Skip to main content
The Quantum Dispatch
Back to Home
Cover illustration for CodeQL 2.26 Adds Free AI Prompt-Injection Detection

CodeQL 2.26 Adds Free AI Prompt-Injection Detection

CodeQL 2.26.0 adds a free js/system-prompt-injection query in code scanning, with new sinks for the OpenAI, Anthropic, and Google GenAI SDKs.

Kai Aegis
Kai AegisJul 13, 20265 min read

CodeQL 2.26.0 Teaches Code Scanning to Catch Prompt Injection

GitHub shipped CodeQL 2.26.0 on July 10, 2026, and the headline is a genuine win for anyone building with large language models: a new query family that flags AI prompt-injection vulnerabilities in JavaScript and TypeScript apps. In plain terms, CodeQL can now spot when untrusted user input flows into an AI model's system prompt — a key weak point in modern LLM software — before that code ever ships. Even better, it is free and folds right into the code scanning that millions of developers already run.

Key Takeaways

  • New query `js/system-prompt-injection` detects untrusted values reaching an AI model's system prompt in JavaScript/TypeScript apps.
  • Added prompt-injection "sinks" for the OpenAI, Anthropic, and Google GenAI SDKs — covering OpenAI Realtime session instructions, Sora prompts, Anthropic legacy completion prompts, and Google GenAI cached content and system instructions.
  • Free and built in — CodeQL is free for open source and included with GitHub Advanced Security, so the check rides along with scans teams already run.
  • Also adds Kotlin 2.4.0 support plus accuracy improvements across C#, Go, Python, Swift, and GitHub Actions.

What Is a Prompt-Injection Vulnerability?

Think of an LLM's system prompt as the standing instructions a developer gives the model: "You are a helpful support agent, stay on topic, never reveal internal data." A prompt-injection vulnerability happens when untrusted input — a user's message, a scraped web page, a file — sneaks into those trusted instructions and quietly rewrites them. The model then follows the attacker's script instead of the developer's.

It is the AI-era cousin of SQL injection: the root problem is mixing untrusted data with trusted commands. Prompt injection sits atop the OWASP Top 10 for LLM applications, which makes automated detection a real milestone.

How Does the New CodeQL Query Work?

CodeQL is GitHub's semantic code-analysis engine. Instead of matching text patterns, it builds a model of your code and traces how data flows. The new `js/system-prompt-injection` query follows taint — the path an untrusted value travels — from a source (like an HTTP request body) to a sink (the system-prompt field of an AI SDK call).

Sinks for the SDKs You Actually Use

The release taught CodeQL where those risky sinks live across three major AI SDKs:

  • OpenAI — Realtime session instructions and Sora prompts.
  • Anthropic — legacy completion prompts.
  • Google GenAI — cached content and system instructions.

By mapping these real-world entry points, CodeQL raises a flag exactly where untrusted input would land in a model's instructions — no guesswork, no bespoke rules to hand-write.

Why This Is a Big Win for Defenders

Here is what I love about this update: it is pure defender enablement. Prompt injection has been a known risk for a couple of years, but catching it usually meant manual review or specialized tooling. Now the check lives inside the same code scanning pipeline that already runs on pull requests, so a developer gets a heads-up while the code is still in review — the cheapest moment to fix anything.

That is the whole spirit of shifting security left. For more on this beat, browse our AI security coverage, and if you like tooling that hardens AI systems, see our roundup of open-source tools that defend AI agents.

More Than Prompt Injection: Kotlin and Accuracy Gains

CodeQL 2.26.0 is not a one-trick release. It adds Kotlin 2.4.0 support and ships accuracy improvements across C#, Go, Python, Swift, and GitHub Actions — fewer false positives and more signal, the quiet work that keeps a scanner trustworthy enough to leave switched on.

Getting Started Is Refreshingly Simple

If your repository already uses GitHub code scanning, the new query flows in with the engine update — there is little to configure. Open-source projects get CodeQL at no cost, and GitHub Advanced Security customers have it included. Pair it with good habits like validating inputs and separating trusted instructions from user data, and you have a layered defense. If you enjoy command-line security tooling too, check out the CVE Lite CLI vulnerability scanner for auditing dependencies.

The takeaway is genuinely encouraging: a whole new class of AI vulnerability just became something millions of developers can catch automatically, before it reaches production. That is exactly the kind of progress worth celebrating.

Sources: GitHub Changelog — July 10, 2026; CodeQL changelog (docs) — July 2026; releases.sh — July 2026

More Ai Security Stories

AI Security

Rustinel Is a Fast Open-Source EDR Built in Rust

Rustinel, launched July 8, is an open-source endpoint detection tool in Rust that unifies Windows and Linux monitoring into one clean codebase.

Kai Aegis
Kai AegisJul 11, 20265 min read
AI Security

CVE Lite CLI Scans npm Projects Right in Your Terminal

CVE Lite CLI, now an OWASP Incubator project, checks JavaScript lockfiles against the OSV database and suggests one-line fixes for npm, pnpm, Yarn, and Bun.

Kai Aegis
Kai AegisJul 11, 20264 min read
AI Security

Cloudflare Adds IPsec Downgrade Protection for Post-Quantum Tunnels

Cloudflare shipped beta IPsec downgrade protection that makes both VPN peers sign the full handshake, blocking attackers from quietly weakening a tunnel's encryption.

Kai Aegis
Kai AegisJul 9, 20265 min read