CodeQL 2.26.0 Adds Kotlin 2.4.0 Support and AI Prompt Injection Detection for SDKs

GitHub has released CodeQL 2.26.0, updating its static analysis engine to support Kotlin versions up to 2.4.0. This release introduces significant security scanning capabilities aimed at modern application architectures, specifically targeting security issues found in applications integrating generative AI models.
Related tools
Recommended tools for this topic
These picks prioritize high-intent tools relevant to this topic. Some links may include partner or affiliate tracking.
A strong security and edge platform match across CDN, Zero Trust, and app protection.
View CloudflareA high-relevance security pick for identity, secret management, and team access control.
View 1PasswordStrong for identity, OIDC, and B2B auth readers evaluating implementation tradeoffs.
View Auth0Comparison
| Aspect | Before / Alternative | After / This |
|---|---|---|
| Kotlin Language Support | Supported versions prior to Kotlin 2.4.0 | Full support extended up to Kotlin 2.4.0 |
| AI Prompt Injection Detection | No built-in sinks for OpenAI, Anthropic, or Google GenAI SDKs in JavaScript/TypeScript | Detects untrusted input reaching system prompts, legacy prompts, and realtime instructions |
| C# Razor Pages Support | Razor Page handler methods not recognized as remote flow sources | Identifies OnGet and OnPost handlers as sources to trace vulnerabilities like SQL injection |
| Go Logging Analysis | Limited coverage for the standard log/slog package | Modeled log/slog packages to accurately detect log injection vulnerabilities |
Action Checklist
- Verify the active CodeQL version in your CI/CD pipelines Ensure your runner is utilizing CodeQL engine version 2.26.0 or higher.
- Review JavaScript/TypeScript codebases utilizing AI SDKs Pay close attention to OpenAI Realtime sessions, Anthropic completions, or Google GenAI instructions.
- Check C# projects for Razor Page handler method vulnerabilities Run scans on OnGet and OnPost handlers that handle direct user input.
- Enable log injection checks in Go applications The log/slog package is now covered in default telemetry and security configurations.
Source: GitHub Changelog
This page summarizes the original source. Check the source for full details.

