GitHub CodeQL 2.26.0 adds detection for AI system prompt injection

GitHub CodeQL 2.26.0 adds detection for AI system prompt injection

GitHub CodeQL 2.26.0 adds JavaScript and TypeScript detection for AI system prompt injection and expands SDK coverage.

Format News Brief
Read Time 2 min
Category Cyber Security
Updated Jul 12, 2026

GitHub has released CodeQL 2.26.0 with a security-focused update aimed squarely at the way developers are now wiring generative AI into production software. The July 10 GitHub Changelog post says the release introduces a JavaScript and TypeScript query, js/system-prompt-injection, that can detect cases where untrusted user-provided values flow into an AI model's system prompt and may let an attacker manipulate model behavior.

The change matters because many AI application bugs are not classic memory corruption or authentication failures. They can appear in the boundary between ordinary application inputs and the privileged instructions that tell a model how to act. By adding this pattern to CodeQL, GitHub is pushing prompt-injection review into the same static-analysis workflow many teams already use for SQL injection, server-side request forgery, logging issues, and other code-scanning alerts.

What changed in the release

  • CodeQL now supports Kotlin versions up to 2.4.0.
  • JavaScript and TypeScript analysis adds the new system prompt injection query.
  • GitHub expanded prompt-injection sinks for more OpenAI, Anthropic, and Google GenAI SDK APIs, including Sora prompts, OpenAI Realtime session instructions, Anthropic legacy completion prompts, and Google GenAI cached content and system instructions.
  • C# analysis now treats Razor Page handler parameters such as OnGet, OnPost, and OnPostAsync as remote flow sources, helping existing security queries find more issues in PageModel subclasses.
  • Go analysis adds models for the log/slog package so logging-related queries can cover newer Go applications.

GitHub says every new CodeQL version is automatically deployed to GitHub code scanning users on github.com, while the same functionality will be included in a future GitHub Enterprise Server release. Organizations using older GHES deployments can manually upgrade their CodeQL version if they want the newer checks before a platform release lands.

The broader signal is that AI security is becoming a normal part of software supply-chain hygiene. Instead of treating prompt injection only as a red-team exercise or runtime monitoring problem, GitHub is giving developers a way to catch risky data flows earlier, during code review and continuous integration. That will not remove the need for model-specific testing or runtime guardrails, but it gives security teams one more enforceable control as AI SDKs spread through everyday web and enterprise applications.

Sources

Cover photo by Al Nahian on Pexels, used under the Pexels License.

Comments (0)

Leave a Comment

Loading comments...