software

CodeQL 2.23.7 and 2.23.8 add security queries for Go and Rust

Published: (December 18, 2025 at 06:03 PM EST)
2 min read
Source: GitHub Changelog

Source: GitHub Changelog

CodeQL is the static analysis engine behind GitHub’s Code Scanning and Code Quality products, which find and remediate issues relating to code quality and security. We’ve recently released CodeQL 2.23.7 and 2.23.8. These releases bring new security queries for Go and Rust, improved overall analysis accuracy, and framework updates across several languages.

Query changes

Go

  • Added go/cookie-secure-not-set to detect cookies without the Secure flag set, potentially leading to sensitive information exposure.
  • Added go/weak-crypto-algorithm to detect the use of broken or weak cryptographic algorithms.
  • Added go/weak-sensitive-data-hashing to detect the use of weak cryptographic hash algorithms on sensitive data.
  • Promoted go/cookie-http-only-not-set from the experimental pack; it identifies cookies lacking the HttpOnly flag, a potential XSS risk. Originally contributed by GitHub user @edvraa.

Rust

  • Added rust/xss to detect cross‑site scripting vulnerabilities.
  • Added rust/disabled-certificate-check to detect disabled TLS certificate checks.
  • Added three example queries (rust/examples/empty-if, rust/examples/simple-sql-injection, rust/examples/simple-constant-password) to help you learn to write CodeQL queries for Rust.

Language and framework support

Java/Kotlin

  • Java analysis no longer forces --source and --target compiler flags for Maven builds; Maven now uses the project’s own compiler configuration, improving build compatibility.
  • Operations that extract only a fixed‑length prefix or suffix of a string (e.g., substring in Java or take in Kotlin) limited to 7 characters or fewer are now treated as sanitizers for the java/sensitive-log query, since the log message contents are truncated.

JavaScript/TypeScript

  • Fixed a bug in the Next.js model that caused the analysis to miss server‑side taint sources in the app/pages folder.

Rust

  • Improved the rust/access-invalid-pointer query with new flow sources and barriers.

C#

  • Compilation errors are now included in the debug log when using buildless analysis (the default mode).
  • Added an extractor option to specify a custom directory for dependency downloads in buildless mode: -O buildless_dependency_dir=.

Python

  • Fixed a bug in the Python extractor’s import handling where a missing import in find_module raised a KeyError. This is a contribution from GitHub user @akoeplinger.

For a full list of changes, refer to the complete changelogs for versions 2.23.7 and 2.23.8. Every new version of CodeQL is automatically deployed to users of GitHub Code Scanning and GitHub Code Quality on GitHub.com. The features and fixes introduced in these releases will be included in GitHub Enterprise Server (GHES) version 3.20. If you use an older GHES version, you can manually upgrade your CodeQL version.

Back to Blog

Related posts

Read more »

Love for Go and Rust rant!

> Warning: rant! Introduction I'm so tired of this shit. Every few weeks, some Rustacean slithers in here with their smug “but have you tried fearless concurren...