CodeQL improves JavaScript and Ruby analysis in version 2.21.1

CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released version 2.21.1 of CodeQL. Here’s what’s new and improved in this release.

GitHub Actions

  • This CodeQL release coincides with the general availability of support for analyzing GitHub Actions workflows. Learn more in the dedicated changelog post.
  • We’ve improved alert fix suggestions for the actions/missing-workflow-permissions query, making it easier for you to resolve alerts.

JavaScript/TypeScript

  • We’ve added new detections of sources and sinks in Next.js and DOM element references, improving the detection of XSS issues.
  • We’ve enhanced path injection detection for several additional methods.
  • We’ve fixed an issue where tsconfig.json files containing array literals and trailing commas weren’t correctly extracted.

Ruby

  • We’ve improved the rb/useless-assignment-to-local query, so you’ll see fewer false positives and will get helpful documentation for alerts.
  • The rb/uninitialized-local-variable query now only generates an alert when a variable is used as a method call receiver. This should reduce noise. In addition, new help content is available for this query.
  • Calls to super without explicit arguments now have their implicit arguments generated, resulting in more accurate analysis.
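
The pattern the rb/uninitialized-local-variable query now focuses on, as an added Ruby example that is not part of the changelog: a local assigned on only one branch is nil on the other, and using it as a method call receiver fails at runtime; the method names and strings are constructed for illustration.

```ruby
# Added example (not from the CodeQL changelog): the bug class behind the
# rb/uninitialized-local-variable alert. Ruby treats `label` as a defined
# local (value nil) from the first assignment the parser sees, so on the
# path that skips the assignment the receiver of `.upcase` is nil.

# Flagged pattern: `label` is never assigned when `verbose` is false, yet
# it is used as the receiver of a method call.
def describe_unsafe(verbose)
  if verbose
    label = "detailed"
  end
  label.upcase # raises NoMethodError (undefined method for nil) when verbose is false
end

# Fixed pattern: initialise the local on every path before using it as a
# receiver, so the query has nothing to report.
def describe_safe(verbose)
  label = verbose ? "detailed" : "brief"
  label.upcase
end
```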

For a full list of changes, check out the complete changelog for version 2.21.1. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.21.1 will also be included in GitHub Enterprise Server (GHES) version 3.18. If you’re using an older version of GHES, you can manually upgrade your CodeQL version.

Linking a pull request to an issue makes it easy for collaborators to see that work for the issue is underway. Today, when a linked pull request is merged, the associated issue is automatically closed.

But for many teams, merging a PR doesn’t mean the work is done. There might be QA, validation, or follow-up steps before an issue is truly resolved. With this new repository setting, you can choose whether merging a pull request should automatically close its linked issues.

Repository admins and maintainers can manage this setting under Repository settings > General > Issues. It’s enabled by default to preserve existing behavior.

For questions and feedback, join the discussion in GitHub Community.

GitHub Copilot code review now supports C, C++, Kotlin, Swift, and several other popular languages.

With this update, you can receive AI-powered review suggestions for even more code in your pull requests. See the full list of supported languages in our documentation.

Copilot code review now covers over 90% of the file types typically found in pull requests, so more of your code benefits from intelligent insights.

We’ve also improved the quality of suggestions. Copilot code review now surfaces higher-quality, more actionable feedback by better handling of low-confidence and suppressed results. These improvements are especially noticeable in C#, where Copilot now provides more accurate and relevant suggestions with improved version awareness.

In addition, Copilot has improved its ability to understand context. Instead of primarily looking at the file diff in the pull request, it now considers the entire file. This leads to more holistic and relevant review suggestions.

For more details or to join the conversation, visit GitHub Community discussions.