Faster CodeQL Scans in Pull Requests
GitHub has announced an improvement to CodeQL incremental analysis that significantly speeds up security scans during pull requests. The enhancement builds on an earlier 20% improvement by now generating a CodeQL database specifically for new or changed code and merging it with a cached database representing your entire codebase.
Performance Gains Across Languages
Analysis across over 100,000 repositories reveals substantial speedups depending on baseline scan duration:
- JavaScript/TypeScript: 29–70% faster depending on repository size
- Python: 11–70% faster
- Ruby: 10–63% faster
- Java: 22–51% faster
- C#: 4–8% faster
Larger repositories (those with scan times exceeding 7 minutes) see the most dramatic improvements, with JavaScript/TypeScript and Python projects experiencing up to 70% acceleration.
Availability and Requirements
The improved incremental analysis is enabled by default for C#, Java, JavaScript/TypeScript, Python, and Ruby projects that use the "none" build mode (source extraction without a build step), in both default and advanced setup on github.com. It applies only to repositories using the default CodeQL query suite.
Developers should note that CodeQL CLI support for incremental scanning will arrive at a later date. Teams using CodeQL through GitHub's web interface will benefit immediately from these improvements.
What Developers Need to Know
No action is required for most users—incremental analysis is enabled automatically. Teams using advanced CodeQL configurations or custom query suites may not see these performance gains. For those running CodeQL locally via CLI, the incremental scanning feature is still forthcoming.
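The conditions listed under "Availability and Requirements" and repeated here map directly onto a code-scanning workflow. The following advanced-setup workflow is an added example, not taken from GitHub's changelog or documentation; it assumes the `github/codeql-action` v3 inputs (`languages`, `build-mode`, `queries`) as I know them and shows which settings keep a job on the incremental path and which would take it off that path.

```yaml
# Added example (not from the GitHub changelog): an advanced-setup CodeQL
# workflow that meets the stated conditions for incremental analysis in PRs.
name: CodeQL (advanced setup)

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # required to upload SARIF results
      contents: read
    strategy:
      fail-fast: false
      matrix:
        # Two of the languages the page lists as eligible; one job per language.
        language: [javascript-typescript, python]
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # "none" build mode: the extractor reads source without running a
          # build, which is one of the stated conditions for incremental analysis.
          build-mode: none
          # No `queries:` or `config-file:` input, so the default query suite runs.
          # Adding e.g. `queries: security-extended` or a custom query pack
          # would mean this job may not see the incremental speedups.

      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

The same workflow run from the CodeQL CLI would not yet benefit, since the page notes CLI support for incremental scanning is still forthcoming.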