CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.26.0, which adds support for Kotlin 2.4.0, introduces a JavaScript and TypeScript query for system prompt injection, and improves analysis accuracy across multiple languages.

Language and framework support

Kotlin: CodeQL now supports Kotlin versions up to 2.4.0.

C#: We’ve added Razor Page handler method parameters, such as parameters for OnGet, OnPost, and OnPostAsync, as remote flow sources. Security queries such as cs/sql-injection can now detect vulnerabilities involving these parameters in PageModel subclasses.

Go: We’ve added models for the log/slog package introduced in Go 1.21. The go/log-injection and go/clear-text-logging queries can now detect issues in code that uses slog package functions and slog.Logger methods.