Release 2.24.0 (2026年01月26日)

Miscellaneous

• The OWASP Java HTML Sanitizer library used by the CodeQL CLI for internal documentation generation commands has been updated to version 20260102.1.
• The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.9.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.24.0.

Release 2.23.9 (2026年01月09日)

Deprecations

• Support for Kotlin version 1.6 and 1.7 has been deprecated and will be removed from CodeQL version 2.24.1. Starting with version 2.24.1, users will need to use Kotlin version >= 1.8 to extract Kotlin databases.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.9.

Release 2.23.8 (2025年12月10日)

This release contains no CLI changes.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.8.

Release 2.23.7 (2025年12月05日)

Deprecations

• The --save-cache flag to codeql database run-queries and other commands that execute queries has been deprecated. This flag previously instructed the evaluator to aggressively write intermediate results to the disk cache, but now has no effect.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.7.

Breaking changes

• The LGTM results format for uploading to LGTM has been removed.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.6.

Breaking changes

• In order to make a @kind path-problem query diff-informed, the getASelectedSourceLocation and getASelectedSinkLocation predicates in the dataflow configuration now need to be overridden to always return the location of the source/sink in addition to any other locations that are selected by the query. See the QLdoc for more details.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.5.

Breaking changes

• The --permissive command line option has been removed from the C/C++ extractor, and passing the option will make the extractor fail. When calling the extractor directly, --permissive should no longer be passed.

Bugs fixed

• Fixed a bug that made many codeql subcommands fail with the message not in while, until, select, or repeat loop on Linux or macOS systems where /bin/sh is zsh.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.3.

New features

• CodeQL Go analysis now supports the "Git Source" type for private package registries. This is in addition to the existing support for the "GOPROXY server" type.

Fixes

• The codeql generate query-help command now prepends the query's name (taken from the .ql file) as a level-one heading when processing markdown query help, for consistency with help generated from a .qhelp file.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.2.

Release 2.23.1 (2025年09月23日)

New features

• CodeQL now adds the sources and sinks of path alerts to the relatedLocations
  property of SARIF results if they are not included as the primary location or
  within the alert message. This means that path alerts will show on PRs if a
  source or sink is added or modified, even for queries that don't follow the
  common convention of selecting the sink as the primary location and mentioning
  the source in the alert message.

• CodeQL now populates file coverage information for GitHub Actions on
  the tool status page for code scanning.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.1.

Miscellaneous

• The build of Eclipse Temurin OpenJDK that is used to run the CodeQL
  CLI has been updated to version 21.0.8.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.0.