CodeQL documentation
CodeQL resources

CodeQL 2.22.0 (2025-06-11)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.22.0 runs a total of 450 security queries when configured with the Default suite (covering 165 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE). 1 security query has been added with this release.

CodeQL CLI

Breaking Changes

  • A number of breaking changes have been made to the C and C++ CodeQL test environment as used by codeql test run:

    • Options starting with a / are no longer supported by semmle-extractor-options. Any option starting with a / should be replaced by the equivalent option starting with a -, e.g., /D should be replaced by -D.

    • Preprocessor command line options of the form -D<macro>#<def> are no longer supported by semmle-extractor-options. -D<macro>=<def> should be used instead.

    • The /Fp and -o options are no longer supported by semmle-extractor-options. The options should be omitted.

    • The -emit-pch, -include-pch, /Yc, and /Yu options, and the --preinclude option taking a pre-compiled header as its argument, are no longer supported by semmle-extractor-options. Any test that makes use of this should be replaced by a test that invokes the CodeQL CLI with the create database option and that runs the relevant queries on the created database.

Query Packs

Minor Analysis Improvements

Python

  • Added SQL injection models from the pandas PyPI package.

New Queries

Golang

  • Query (go/html-template-escaping-bypass-xss) has been promoted to the main query suite. This query finds potential cross-site scripting (XSS) vulnerabilities when using the html/template package, caused by user input being cast to a type which bypasses the HTML autoescaping. It was originally contributed to the experimental query pack by @gagliardetto in https://github.com/github/codeql-go/pull/493.

Language Libraries

Minor Analysis Improvements

Golang

  • The first argument of Client.Query in cloud.google.com/go/bigquery is now recognized as a SQL injection sink.

JavaScript/TypeScript

  • Added taint flow through the URL constructor from the url package, improving the identification of SSRF vulnerabilities.

Swift

  • Updated to allow analysis of Swift 6.1.2.

New Features

C/C++

  • Added a predicate getReferencedMember to UsingDeclarationEntry, which yields a member depending on a type template parameter.

  • © GitHub, Inc.
  • Terms
  • Privacy