CodeQL is the static analysis engine behind GitHub code scanning, which finds security issues in your code so that you can remediate them. We've recently released CodeQL 2.22.2 and 2.22.3, which expand Rust support, improve framework modeling and query accuracy, and add support for the latest version of Kotlin.

Language & framework support

  • Kotlin: Kotlin 2.2.2x is now supported for analysis.
  • React: Taint now propagates through the React use() hook, and the parameters of React server functions (functions marked with the 'use server' directive, which clients invoke over the network) are now treated as taint sources.
  • Rust: Rust language support remains in public preview; these releases extend query coverage to additional classes of security issue and add support for more language features.

Query changes

  • JavaScript: Three JavaScript queries that analyzed GitHub Actions workflows have been removed; they are superseded by queries in the actions QL pack. If you reference the old query IDs in a query filter or in triage automation, update them to the new IDs:
    • js/actions/pull-request-target has been superseded by actions/untrusted-checkout
    • js/actions/actions-artifact-leak has been superseded by actions/secrets-in-artifacts
    • js/actions/command-injection has been superseded by actions/command-injection

For a full list of changes, see the CodeQL 2.22.2 and CodeQL 2.22.3 change logs.

Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. These new CodeQL features will be included in GitHub Enterprise Server (GHES) 3.19. If you use an older version of GHES, you can manually upgrade your CodeQL version.