Language Support Expansion

CodeQL 2.24.2 extends its static analysis capabilities to the latest versions of two major programming languages. Go 1.26 is now fully supported for security analysis, enabling developers using the latest Go release to benefit from GitHub code scanning. Similarly, Kotlin support has been updated to version 2.3.10, ensuring comprehensive coverage for modern Kotlin development.

Query Accuracy Improvements

The release includes targeted refinements to reduce false positives and improve detection accuracy:

C# CSRF Detection: The cs/web/missing-token-validation query now properly recognizes antiforgery attributes applied to base controller classes. This fix addresses cases where [ValidateAntiForgeryToken] or [AutoValidateAntiforgeryToken] decorators on parent classes were previously missed, reducing false positives in ASP.NET applications.

Java/Kotlin Pattern Validation: Queries analyzing injection vulnerabilities (java/ssrf, java/path-injection, java/log-injection) now recognize @javax.validation.constraints.Pattern annotations as sanitizers. This enhancement allows developers to use standard validation annotations more effectively without triggering unnecessary security warnings.

Azure SDK and Availability

Python analysis now includes request forgery sink models for the Azure SDK, improving detection of potential SSRF vulnerabilities in cloud-based Python applications. The new functionality is automatically deployed to GitHub.com users and will be included in future GitHub Enterprise Server releases. Administrators running older GHES versions can manually upgrade their CodeQL installation.