Release 2.23.7 (2025-12-05)

Deprecations

• The --save-cache flag to codeql database run-queries and other commands that execute queries has been deprecated. This flag previously instructed the evaluator to aggressively write intermediate results to the disk cache, but now has no effect.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.7.

Breaking changes

• The LGTM results format for uploading to LGTM has been removed.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.6.

Breaking changes

• In order to make a @kind path-problem query diff-informed, the getASelectedSourceLocation and getASelectedSinkLocation predicates in the dataflow configuration now need to be overridden to always return the location of the source/sink in addition to any other locations that are selected by the query. See the QLdoc for more details.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.5.

Breaking changes

• The --permissive command line option has been removed from the C/C++ extractor, and passing the option will make the extractor fail. When calling the extractor directly, --permissive should no longer be passed.

Bugs fixed

• Fixed a bug that made many codeql subcommands fail with the message not in while, until, select, or repeat loop on Linux or macOS systems where /bin/sh is zsh.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.3.

New features

• CodeQL Go analysis now supports the "Git Source" type for private package registries. This is in addition to the existing support for the "GOPROXY server" type.

Fixes

• The codeql generate query-help command now prepends the query's name (taken from the .ql file) as a level-one heading when processing markdown query help, for consistency with help generated from a .qhelp file.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.2.

Release 2.23.1 (2025-09-23)

New features

• CodeQL now adds the sources and sinks of path alerts to the relatedLocations
  property of SARIF results if they are not included as the primary location or
  within the alert message. This means that path alerts will show on PRs if a
  source or sink is added or modified, even for queries that don't follow the
  common convention of selecting the sink as the primary location and mentioning
  the source in the alert message.

• CodeQL now populates file coverage information for GitHub Actions on
  the tool status page for code scanning.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.1.

Miscellaneous

• The build of Eclipse Temurin OpenJDK that is used to run the CodeQL
  CLI has been updated to version 21.0.8.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.23.0.

There are no user-facing CLI changes in this release.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.22.4.

New features

• The codeql database cleanup command now takes the --cache-cleanup=overlay option, which trims the cache to just the data that will be useful when evaluating against an overlay.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.22.3.

Bug fix

• Fixes a bug in query suites where the version property of an import instruction was ignored.

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.22.2.