Skip to content Skip to sidebar

/ Blog

Use Copilot for free Contact sales

Categories

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open Source
- Open Source
  Everything open source on GitHub.
  - Git
    The latest Git updates.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
  - Gaming
    Explore open source games on GitHub.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Contact sales Use Copilot for free

Back to changelog

Release

May 28, 2025 • 2 minute read

Incremental security analysis makes CodeQL up to 20% faster in pull requests

CodeQL scans on pull requests for JavaScript, TypeScript, Java, Ruby, and Python are now up to 20% faster. This is powered by our new incremental analysis, which only analyzes new or changed code.

During our private beta and internal testing across more than 8000 repositories, significant speed improvements were observed across all supported languages. JavaScript and TypeScript experienced the highest average reduction in overall scan times, with the most impacted scans being 58% faster. In future updates, we will support additional languages not yet covered by incremental analysis in this release.

Incremental analysis does not change which alerts are reported in GitHub, nor how they are reported. So, for the vast majority of users, everything will look the same as it looks today, but faster.

This new technology does change how data is processed and reported by different components in the analysis pipeline:

The CodeQL GitHub Action will now only report new alerts found within the changed code (the diff range). Previously, the CodeQL Action returned all the alerts found in the entire codebase, and only relevant findings were reported in the pull request. If you have a special custom use of the CodeQL Action, you should be aware of this change.
When retrieving CodeQL results for a pull request using the code scanning API (using the pr query parameter), it only returns new alerts in the code that was changed in the PR. All other ways of engaging with that API remain unchanged.

This behavior applies to all CodeQL scans performed during a pull request, regardless of whether the language currently has incremental analysis support.

Incremental analysis is now available and enabled by default on github.com and will be coming to CodeQL CLI users at a later date. On GitHub Enterprise Server this feature will be available starting with version 3.19.

This release marks the first stage of our broader initiative to make CodeQL scanning faster and more efficient, providing developers with quicker feedback while maintaining the robust security checks that teams rely on.

May.20 Improvement

CodeQL adds support for Kotlin 2.2.0x in version 2.21.3

application security

May.20 Improvement

Secret scanning alerts API now supports hiding secret literals

application security

May.20 Improvement

Secret Protection expands default pattern support (May 2025)

application security

May.15 Release

CodeQL support for Swift 6.1 in version 2.21.2

application security

May.13 Improvement

Enterprise-level management for secret scanning alert dismissal requests is now available

application security

May.02 Improvement

Track progress on code scanning alerts with the new development section

application security

May.01 Improvement

GitHub now provides a warning about hidden Unicode text

application security

Apr.30 Retired

Closing down code scanning alerts tracked in tasklists

application security

Apr.29 Release

Credential revocation API to revoke exposed PATs is now generally available

application security