Back to news
security Priority 4/5 7/14/2026, 11:05:16 AM

CodeQL 2.26.0 Adds Kotlin 2.4.0 Support and AI Prompt Injection Detection for SDKs

CodeQL 2.26.0 Adds Kotlin 2.4.0 Support and AI Prompt Injection Detection for SDKs

GitHub has released CodeQL 2.26.0, updating its static analysis engine to support Kotlin versions up to 2.4.0. This release introduces significant security scanning capabilities aimed at modern application architectures, specifically targeting security issues found in applications integrating generative AI models.

Related tools

Recommended tools for this topic

These picks prioritize high-intent tools relevant to this topic. Some links may include partner or affiliate tracking.

#github#codeql#security#kotlin#ai

Comparison

AspectBefore / AlternativeAfter / This
Kotlin Language SupportSupported versions prior to Kotlin 2.4.0Full support extended up to Kotlin 2.4.0
AI Prompt Injection DetectionNo built-in sinks for OpenAI, Anthropic, or Google GenAI SDKs in JavaScript/TypeScriptDetects untrusted input reaching system prompts, legacy prompts, and realtime instructions
C# Razor Pages SupportRazor Page handler methods not recognized as remote flow sourcesIdentifies OnGet and OnPost handlers as sources to trace vulnerabilities like SQL injection
Go Logging AnalysisLimited coverage for the standard log/slog packageModeled log/slog packages to accurately detect log injection vulnerabilities

Action Checklist

  1. Verify the active CodeQL version in your CI/CD pipelines Ensure your runner is utilizing CodeQL engine version 2.26.0 or higher.
  2. Review JavaScript/TypeScript codebases utilizing AI SDKs Pay close attention to OpenAI Realtime sessions, Anthropic completions, or Google GenAI instructions.
  3. Check C# projects for Razor Page handler method vulnerabilities Run scans on OnGet and OnPost handlers that handle direct user input.
  4. Enable log injection checks in Go applications The log/slog package is now covered in default telemetry and security configurations.

Source: GitHub Changelog

This page summarizes the original source. Check the source for full details.

Related