CodeQL 2.26.0 Introduces Kotlin 2.4.0 Support and AI Prompt Injection Detection for JS and TS

GitHub has rolled out CodeQL version 2.26.0, updating its static analysis engine to support contemporary language specifications and AI security models. This release introduces support for Kotlin 2.4.0, allowing teams working on the latest Kotlin versions to run deep security scans. Furthermore, CodeQL addresses emerging security risks in generative AI applications by adding dedicated queries designed to flag prompt injection vulnerabilities within JavaScript and TypeScript codebases.
Related tools
Recommended tools for this topic
These picks prioritize high-intent tools relevant to this topic. Some links may include partner or affiliate tracking.
A strong security and edge platform match across CDN, Zero Trust, and app protection.
View CloudflareA high-relevance security pick for identity, secret management, and team access control.
View 1PasswordStrong for identity, OIDC, and B2B auth readers evaluating implementation tradeoffs.
View Auth0Action Checklist
- Update GitHub Actions workflows or local CLI configurations to use CodeQL 2.26.0 Ensure your action runners pulling CodeQL are synchronized with the latest release.
- Verify Kotlin projects compile properly on Kotlin 2.4.0 before initiating the updated static analysis CodeQL relies on successful compilation for detailed semantic analysis.
- Audit JavaScript and TypeScript codebases utilizing OpenAI, Anthropic, or Google GenAI SDKs The new rules specifically target API session instructions, legacy completion endpoints, and cached content.
- Review C# Razor Page configurations and Go log/slog implementations for newly flagged remote flow sources and log injections Enhanced sink definitions might surface new alerts that were previously skipped.
Source: GitHub Changelog
This page summarizes the original source. Check the source for full details.


