CodeQL 2.22.2/2.22.3: Expanded Kotlin & Rust Support and Improved Accuracy
Allison reports on CodeQL 2.22.2 and 2.22.3 releases, focusing on expanded Kotlin and Rust support, enhanced static analysis, and improved security detection in GitHub code scanning workflows.
Author: Allison
CodeQL, the static analysis engine at the core of GitHub code scanning, has received key updates in versions 2.22.2 and 2.22.3. These new releases focus on expanding language and framework support, refining query accuracy, and streamlining security scanning for developers.
Language & Framework Support
- Kotlin: Now supports analysis of Kotlin 2.2.2x, broadening coverage for this growing language.
- React: CodeQL now traces taint through React's use() function and identifies parameters of React server functions as taint sources, strengthening its detection of potential vulnerabilities.
- Rust: Rust support remains in public preview, with expanded capabilities to cover additional security issues and new language features.
Query Changes
- JavaScript: Three older queries (js/actions/pull-request-target, js/actions/actions-artifact-leak, js/actions/command-injection) have been replaced by improved queries in the actions QL pack: actions/untrusted-checkout, actions/secrets-in-artifacts, and actions/command-injection (updated).
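An added example, not part of the release notes and not the actions QL pack's own query logic, sketching the pattern that actions/untrusted-checkout is designed to flag: a workflow triggered by pull_request_target (which runs with the base repository's secrets) that checks out the pull request head, i.e. code an outside contributor controls. The checker below is a deliberate simplification (one line-based regex pass instead of a YAML parser, only actions/checkout steps with an explicit ref: are considered), and both workflow texts are constructed samples.

```javascript
// Added example (not from CodeQL): a minimal, line-based approximation of the
// untrusted-checkout pattern. Assumption: the real query models many more
// shapes; this only catches an explicit `ref:` pointing at the PR head.
function findUntrustedCheckout(workflowText) {
  const lines = workflowText.split("\n");
  // The pull_request_target trigger is what makes the job privileged.
  const privileged = lines.some((l) => /\bpull_request_target\b/.test(l));
  if (!privileged) return [];

  const findings = [];
  for (let i = 0; i < lines.length; i++) {
    if (!/^\s*-\s*uses:\s*actions\/checkout@/.test(lines[i])) continue;
    // Inspect this step's `with:` block, stopping at the next step.
    for (let j = i + 1; j < lines.length && !/^\s*-\s/.test(lines[j]); j++) {
      const m = lines[j].match(/^\s*ref:\s*(.+)$/);
      if (m && /github\.(event\.pull_request\.head\.(sha|ref)|head_ref)/.test(m[1])) {
        findings.push({ line: j + 1, ref: m[1].trim() });
      }
    }
  }
  return findings;
}

// Constructed sample: privileged trigger plus checkout of the PR head.
const UNSAFE_WORKFLOW = `name: ci
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: \${{ github.event.pull_request.head.sha }}
      - run: npm test
`;

// Constructed sample: same trigger, but the default (base) ref is checked out.
const SAFE_WORKFLOW = `name: ci
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
`;

module.exports = { findUntrustedCheckout, UNSAFE_WORKFLOW, SAFE_WORKFLOW };
```

Running findUntrustedCheckout over UNSAFE_WORKFLOW reports the ref: line; over SAFE_WORKFLOW it reports nothing, because checking out the base branch in a pull_request_target job does not execute contributor-controlled code.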
For more details, see the official changelogs for CodeQL 2.22.2 and CodeQL 2.22.3.
Deployment & Availability
- New versions are automatically deployed to GitHub code scanning users on github.com.
- Features will be included in GitHub Enterprise Server (GHES) 3.19.
- If you’re on an older GHES version, manual upgrade instructions are available.
Key Takeaways
- Enhanced language and framework support improves vulnerability detection for modern codebases.
- Query improvements provide deeper, more accurate security insights.
- GitHub’s ongoing commitment to secure development is reflected in frequent automatic CodeQL updates.
Developers are encouraged to review the update details for maximum benefit and to keep pipelines secure and current.
This post appeared first on “The GitHub Blog”.