default setup makes it easy to get started with code scanning. The supported languages are currently JavaScript/TypeScript, Python, Ruby and Go, and the list is constantly evolving.

When you choose default setup, we automatically tailor a code scanning configuration for the repository. By default we will enable the best CodeQL configuration for all languages in your repository. However, if there is a language that you'd prefer to disable in code scanning, you can now customize the languages in your default setup configuration.

Use the 'edit configuration' page or REST API to edit the default setup configuration for a repository. You can customize the languages and query suites used in the analysis. The configuration can be viewed and edited at any time, during or after setup.

{
  "state": "configured",
  "languages": ["javascript-typescript", "ruby"],
  "query_suite": "default", 
  "updated_at": "2023-02-24T20:00:42Z"
}

For more information on code scanning default setup, see Configuring code scanning automatically.


Today, we're extending CodeQL code scanning support to Swift! Developers working on Swift libraries and apps on Apple platforms can now benefit from our best-in-class code security analysis. We currently identify issues such as path injection, unsafe web view fetches, numerous cryptographic misuses and other types of unsafe evaluation or processing of unsanitized user-controlled data. During this beta, we’ll gradually increase our coverage of distinct weaknesses.

Swift joins our existing supported languages (C/C++, Java/Kotlin, JS/TS, Python, Ruby, C#, and Go), which in sum run nearly 400 checks on your code, all while keeping false positive rates low and precision high.

Set up code scanning on your Swift repositories today and receive actionable security alerts right on your pull requests. Read more about our supported Swift versions and platforms here.

Swift support is available starting with CodeQL version 2.13.3. GitHub.com users are automatically updated, while GitHub Enterprise Server users can update using these guidelines. Security researchers can set up the CodeQL CLI and VS Code extension by following these instructions.

This is just the start for Swift support in GitHub Advanced Security; keep an eye on the main GitHub blog for further announcements. If you have any feedback or questions about the Swift beta, consider joining our community in the #codeql-swift-beta channel in the GitHub Security Lab Slack. Thanks to all Swift community members who have participated in the private beta.


Code scanning default setup is now available for Go!

Default setup automatically finds and sets up the best CodeQL configuration for your repository. It detects the languages in the repository and enables CodeQL analysis for every pull request and every push to the default branch and any protected branches. A repository is eligible for default setup if it uses GitHub Actions and contains JavaScript/TypeScript, Python, Ruby or Go.

You can use default setup on your repository's "Settings" tab under "Code security and analysis".

[Screenshot: code scanning default setup for Go]

This new feature is available on GitHub.com today, and will also ship with GHES 3.10. More language support will be provided soon, and all other CodeQL-supported languages continue to work using a GitHub Actions workflow file. The options to set up code scanning using API uploads or third party analysis tools remain supported and are unchanged.

For more information on code scanning default setup, see Configuring code scanning automatically.


GitHub Code Scanning now supports scanning projects built with C# 11 / .NET 7 and leveraging the latest language features.

These features include:

  • Generic attributes
  • Generic math support
  • Numeric IntPtr and UIntPtr
  • Newlines in string interpolations
  • List patterns
  • Improved method group conversion to delegate
  • Raw string literals
  • Auto-default struct
  • Pattern match Span or ReadOnlySpan on a constant string
  • Extended nameof scope
  • UTF-8 string literals
  • Required members
  • ref fields and ref scoped variables
  • File scoped types

C# 11 / .NET 7 support is available by default in GitHub.com code scanning, the CodeQL CLI, and the CodeQL extension for VS Code.


The new code scanning tool status page allows users to view the status of CodeQL and other code scanning tools.
The page shows all the tools that are enabled on the repository and provides information about their setup types, configurations, and any relevant failures or warnings. If a tool is not working as expected, this is a good place to start troubleshooting the issue.

You can visit the new tool status page by using the button at the top of the repository's Code Scanning page.

[Screenshot: accessing the code scanning tool status page]

Statuses for the tool

The page indicates three possible statuses for the tool: all configurations are working, some need attention, and some are not working.

Code scanning needs to have received at least one analysis for the default branch to provide a tool status. Only the status of the default branch is reported.

The page shows the latest state of all analysis configurations for the tool. For instance, if you created two separate workflows to scan two distinct parts of the repository independently, the page displays the most recent state of the tool by combining the statuses of both.

The page structure

For each tool, the page provides actionable information about misconfigurations and errors, the number of scanned files per language, the setup types and configurations, the list of rules the tool checks against, and detailed CSV reports.

[Screenshot: detailed view of the code scanning tool status page]

Error messages

To help you with debugging, the tool status page shows error messages gathered from multiple code scanning system components during tool setup and analysis execution. These include errors from CodeQL, code scanning workflows, SARIF upload limits, and the internal code scanning system.

Third party code scanning tools are not yet able to deliver tool related errors to the page. In the future, these tools will be able to submit error messages to code scanning via SARIF uploads.

Scanned files

A Scanned Files section shows the number of analysed files per language compared to the number of files in the repository.

The section helps you determine whether code scanning tools are operating correctly on your repository. It only shows information about languages that the tool supports and analyses; languages that are present in the repository but are not supported or analysed by the tool are ignored.

This section is not yet displayed for third party code scanning tools. In the future, third party tools will be able to submit error messages to code scanning via SARIF uploads.

Delivery dates

This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9.

Learn more about code scanning and the tool status page.

Learn more about GitHub Advanced Security.


Code scanning has shipped an API for repositories to programmatically enable code scanning default setup with CodeQL.

The API can be used to:

  • Onboard a repository to default setup: gh api -X PATCH /repos/[org-name]/[repo-name]/code-scanning/default-setup -f state=configured
  • Specify which CodeQL query suite to use in the default setup configuration: gh api -X PATCH /repos/[org-name]/[repo-name]/code-scanning/default-setup -f query_suite=extended
  • View the current default setup configuration for a repository: gh api /repos/[org]/[repo-name]/code-scanning/default-setup
  • Offboard a repository from default setup: gh api -X PATCH /repos/[org-name]/[repo-name]/code-scanning/default-setup -f state=not-configured

When you onboard a repository via the API, you will receive a workflow run ID which can be used to monitor the setup progress. This can be used to see the status and conclusion of the run: gh api repos/[org-name]/[repo-name]/actions/runs/[run-id] --jq '.status, .conclusion'

{
  "state": "configured",
  "languages": ["javascript", "ruby"],
  "query_suite": "default", 
  "updated_at": "2023-02-24T20:00:42Z"
}

For more information, see "Get the code scanning default setup configuration" and "Update the code scanning default setup configuration".
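The onboarding procedure above, from the PATCH that enables default setup through polling the returned run for its status and conclusion, as an added example that is not GitHub's own client code; it also builds and validates the request bodies shown in the default setup configuration post earlier on this page. The `run_id` field name in the PATCH response, the `status`/`conclusion` fields of the run, and the language identifiers beyond those shown on this page are assumptions.

```python
"""Onboard a repository to code scanning default setup and wait for the
set-up run to finish. Added example, not GitHub's client code.

Assumptions (not stated on this page): the PATCH response carries the run
id in a "run_id" field, and GET /repos/{owner}/{repo}/actions/runs/{id}
returns "status" and "conclusion" fields.
"""
import json
import time
import urllib.request

VALID_STATES = {"configured", "not-configured"}
VALID_SUITES = {"default", "extended"}
# "javascript-typescript" and "ruby" appear on this page; "python" and "go"
# are assumed identifiers for the other two languages default setup supports.
SUPPORTED_LANGUAGES = {"javascript-typescript", "python", "ruby", "go"}


def default_setup_request(owner, repo, state=None, query_suite=None, languages=None):
    """Build (method, path, body) for the default-setup endpoint.

    With no settings it is a GET; otherwise a PATCH. Values are validated
    locally so a typo such as query_suite="extend" fails before any call.
    """
    path = f"/repos/{owner}/{repo}/code-scanning/default-setup"
    if state is None and query_suite is None and languages is None:
        return "GET", path, None
    body = {}
    if state is not None:
        if state not in VALID_STATES:
            raise ValueError(f"invalid state {state!r}")
        body["state"] = state
    if query_suite is not None:
        if query_suite not in VALID_SUITES:
            raise ValueError(f"invalid query_suite {query_suite!r}")
        body["query_suite"] = query_suite
    if languages is not None:
        unknown = set(languages) - SUPPORTED_LANGUAGES
        if unknown:
            raise ValueError(f"unsupported languages: {sorted(unknown)}")
        body["languages"] = list(languages)
    return "PATCH", path, body


def github_api(token, method, path, body=None):
    """Minimal real transport over urllib; pass functools.partial(github_api, token)
    as the `api` argument below. Not exercised offline."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        "https://api.github.com" + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"null")


def onboard_and_wait(api, owner, repo, query_suite="default",
                     max_polls=60, poll_interval=10.0):
    """PATCH state=configured, then poll the returned run until it completes.

    `api(method, path, body)` is any callable with the transport's signature,
    so a fake can be injected for testing. Returns (status, conclusion).
    """
    method, path, body = default_setup_request(
        owner, repo, state="configured", query_suite=query_suite)
    reply = api(method, path, body)
    run_id = reply["run_id"]  # assumed field name, see module docstring
    run_path = f"/repos/{owner}/{repo}/actions/runs/{run_id}"
    status = "unknown"
    for _ in range(max_polls):
        run = api("GET", run_path, None)
        status = run["status"]
        if status == "completed":
            return status, run["conclusion"]
        if poll_interval > 0:
            time.sleep(poll_interval)
    raise TimeoutError(f"run {run_id} still {status!r} after {max_polls} polls")
```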


You can now enable the "security extended" query suite for repositories using code scanning default setup with CodeQL. This query suite can be selected during setup, or changed at any time by viewing and editing the CodeQL configuration.

Code scanning's default query suites have been carefully designed to ensure that they look for the security issues most relevant to developers, whilst also minimizing the occurrence of false positive results. However, if you and your developers are interested in seeing a wider range of alerts, you can enable the security extended query suite. This suite includes the same queries as the default query suite, plus:

  • extra queries with slightly lower severity and precision.
  • extra experimental queries.

If you enable the security extended suite you may see more CodeQL alerts in your repository and on pull requests. For more information, see "About code scanning alerts".

[Screenshot: code scanning default setup query suites]

[Screenshot: code scanning default setup view configuration]

Read more about code scanning default setup.


Code scanning is now using a new way of analysing and displaying alerts on pull requests. The change ensures code scanning only shows accurate and relevant alerts for the pull request.

Previously, code scanning presented all alerts unique to the pull request branch, even if they were unrelated to the code changes the pull request introduced. Now, the tool reports only alerts inside the lines of code that the pull request has changed, which makes it easier to fix these contextualised alerts in a timely manner.


The complete list of code scanning alerts on the pull request branch can be seen on the Security tab of the repository.


In addition, code scanning will no longer show fixed alerts on pull requests. Instead, you can check whether an alert has been fixed by your pull request on the Security tab of the repository by using search filters: pr:111 tool:CodeQL. If you fix an alert in the initial commit in the pull request, it will not be present on the PR branch.

This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.10.

Learn more about viewing an alert on your pull request.

Learn more about GitHub Advanced Security.


Today we have released multi-repository variant analysis for CodeQL in public beta to help the OSS security community power up their research with CodeQL.

CodeQL is the static code analysis engine that powers GitHub code scanning. Out of the box, CodeQL is able to find many different types of security vulnerability and flag them up in pull requests.

But one of CodeQL’s superpowers is its versatility and customizability: you can use it to find virtually any pattern in source code. As such, it’s a great tool for finding new types of vulnerabilities – once you’ve identified an interesting pattern, model it as a CodeQL query, and then run it against your repository to find all occurrences of that pattern! But most vulnerabilities are relevant to many codebases. Wouldn’t it be amazing if you could easily run your query against many repos at the same time? Well, now you can with multi-repository variant analysis — which we’ve just shipped in public beta!


This new feature will allow security researchers to run CodeQL analyses against large numbers of repos, straight from the CodeQL extension for VS Code, making it possible to identify new types of security vulnerabilities in the most popular open-source codebases.

Check out the CodeQL for VS Code documentation to learn how to get started with multi-repository variant analysis. We'd also love to hear your feedback on this GitHub community discussion.


Back in November 2022 we announced the public beta for Kotlin analysis. We continue to invest in Kotlin and we now support Kotlin 1.8.0 analysis in beta.

If you have any feedback or questions, please use this discussion thread or open an issue in the open source CodeQL repository if you encounter any problems.

Kotlin beta support is available by default in GitHub.com code scanning, the CodeQL CLI, and the CodeQL extension for VS Code. GitHub Enterprise Server (GHES) version 3.9 will include this beta release.


CodeQL is the engine that powers GitHub code scanning, used by more than 100,000 repositories to catch security vulnerabilities before they cause issues in deployments.

CodeQL is fully integrated into the Pull Request workflow, so it has to be as fast as possible to keep developers unblocked.

We're constantly working on performance improvements, from incremental optimizations to fundamental research, all with the goal of speeding up the nearly 150,000 checks we run every single day, without compromising our best-in-class precision and low false-positive rate.

With the recent release of CodeQL version 2.12, we looked back at the performance gains compared to version 2.11 (September 2022) to see how far we've come. We compared the analysis time for the same 55,000 repositories on GitHub.com and found an average improvement of 15.7% across all supported languages:

[Chart: CodeQL 2.11 to 2.12 analysis time improvement per language]

Users on GitHub.com automatically run the latest CodeQL version. Customers on GitHub Enterprise Server can update by following the sync processes explained here.


Following feedback from code scanning users, we've moved documentation about the CodeQL CLI from codeql.github.com to docs.github.com, the main GitHub Docs site.

You can now find the articles under the “Using the CodeQL CLI” and “CodeQL CLI reference” categories, which correspond to the categories on the original site. We’ve updated each of the original articles on codeql.github.com with links to the new location of the article and to each subsection, so that if you go to the old location you can easily find the information you need.

The source files now exist in Markdown format in the public, open-source docs repository. If you would like to contribute, you can consult and follow the steps listed in the GitHub Docs contributing guide.


Code scanning can now be set up to never cause a pull request check failure.

By default, any code scanning alerts with a security-severity of critical or high will cause a pull request check failure.
You can specify which security-severity level for code scanning results should cause the code scanning check to fail, including None, by going to the "Code security and analysis" tab in the repository settings.

[Screenshot: code scanning settings]

This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9. Learn more about severity levels for security alerts and Code scanning results check failures on pull requests.


On March 30, 2022, we released CodeQL Action v2, which runs on the Node.js 16 runtime. In April 2022, we announced that CodeQL Action v1 would be deprecated at the same time as GitHub Enterprise Server (GHES) 3.3.
This deprecation period has elapsed and starting January 18, 2023, CodeQL Action v1 is now discontinued.
It will no longer be updated or supported, and while we will not be deleting it except in the case of a security vulnerability, workflows using it may eventually break.
New CodeQL analysis capabilities will only be available to users of v2.

For more information about this deprecation, please see the original deprecation announcement from April 2022.

How does this affect me?

If you use code scanning with CodeQL on any of the following platforms, you should update your workflow file(s) to use CodeQL Action v2 as soon as possible:

  • GitHub.com (including open source repositories, users of GitHub Teams and GitHub Enterprise Cloud)
  • GHES 3.4.13 and later

Users of GHES 3.4.12 or earlier: please read this section in the original deprecation announcement.

What do I need to change in my workflow?

To upgrade to the CodeQL Action v2, open your CodeQL workflow file(s) in the .github/workflows directory of your repository and look for references to:

  • github/codeql-action/init@v1
  • github/codeql-action/autobuild@v1
  • github/codeql-action/analyze@v1
  • github/codeql-action/upload-sarif@v1

These entries need to be replaced with their v2 equivalents:

  • github/codeql-action/init@v2
  • github/codeql-action/autobuild@v2
  • github/codeql-action/analyze@v2
  • github/codeql-action/upload-sarif@v2

If you use a pinned version of the CodeQL Action in your workflows, for example github/codeql-action/init@32be38e, check the latest Actions workflow run summary on your repository.
If you see a warning stating that you are running CodeQL Action v1, then please update your workflow to reference v2 or alternatively the latest github/codeql-action commit tagged v2.
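A script that performs the v1 to v2 substitution described above across a workflows directory and reports pinned commit references, which cannot be upgraded by text substitution and need the manual check against the Actions run summary that the post recommends. This is an added example, not GitHub's own tooling; the sample workflow it carries is constructed, with the pinned reference borrowed from the post.

```python
"""Rewrite github/codeql-action@v1 references to @v2 in GitHub Actions
workflow files and flag references that are neither v1 nor v2 (pinned
commits, other tags). Added example; not GitHub's tooling."""
import pathlib
import re

ACTIONS = ("init", "autobuild", "analyze", "upload-sarif")
# Matches e.g. "github/codeql-action/init@v1"; group 1 is the action,
# group 2 the ref (stops at whitespace, a comment or a quote).
REF_RE = re.compile(r"github/codeql-action/(%s)@([^\s#'\"]+)" % "|".join(ACTIONS))


def upgrade_codeql_refs(text):
    """Return (new_text, report) for one workflow file's contents.

    report["upgraded"] lists v1 refs (v1 or v1.x.y tags) rewritten to v2;
    report["pinned"] lists refs that are not v1/v2, such as commit SHAs,
    which must be checked by hand against the latest run summary.
    """
    upgraded, pinned = [], []

    def repl(m):
        action, ref = m.group(1), m.group(2)
        if ref == "v1" or ref.startswith("v1."):
            upgraded.append(m.group(0))
            return f"github/codeql-action/{action}@v2"
        if not (ref == "v2" or ref.startswith("v2.")):
            pinned.append(m.group(0))
        return m.group(0)

    new_text = REF_RE.sub(repl, text)
    return new_text, {"upgraded": upgraded, "pinned": pinned}


def upgrade_workflow_dir(workflows_dir=".github/workflows", dry_run=True):
    """Apply upgrade_codeql_refs to every .yml/.yaml file in the directory.

    Files are only written when dry_run is False; the per-file reports are
    returned either way so a dry run shows what would change.
    """
    results = {}
    for path in sorted(pathlib.Path(workflows_dir).glob("*.y*ml")):
        original = path.read_text()
        new_text, report = upgrade_codeql_refs(original)
        if new_text != original and not dry_run:
            path.write_text(new_text)
        results[str(path)] = report
    return results


# Constructed sample: a plain v1 ref, a v1.x tag, an already-upgraded ref
# and a pinned commit (the SHA is the one quoted in the post above).
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v3
  - name: Initialize CodeQL
    uses: github/codeql-action/init@v1
    with:
      languages: javascript
  - uses: github/codeql-action/autobuild@v2
  - uses: github/codeql-action/analyze@32be38e  # pinned commit
  - uses: github/codeql-action/upload-sarif@v1.1.39
"""

if __name__ == "__main__":
    rewritten, summary = upgrade_codeql_refs(SAMPLE_WORKFLOW)
    print(rewritten)
    print("upgraded:", summary["upgraded"])
    print("pinned, check manually:", summary["pinned"])
```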

Can I use Dependabot to help me with this upgrade?

All users on GitHub.com, and GHES customers using GitHub Advanced Security with a local copy of github/codeql-action, can use Dependabot to automatically upgrade their Actions dependencies.
For more details on how to set this up, please see this page.

GHES customers should also make sure:


The deprecation date for the CodeQL Action v1 is shifting. Initially, this was December 2022, and now it is January 2023. This change follows the updated timeline on the deprecation of GitHub Enterprise Server (GHES) 3.3.

In January 2023, the CodeQL Action v1 will be officially deprecated (alongside GHES 3.3). GitHub Action workflows that refer to v1 of the CodeQL Action will continue to work, but no new analysis capabilities will be released to v1. New CodeQL analysis capabilities will only be available to users of v2. For more information about this deprecation and detailed upgrade instructions, please see the original deprecation announcement from April 2022.

All users of GitHub code scanning (which by default uses the CodeQL analysis engine) on GitHub Actions on the following platforms should update their workflow files:

Environments in which CodeQL runs in CI/CD systems other than GitHub Actions are not affected by this deprecation.


Starting today, GitHub code scanning includes beta support for analyzing code written in Kotlin, powered by the CodeQL engine.

Kotlin is a key programming language used in the creation of Android mobile applications, and is an increasingly popular choice for new projects, augmenting or even replacing Java. To help organisations and open source developers find potential vulnerabilities in their code, we’ve added Kotlin support (beta) to the CodeQL engine that powers GitHub code scanning. CodeQL now natively supports Kotlin, as well as mixed Java and Kotlin projects. Set up code scanning on your repositories today to receive actionable security alerts right on your pull requests. To enable Kotlin analysis on a repository, configure the code scanning workflow languages to include java. If you have any feedback or questions, please use this discussion thread, or open an issue if you encounter any problems.

Kotlin support is an extension of our existing Java support, and benefits from all of our existing CodeQL queries for Java, for both mobile and server-side applications. We’ve also improved and added a range of mobile-specific queries, covering issues such as handling of Intents, Webview validation problems, fragment injection and more.

CodeQL support for Kotlin has already been used to identify novel real-world vulnerabilities in popular apps, from task management to productivity platforms. You can watch the GitHub Universe talk on how CodeQL was used to identify vulnerabilities like these here.

Kotlin beta support is available by default in GitHub.com code scanning, the CodeQL CLI, and the CodeQL extension for VS Code. GitHub Enterprise Server (GHES) version 3.8 will include this beta release.


Last year, we launched Ruby analysis support in beta for GitHub code scanning. Today, we're announcing the general availability of this feature — covering even more vulnerabilities in Ruby code.

Ruby is part of the top 10 most popular languages on GitHub today. In the past year alone, code scanning (powered by the CodeQL engine) helped Ruby developers resolve more than 4,000 security issues. Set up code scanning on your repositories today and receive actionable security alerts right on your pull requests.

Since shipping in beta, our Ruby analysis has more than doubled the number of common weaknesses (CWEs) that it can detect. A total of 30 rules check your code for a range of vulnerabilities, including cross-site scripting (XSS), regular expression denial-of-service (ReDoS), SQL injection, and more. Additional library and framework coverage for Ruby-on-Rails ensures that web service developers get even more precise results. We currently support all common Ruby versions, up to and including 3.1. Check out the documentation for more details on compatibility.

Ruby support is available by default in GitHub.com code scanning, the CodeQL CLI, and the CodeQL extension for VS Code. GitHub Enterprise Server (GHES) version 3.4 shipped with Ruby (beta) support, and GHES 3.8 will include this GA release.


CodeQL comes with a built-in package manager that helps you share and manage custom queries. Last year, we announced the public beta of CodeQL packaging — including direct integration into GitHub code scanning. This makes it easier to roll out custom queries to your repositories and gives you full control over exactly which queries are run.

This functionality will soon be released for users of GitHub Enterprise Server (GHES): it will be available with GHES 3.7. This release also includes support for using packs that are published to GitHub Container Registries (GHCR) hosted on GHES.

How do I use CodeQL query packs in code scanning?

To use CodeQL query packs in code scanning, specify a with: packs: entry in the uses: github/codeql-action/init@v2 section of your code scanning workflow. By default, code scanning downloads packs from the GHCR on GitHub.com, so if you want to run one of the standard CodeQL query packs or any other public CodeQL query pack, simply include the pack scope/name and version requirements here. You can find the full documentation here.

If you want to run packs from the GHCR on GHES, then you need to tell code scanning how to access and authenticate to the appropriate registry. For an example of how to do this in your code scanning workflow, see Downloading CodeQL packs from GitHub Enterprise Server in the GitHub documentation.

How do I publish my own CodeQL packs?

You can publish your own CodeQL packs using the CodeQL CLI. By default, the CodeQL CLI publishes packs to the GHCR on GitHub.com. If you want to publish packs to the GHCR associated with your instance of GHES, you need to tell the CodeQL CLI how to access and authenticate to the registry you want to work with. For a full example of how to specify these details, see Working with CodeQL packs on GitHub Enterprise Server in the CodeQL CLI documentation.

Where can I find more information about CodeQL packaging and code scanning?

This changelog post only provides a brief summary of how you can use CodeQL packs in code scanning. For more information, see:


CodeQL now officially supports customizing the build configuration for Go analysis in the Actions workflow file. This aligns the Go configuration experience with the C/C++, C#, and Java analysis. The new customization options allow for more flexibility, for example when the build fails, or if analysis is desired on different source files.

All your existing CodeQL workflows for Go analysis will continue to work and continue to be supported. You don’t need to take any action to keep Go analysis running.

Example Actions workflow steps using Go build customization

steps:
  - name: Checkout repository
    uses: actions/checkout@v3

  - name: Initialize CodeQL
    uses: github/codeql-action/init@v2
    with:
      languages: go

  - name: Build code
    # The block scalar (|) keeps each command on its own line; without it
    # YAML folds the lines into a single "make bootstrap make release" command.
    run: |
      # You can modify these commands or add new commands to customize the build process
      make bootstrap
      make release

  - name: Perform CodeQL Analysis
    uses: github/codeql-action/analyze@v2

Learn more about CodeQL and code scanning.
