You can now add organisation-level CodeQL model packs to improve code scanning coverage for your GitHub organization. This ensures that custom libraries and frameworks are recognised by CodeQL.
In most cases, the out-of-the-box CodeQL threat models provide the best coverage for identifying potential vulnerabilities in your GitHub repositories using code scanning. The CodeQL team at GitHub keeps a close eye on the most widely-used open-source libraries and frameworks to ensure CodeQL recognizes untrusted data that enters an application. For cases which cannot be covered by default, such as custom-built or inner-sourced frameworks and libraries, you can create custom CodeQL model packs to help CodeQL detect additional security vulnerabilities in your code.
When you configure CodeQL model packs at scale, the packs will be used in every code scanning analysis that uses default setup in the organization. By default, code scanning will download the latest version of each model pack, meaning that the latest changes to the pack (such as adding information about new frameworks) will automatically be included. Alternatively, you can configure specific sets of CodeQL models to use by stating a specific version (or version range). For more information, see Editing your configuration of default setup in the GitHub documentation.
You can use the CodeQL model editor in VS Code to easily create custom CodeQL model packs for libraries and frameworks written in C# and Java/Kotlin. Custom CodeQL model packs are also supported for code written in JavaScript and Ruby and we will be adding support for these and other CodeQL-supported languages in the CodeQL model editor in the future.
This functionality is now available on GitHub.com and will be available in GitHub Enterprise Server 3.14.