Skip to content

/ Blog

Try GitHub Copilot Contact sales

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn about and how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - Scripting & automation
    How GitHub engineers use scripting and automation.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
  - Secure enterprise development
    Locking down the SDLC one step at time.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - Surveys
    What developers and industry leaders say matters most.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open source
- Open source
  Everything open source on GitHub.
  - Documentation
    Tips for creating and maintaining documentation.
  - Gaming
    Open source games on GitHub.
  - Git
    The latest Git updates.
  - Licenses
    Open source licenses, explained.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Categories

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn about and how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - Scripting & automation
    How GitHub engineers use scripting and automation.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
  - Secure enterprise development
    Locking down the SDLC one step at time.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - Surveys
    What developers and industry leaders say matters most.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open source
- Open source
  Everything open source on GitHub.
  - Documentation
    Tips for creating and maintaining documentation.
  - Gaming
    Open source games on GitHub.
  - Git
    The latest Git updates.
  - Licenses
    Open source licenses, explained.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Contact sales Try GitHub Copilot

codeql

Subscribe to all “codeql” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

→ ~ cd github-changelog

→ ~/github-changelog|main git log main

showing all changes successfully

Java projects no longer require a build when using code scanning via default setup

March 21, 2024

CodeQL, the static analysis engine that powers GitHub code scanning, can now analyze Java projects without needing a build. This enables organizations to more easily roll out CodeQL at scale. This new way of analyzing Java codebases is now enabled by default for GitHub.com users setting up new repositories with default setup for code scanning.

Previously, CodeQL required a working build to analyze Java projects. This could either be automatically detected or manually specified. By removing that requirement, our large-scale testing has shown that CodeQL can be successfully enabled for over 90% of Java repos without manual intervention.

This feature is currently in public beta and is accessible to all users scanning Java code using default setup for code scanning on GitHub.com:

Anyone setting up their repo using code scanning default setup will automatically benefit from this new analysis approach.
Repositories containing a mix of Kotlin and Java code still require a working build for CodeQL analysis. CodeQL will default to the autobuild build mode to automatically try and detect the right build command.
Repositories with an existing code scanning setup will not experience any changes. If code scanning is working for you today it will continue to work as-is, and there is no need to change your configuration.

GitHub.com users using advanced setup for code scanning and users of the CodeQL CLI will be able to analyze Java projects without needing a working build as part of CodeQL CLI version 2.16.5. While in public beta, this feature will not be available for GitHub Enterprise Server. As we continue to work on scanning Java projects without needing a working build, send us your feedback.

See more See more

Security overview dashboard: Alert age trends, custom repository and severity filters, and date pickers

March 20, 2024

Starting today, you can take advantage of the new “age” grouping for the alert trends graph and explore enhanced filter options on the security overview dashboard, aimed at improving your analytical process and security management.

Security alert age trends

alert trends grouped by age

Explore the dynamics of your security alerts with the new alert age grouping on the alert trends graph. This new functionality offers a refined view into the lifecycle of your security alerts, enabling you to better evaluate the timeliness and effectiveness of your response strategies.

repository custom property filter on the security overview page

Leverage enhanced filters to fine-tune your security insights on the overview dashboard:
* Custom repository property filters: With repository custom properties, you can now tag your repositories with descriptive metadata, aiding in efficient organization and analysis across security overview.
* Severity filters: Severity-based filters allow you to concentrate on the vulnerabilities that matter most, streamlining the process of security risk assessment and prioritization.
* Improved date picker controls: Navigate through time with ease using the new date picker options, allowing for quick selection of rolling periods like “Last 14 days,” “Last 30 days,” or “Last 90 days.” Bookmark your preferred time window to keep your analysis current with each visit.

You can access these new functionalities in security overview by navigating to the “Security” tab at the organization level.

These features are now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.13.

Learn more about security overview and send us your feedback

See more See more

Code scanning now suggests AI-powered autofixes for CodeQL alerts in pull request (beta)

March 20, 2024

Code scanning autofix is now available in public beta for all GitHub Advanced Security customers. Powered by GitHub Copilot, code scanning suggests fixes for Javascript, Typescript, Java, and Python alerts found by CodeQL.
This feature empowers developers to reduce the time and effort spent remediating alerts found in pull requests, and helps prevent new vulnerabilities from being introduced into your code base.

Autofix

The feature is automatically enabled on all private repositories for GitHub Advanced Security customers.
When code scanning analysis is performed on pull requests, autofixes will be generated for supported alerts. They include a natural language explanation of the suggested fix, together with a preview of the code suggestion that the developer can accept, edit, or dismiss. In addition to changes to the current file, these code suggestions can include changes to multiple files. Where needed, autofix may also add or modify dependencies.

You can see the total number of autofix suggestions provided for CodeQL alerts in open and closed pull requests in security overview:

Autofixes on the overview dashboard

You can configure code scanning autofix for a repository or organisation. You can also use Policies for Code security and analysis to allow autofix for CodeQL code scanning for an enterprise.

Enterprise settings

Code scanning autofix supports, on average, 90% of CodeQL Javascript, Typescript, Java, and Python alerts from queries in the Default code scanning suite. The fix generation for any given alert also depends on the context and location of the alert. In some cases, code scanning won’t display a fix suggestion for an alert if the suggested code change fails syntax tests or safety filtering.

This change is now available to all GitHub Advanced Security customers on GitHub.com. For more information, see About autofix for CodeQL code scanning.

Provide feedback for code scanning autofix here.

See more See more

Enablement trends for security products (public beta)

March 19, 2024

You can now monitor enablement trends for all security products within your GitHub organization. This functionality is designed to give you a detailed overview of how your organization is implementing security product coverage.

new tool adoption report

Explore enablement trends for historical insights into the activation status of GitHub security features:
* Dependabot alerts
* Dependabot security updates
* Code scanning
* Secret scanning alerts
* Secret scanning push protection

Historical data is available from January 1, 2024, with the exception of Dependabot security updates data, which is available from January 17, 2024.

To access the enablement trends page, visit security overview at the organization level. You can find security overview by clicking on the “Security” tab.

This feature is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.13.

Learn more about security overview and join the discussion within the GitHub Community

See more See more

CodeQL 2.16.4: AI-powered autofixes for Java, support for C# 12 & Go 1.22, new queries

March 12, 2024

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.16.4 has been released and has now been rolled out to code scanning users on GitHub.com.

CodeQL code scanning now supports automatic fix suggestions for Java alerts on pull requests, powered by Copilot. This is automatically enabled for all current autofix preview participants. You can sign up for the preview here and use our public discussion for questions and feedback.

The number of generated autofixes is now also visible in a dedicated security overview tile:

security overview showing a counter of fix suggestions

Furthermore, this release

adds support for C# 12 and .NET 8,
adds support for Go 1.22 and improves file coverage of Go analyses for certain project setups,
adds a new Java query for finding instances of keys generated for biometric authentication in an insecure way, and
enables the NoSQL injection query for Python by default.

For a full list of changes, please refer to the complete changelog for version 2.16.4. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

See more See more

CodeQL 2.16.3: AI-powered autofixes for Python, updated queries, and security fixes

March 1, 2024

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.16.3 has been released and has now been rolled out to code scanning users on GitHub.com.

Important changes in this release include:

CodeQL code scanning now supports AI-powered automatic fix suggestions for Python alerts on pull requests. This is automatically enabled for all current autofix preview participants.
A new option has been added to the Python extractor: python_executable_name. This allows you to select a non-default Python executable installed on the system running the scan (e.g. py.exe on Windows machines).
A fix for CVE-2024-25129, a low-severity data exfiltration vulnerability that could be triggered by processing untrusted databases or CodeQL packs.
Two new queries:
- java/android/insecure-local-authentication for finding uses of biometric authentication APIs that do not make use of a Keystore-backed key and thus may be bypassed.
- swift/unsafe-unpacking, that detects code which extracts user-controlled zip archives without validating that the contents of the zip file are not extracted outside the destination directory.
The sinks of queries java/path-injection and java/path-injection-local have been reworked to reduce the number of false positives.

For a full list of changes, please refer to the complete changelog for version 2.16.3. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

See more See more

CodeQL 2.16.2: New Android queries and improved precision

February 21, 2024

CodeQL 2.16.2 is now available to users of GitHub code scanning on github.com, and all new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

Important changes in this release include:

We added two new Java / Android queries (java/android/sensitive-text and java/android/sensitive-notification) to detect sensitive data exposure via text fields and notifications.

We have improved the precision of several C/C++ queries.

We now recognize collection expressions introduced in C# 12 (e.g. [1, y, 4, .. x]).

For a full list of changes, please refer to the complete changelog for version 2.16.2

See more See more

Code scanning can now be enabled on repositories before they contain CodeQL supported languages

February 5, 2024

Code scanning can now be enabled on repositories even if they don’t contain any code written in the languages currently supported by CodeQL. Default setup will automatically trigger the first scan when a supported language is detected on the default branch. This means users can now enable code scanning using default setup, for example on empty repositories, and have confidence that they will be automatically protected in the future when the languages in the repository change to include supported languages.

This also takes effect from the organization level so you can bulk-enable code scanning on repositories without CodeQL supported languages.

Enabled on repo without supported languages

This change is now on GitHub.com and will be available in GitHub Enterprise Server 3.13. For more information, see “About code scanning default setup.”

See more See more

CodeQL 2.16.1: Swift 5.9.2 Support, New Queries, and Scanned-File Count Changes

January 30, 2024

CodeQL 2.16.1 is now available to users of GitHub code scanning on github.com, and all new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

Important changes in this release include:

Swift 5.9.2 is now supported.

We added a new query for Swift, swift/weak-password-hashing, to detect the use of inappropriate hashing algorithms for password hashing and a new query for Java, java/exec-tainted-environment, to detect the injection of environment variables names or values from remote input.

We improved the tracking of flows from handler methods of a PageModel class to the corresponding Razor Page (.cshtml) file, which may result in additional alerts from some queries.

JavaScript now supports doT templates and Go added support for AWS Lambda functions and fasthttp framework.

In the previous version, 2.16.0, we announced that we will update the way we measure the number of scanned files in the Code Scanning UI. This change is now live for JavaScript/TypeScript, Python, Ruby, Swift, and C#.

For a full list of changes, please refer to the complete changelog for version 2.16.1.

See more See more

CodeQL 2.16: Python Dependency Installation Disabled, New Queries, and Bug Fixes

January 23, 2024

CodeQL 2.16.0 is now available to users of GitHub code scanning on github.com, and all new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

Important changes in this release include:

In July 2023, we disabled automatic dependency installation for new CodeQL code scanning setups when analyzing Python code. With the release of CodeQL 2.16.0, we have disabled dependency installation for all existing configurations as well. This change should lead to a decrease in analysis time for projects that were installing dependencies during analysis, without any significant impact on results. A fallback environment variable flag is available to ease the transition, but will be removed in CodeQL 2.17.0. No action is required for Default setup users. Advanced setup users that had previously set the setup-python-dependencies option in their CodeQL code scanning workflows are encouraged to remove it, as it no longer has any effect.

We fixed a bug that could cause CodeQL to consume more memory than configured when using the --ram flag. If you have used this flag to manually override the memory allocation limit for CodeQL, you may be able to increase it slightly to more closely match the system’s available memory. No action is required for users of the CodeQL Action (on github.com or in GHES) who are not using this flag, as memory limits are calculated automatically.

We added 2 new C/C++ queries that detect pointer lifetime issues, and identify instances where the return value of scanf is not checked correctly. We added a new Java query that detects uses of weakly random values, which an attacker may be able to predict. Furthermore, we improved the precision and fixed potential false-positives for several other queries.

The measure of scanning Go files in the code scanning UI now includes partially extracted files, as this more accurately reflects the source of extracted information even when parts of a file could not be analyzed. We will gradually roll this change out for all supported languages in the near future.

We fixed a bug that led to errors in build commands for Swift analyses on macOS that included the codesign tool.

For a full list of changes, please refer to the complete changelog for version 2.16.0 and 2.15.5.

See more See more

Code scanning: deprecation of CodeQL Action v2

January 12, 2024

On December 13, 2023, we released CodeQL Action v3, which runs on the Node.js 20 runtime. CodeQL Action v2 will be deprecated at the same time as GHES 3.11, which is currently scheduled for December 2024.

How does this affect me?

Default setup

Users of code scanning default setup do not need to take any action in order to automatically move to CodeQL Action v3.

Advanced setup

Users of code scanning advanced setup need to change their workflow files in order to start using CodeQL Action v3.

Users of GitHub.com and GitHub Enterprise Server 3.12 (and newer)

All users of GitHub code scanning (which by default uses the CodeQL analysis engine) on GitHub Actions on the following platforms should update their workflow files:

GitHub.com (including open source repositories, users of GitHub Teams and GitHub Enterprise Cloud)
GitHub Enterprise Server (GHES) 3.12 (and newer)

Users of the above-mentioned platforms should update their CodeQL workflow file(s) to refer to the new v3 version of the CodeQL Action. Note that the upcoming release of GitHub Enterprise Server 3.12 will ship with v3 of the CodeQL Action included.

Users of GitHub Enterprise Server 3.11

While GHES 3.11 does support Node 20 Actions, it does not ship with CodeQL Action v3. Users who want to migrate to v3 on GHES 3.11 should request that their system administrator enables GitHub Connect to download v3 onto GHES before updating their workflow files.

Users of GitHub Enterprise Server 3.10 (and older)

GHES 3.10 (and earlier) does not support running Actions using the Node 20 runtime and is therefore unable to run CodeQL Action v3. Please upgrade to a newer version of GitHub Enterprise Server prior to changing your CodeQL Action workflow files.

Exactly what do I need to change?

To upgrade to CodeQL Action v3, open your CodeQL workflow file(s) in the .github directory of your repository and look for references to:

github/codeql-action/init@v2
github/codeql-action/autobuild@v2
github/codeql-action/analyze@v2
github/codeql-action/upload-sarif@v2

These entries need to be replaced with their v3 equivalents:

github/codeql-action/init@v3
github/codeql-action/autobuild@v3
github/codeql-action/analyze@v3
github/codeql-action/upload-sarif@v3

Can I use Dependabot to help me with this upgrade?

Yes, you can! For more details on how to configure Dependabot to automatically upgrade your Actions dependencies, please see this page.

What happens in December 2024?

In December 2024, CodeQL Action v2 will be officially deprecated (at the same time as the GHES 3.11 deprecation). At that point, no new updates will be made to CodeQL Action v2, which means that new CodeQL analysis capabilities will only be available to users of CodeQL Action v3. We will keep a close eye on the migration progress across GitHub. If many workflow files still refer to CodeQL Action v2, we might consider scheduling one or more brownout moments later in the year to increase awareness.

See more See more

Code scanning is now more adaptable to your codebase with CodeQL threat model settings for Java (beta)

December 20, 2023

Use CodeQL threat model settings for Java (beta) to adapt CodeQL's code scanning analysis to detect the most relevant security vulnerabilities in your code.

No two codebases are the same and each is subject to different security risks and threats. Such risks and threats can be captured in a codebase's threat model which, in turn, depends on how the code has been designed and will be deployed. To understand the threat model you need to know what type of data is untrusted and poses a threat to the codebase. Additonally, you need to know how that unstrusted (or tainted) data interacts with the application. For example, one codebase might only consider data from remote network requests to be untrusted, whereas another might also consider data from local files to be tainted.

CodeQL can perform security analysis on all such codebases, but it needs to have the right context. It needs the threat model in order to behave slightly differently on different codebases. That way, CodeQL can include (or exclude) the appropriate sources of tainted data during its analysis, and flag up the most relevant security vulnerabilities to developers who work on the code.

CodeQL's default threat model works for the vast majority of codebases. It considers data from remote sources (such as HTTP requests) as tainted. Using new CodeQL threat model settings for Java, you can now optionally mark local sources of data as tainted. This includes data from local files, command-line arguments, environment variables, and databases. You can enable the local threat model option in code scanning to help security teams and developers uncover and fix more potential security vulnerabilities in their code.

CodeQL threat model settings can be configured in repositories running code scanning with CodeQL via default setup in the GitHub UI. Alternatively, you can specify it through advanced setup (in an Actions workflow file).

If your repository is running code scanning default setup on Java code, go to the Code security and analysis settings and click Edit configuration under Code scanning default setup. Here, you can change the threat model to Remote and local sources. For more information, see the documentation on including local sources of tainted data in default setup.

If your repository is running code scanning advanced setup on Java code, you can customize the CodeQL threat model by editing the code scanning workflow file. For more information, see the documentation on extending CodeQL coverage with threat models. If you run the CodeQL CLI on the command-line or in third party CI/CD, you can specify a --threat-model when running a code scanning analysis. For more information see the CodeQL CLI documentation.

CodeQL threat model settings (beta) in code scanning default setup is available on GitHub.com for repositories containing Java code. It will be shipped in GitHub Enterprise Server 3.13.

See more See more

Code scanning default setup is now available for self-hosted runners on GitHub.com

December 19, 2023

Code scanning default setup is now available for self-hosted runners on GitHub.com. To use default setup for code scanning, assign the code-scanning label to your runner. Default setup now uses actions/github-script instead of the GH CLI. If your organization has a policy which limits GitHub Actions you will need to allow this action in your policy.

Code scanning sees assigned runners when default setup is enabled. As a result, if a runner is assigned to a repository which is already running default setup, you must disable and re-enable default setup to initiate using the runner.

Larger runners are in beta support, with the limitations that you can only define one single larger runner at the org level with the label code-scanning, and Swift analysis is not supported.

For more information, see “Using labels with self-hosted runners.”

Runner with code-scanning label

This is now available on GitHub.com. Self-Hosted runners for default setup are already supported from GitHub Enterprise Server 3.9.

See more See more

CodeQL 2.15.4: Performance Improvements and Updated Language Support

December 13, 2023

CodeQL 2.15.4 is rolling out to users of GitHub code scanning on github.com this week, and all new functionality will also be included in GHES 3.12. Users of GHES 3.11 or older can upgrade their CodeQL version.

Important changes in this release include:

Performance improvements on large runners (instances with 8 to 16 vCPUs) lead to a reduction in end to end analysis time between 5% and 15%, due to more effective parallelization. Where possible, upgrading to larger instances is recommend for projects that currently use 4 or fewer vCPUs and take more than 10 minutes to analyze.
Analysis times for C and C++ code bases of any size are reduced on average by 6%
TypeScript 5.3, Java 21 and Python 3.12 are now supported.
We have resolved a problem causing scan timeouts on macOS (the default for Swift analysis). This problem affected up to 10% of scans for some projects. Although timeouts may still occur, they are now expected in less than 0.5% of scans. We are actively addressing the remaining issues.

For a full list of changes, please refer to the complete changelog for version 2.15.4.

See more See more

CodeQL 2.15.3 supports Swift 5.9, improves C# analysis speed

November 22, 2023

CodeQL 2.15.3 is rolling out to users of GitHub code scanning on github.com this week, and all new functionality will also be included in GHES 3.12. Users of GHES 3.11 or older can upgrade their CodeQL version.

Important changes in this release include:

CodeQL now runs more than 400 security checks across all supported languages when configured with the Default suite, 10% more compared to a year ago
CIL extraction for C# code bases is now disabled by default, which improves query execution time for C# CodeQL databases by up to 25%
Swift code bases using Swift 5.9.1 can now be analyzed using CodeQL, and two new security queries have been added
We’ve also improved the depth and quality of existing queries

For a full list of changes, please refer to the complete changelog for version 2.15.3.

See more See more

View more changes