CodeQL 2.23.0 Enhances Security Detection with Rust Log Injection Support



Rongchai Wang
Sep 10, 2025 21:34

GitHub’s CodeQL 2.23.0 release introduces enhanced security detection, including a new Rust log injection query, improved data flow analysis, and faster extraction processes.





GitHub has announced the release of CodeQL 2.23.0, bringing significant improvements to its static analysis engine, which is pivotal for code scanning and security issue remediation. This latest update introduces a host of new features, including enhanced support for Rust, Java, C/C++, C#, and Python, according to The GitHub Blog.

Enhanced Rust Security

The most notable addition in CodeQL 2.23.0 is a new Rust query for log injection, which flags code paths where untrusted input reaches a logging call unsanitized, letting an attacker forge or split log entries (for example by embedding newline characters). The Rust extractor has also been optimized for faster and more reliable extraction, and the models of the std::fs, async_std::fs, and tokio::fs libraries have been improved, so more file-system sinks are recognized and Rust path injection alerts are expected to increase.
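To make the two Rust alert classes concrete, here is an added example that is not from CodeQL, GitHub, or the original article. It contrasts a log-injection sink with a hardened version, and adds a lexical guard for the path-injection pattern that the improved std::fs modeling targets. The function names (log_login_unsafe, log_login_safe, sanitize_for_log, safe_join) and the attacker string are assumptions made for the illustration; a plain format! stands in for a logging crate so the example runs with no dependencies.

```rust
// Added example (not CodeQL's or GitHub's code). A `format!`-based
// "logger" replaces `log::info!` so this runs without any crates.
use std::path::{Component, Path, PathBuf};

/// Vulnerable: untrusted `username` is written verbatim. A value that
/// contains "\n" produces a second, forged log line.
fn log_login_unsafe(username: &str) -> String {
    format!("INFO login failed for user={}", username)
}

/// Neutralise CR, LF and other control characters so that one logging
/// call always yields exactly one line. (`{:?}` on a &str escapes the
/// same characters; an explicit sanitizer keeps the intent visible.)
fn sanitize_for_log(input: &str) -> String {
    input
        .chars()
        .map(|c| match c {
            '\n' => "\\n".to_string(),
            '\r' => "\\r".to_string(),
            c if c.is_control() => format!("\\x{:02x}", c as u32),
            c => c.to_string(),
        })
        .collect()
}

/// Hardened: the sanitized value can no longer break the line structure.
fn log_login_safe(username: &str) -> String {
    format!("INFO login failed for user={}", sanitize_for_log(username))
}

/// Lexical guard for path injection: reject absolute paths and any `..`
/// component before the path reaches std::fs. This does not resolve
/// symlinks; pair it with `canonicalize` once the base exists on disk.
fn safe_join(base: &Path, untrusted: &str) -> Option<PathBuf> {
    let mut out = base.to_path_buf();
    for comp in Path::new(untrusted).components() {
        match comp {
            Component::Normal(seg) => out.push(seg),
            Component::CurDir => {}
            // RootDir, Prefix (Windows drive/UNC) and ParentDir are rejected.
            _ => return None,
        }
    }
    Some(out)
}

fn main() {
    // Constructed attacker input: a newline followed by a forged entry.
    let attacker = "bob\nINFO login succeeded for user=admin";
    println!("{}", log_login_unsafe(attacker)); // two lines in the log
    println!("{}", log_login_safe(attacker));   // one line, newline escaped

    let base = Path::new("/var/app/uploads");
    println!("{:?}", safe_join(base, "../../etc/shadow")); // None
    println!("{:?}", safe_join(base, "2025/report.txt"));  // Some(...)
}
```

In CodeQL terms, `log_login_unsafe` is the sink the new log injection query reports when `username` comes from a remote source, and `sanitize_for_log` is the kind of sanitizer a custom model can declare; `safe_join` is the check that keeps a remote-controlled string from reaching an `std::fs` call as an unrestricted path.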

Java and C/C++ Improvements

In the realm of Java, the update promotes the query java/insecure-spring-actuator-config to the main query pack, now renamed as java/spring-boot-exposed-actuators-config. This query detects the exposure of Spring Boot actuators via configuration files and will now be included in default scans. Additionally, a bug causing false negatives in the java/dereferenced-value-may-be-null query has been addressed.

For C/C++ developers, CodeQL 2.23.0 adds flow summaries for Microsoft::WRL::ComPtr member functions, so data flow is now tracked through ComPtr smart-pointer wrappers, and improves the precision of virtual function call resolution. The more precise dispatch resolution is expected to reduce false positives in C++ project analyses.

Updates for C# and Python

C# developers will benefit from a fix in data flow analysis, allowing more accurate tracking of flows through calls using the base qualifier. The default taint tracking configuration has been updated to cover implicit reads from collections, thereby increasing flow coverage and reducing false negatives.

Python queries have been modernized to produce more complete results, particularly where exceptions are raised conditionally. Alerts that only applied to Python 2 have been dropped from queries such as py/unexpected-raise-in-special-method, py/incomplete-ordering, and py/equals-hash-mismatch, so their results reflect current Python versions.

Deployment and Future Updates

All new features in CodeQL 2.23.0 are automatically deployed to GitHub code scanning users on github.com and will be included in future GitHub Enterprise Server releases. Users operating older versions of the GitHub Enterprise Server can manually upgrade to access the latest CodeQL capabilities.
