GitHub Enhances CodeQL with Declarative Security Modeling for Faster, More Flexible Analysis

TL;DR · AI Summary
GitHub has added declarative security modeling to CodeQL, allowing data-flow policies and trust boundaries to be defined in YAML, which markedly improves the development efficiency of custom vulnerability detection and the flexibility of cross-language coverage.
Key points
- Declarative modeling decouples security rules from code logic into versionable configuration
- YAML-driven security policies support rapid iteration and collaborative team review
- The new capability lowers the bar for writing complex CodeQL queries and speeds up SDL integration
May 05, 2026 · 3 min read
by Craig Risi
GitHub has introduced a significant update to its CodeQL engine, enabling developers to define custom sanitizers and validators directly through "models-as-data," a move that simplifies how teams extend security analysis across their codebases. The update allows engineers to configure how trusted and validated data is handled without writing custom CodeQL queries, marking a shift toward more accessible and scalable application security practices.
The enhancement addresses a key limitation in traditional static analysis workflows, where extending detection logic often required deep expertise in query languages. With the new approach, teams can define these behaviors declaratively using YAML-based data extensions, making it easier to adapt CodeQL to project-specific frameworks, internal libraries, and custom validation logic.
At the core of the update is improved control over taint tracking, a method used to trace how untrusted data flows through an application. CodeQL now allows developers to define sanitizers (functions that clean or neutralize data) and validators (checks that confirm data safety) as "barriers" and "barrier guards." These constructs determine where potentially unsafe data should stop propagating through the system.
Two new extensible predicates, `barrierModel` and `barrierGuardModel`, enable this functionality. The former stops tainted data flow when a function is known to sanitize inputs, while the latter halts propagation when a validation condition is met. Previously, implementing this required writing custom CodeQL logic; now it can be done declaratively, reducing complexity and lowering the barrier to entry for teams adopting advanced security analysis.
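To make the distinction between a barrier (a sanitizing call) and a barrier guard (a validating condition) concrete, here is a toy taint tracker written for this article; it is an added example, not CodeQL's engine or its YAML schema. The mini-IR, the `MODELS` table (standing in for a YAML data extension) and every function name in it are constructed; the point is that the tracker stays generic while the sanitizer and validator names are data.

```python
"""Toy taint tracker showing CodeQL-style barriers and barrier guards (constructed example)."""
from dataclasses import dataclass

# Constructed stand-in for a models-as-data YAML extension: names only, no query code.
MODELS = {
    "barrierModel": {"html_escape"},        # sanitizer: its return value is clean
    "barrierGuardModel": {"is_valid_id"},   # validator: argument is clean inside the guarded branch
}


@dataclass
class Finding:
    sink_line: int
    var: str


def track(program, models):
    """Walk a mini-IR program and return the sinks reached by tainted data.

    Statement forms (constructed for this example):
      ("source", var)               -> var holds untrusted input
      ("call", var, fname, arg)     -> var = fname(arg)
      ("guard", fname, arg, body)   -> if fname(arg): body (a nested statement list)
      ("sink", var)                 -> dangerous use of var
    """
    findings = []

    def walk(stmts, tainted, line):
        for stmt in stmts:
            line += 1
            kind = stmt[0]
            if kind == "source":
                tainted = tainted | {stmt[1]}
            elif kind == "call":
                _, var, fname, arg = stmt
                if fname in models["barrierModel"]:
                    tainted = tainted - {var}      # barrier: sanitizer output is clean
                elif arg in tainted:
                    tainted = tainted | {var}      # ordinary call: taint flows through
                else:
                    tainted = tainted - {var}
            elif kind == "guard":
                _, fname, arg, body = stmt
                inner = tainted
                if fname in models["barrierGuardModel"]:
                    inner = tainted - {arg}        # barrier guard: arg is clean only inside the branch
                line = walk(body, inner, line)
            elif kind == "sink" and stmt[1] in tainted:
                findings.append(Finding(line, stmt[1]))
        return line

    walk(program, frozenset(), 0)
    return findings


PROGRAM = [                                      # constructed sample program
    ("source", "user_id"),                       # line 1: untrusted input
    ("call", "page", "render", "user_id"),       # line 2: taint flows through render
    ("sink", "page"),                            # line 3: reported
    ("call", "safe", "html_escape", "user_id"),  # line 4: barrier stops the flow
    ("sink", "safe"),                            # line 5: clean
    ("guard", "is_valid_id", "user_id", [        # line 6: barrier guard
        ("sink", "user_id"),                     # line 7: clean inside the guarded branch
    ]),
    ("sink", "user_id"),                         # line 8: still tainted outside the guard
]


def run_demo(models=MODELS):
    return [(f.sink_line, f.var) for f in track(PROGRAM, models)]


if __name__ == "__main__":
    print(run_demo())  # [(3, 'page'), (8, 'user_id')]
```

Running the same program with an empty `MODELS` table flags all four sinks, which is the false-positive pattern the declarative barriers are meant to remove.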
The update applies across a wide range of programming languages, including C/C++, C#, Go, Java/Kotlin, JavaScript/TypeScript, Python, Ruby, and Rust. This broad support ensures that organizations with polyglot codebases can standardize how they model and enforce security rules without duplicating effort across different tooling or languages.
By allowing teams to encode knowledge about their own systems, such as internal sanitization functions or validation patterns, CodeQL can produce more accurate and context-aware results, reducing false positives and improving the detection of real vulnerabilities. This is particularly important in modern development environments where custom frameworks and abstractions can obscure traditional analysis.
The introduction of models-as-data reflects a broader trend in application security: moving from code-centric customization to data-driven configuration. Instead of writing and maintaining complex queries, teams can now manage security logic as structured data, making it easier to version, share, and scale across organizations.
This aligns with GitHub's ongoing efforts to integrate security more deeply into developer workflows, enabling teams to extend built-in tooling rather than relying on external or bespoke solutions. It also supports faster onboarding for security practices, as developers can adopt and adapt models without specialized training in CodeQL's query language.
Ultimately, the update aims to make advanced security analysis more accessible, flexible, and maintainable. By reducing the need for custom query development, GitHub is enabling more teams to tailor CodeQL to their specific environments, closing coverage gaps and improving vulnerability detection accuracy.
Other platforms are tackling challenges similar to GitHub's CodeQL update by making security modeling more accessible, integrated, and developer-friendly, though they differ in how they balance flexibility, usability, and depth of analysis.
For example, GitLab takes a more pipeline-centric approach, embedding static application security testing (SAST), dependency scanning, and secret detection directly into CI/CD workflows. Rather than exposing deep customization through query languages, GitLab emphasizes prebuilt rules and policy-driven enforcement, making it easier for teams to adopt security without needing specialized expertise. Similarly, Snyk focuses on developer-first security, automatically identifying vulnerabilities in code and dependencies and providing remediation guidance inline, prioritizing ease of use over deep customization.
On the more flexible and customizable end of the spectrum, tools like Semgrep offer an alternative model closer to what GitHub is evolving toward. Semgrep allows teams to define custom security rules using code-like patterns, avoiding the complexity of full query languages while still enabling tailored analysis. This makes it easier for developers to extend detection logic. Meanwhile, platforms such as SonarQube provide continuous code inspection, combining security, quality, and maintainability checks into a unified dashboard, with a strong focus on ongoing visibility rather than deep, query-driven modeling.
Across these approaches, a clear trend is emerging: while GitHub's CodeQL update moves toward data-driven, declarative security modeling, the broader ecosystem is converging on reducing friction, whether through simplified rule definitions, built-in policies, or tighter CI/CD integration. The key trade-off remains consistent: platforms must balance depth and precision of analysis with usability and scalability for everyday developers, and each tool is evolving along that spectrum in different ways.
About the Author

#### Craig Risi
Craig Risi is a man of many talents but has no sense of how to use them. He could be out changing the world but prefers to make software instead. He possesses a passion for software design, but more importantly software quality and designing systems in a technically diverse and constantly evolving tech world. Craig is also the writer of the book, Quality By Design: Designing Quality Software Systems, and writes regular articles on his blog sites and various other tech sites around the world. When not playing with software, he can often be found writing, designing board games, or running long distances for no apparent reason.