GitHub Launches Declarative Security Modeling in CodeQL for Faster, Custom Analysis

Breaking: GitHub Unveils Declarative Security Modeling in CodeQL

GitHub has released a major update to its CodeQL static analysis engine that lets developers define custom sanitizers and validators through its declarative “models-as-data” framework, in which a library’s security behaviour is written as rows of YAML data rather than as QL code. According to the official announcement, this considerably simplifies how teams extend security policies across large codebases.

GitHub Launches Declarative Security Modeling in CodeQL for Faster, Custom Analysis
Source: www.infoq.com

“With models-as-data, developers can now specify custom security rules without writing complex query logic,” said Dr. Jane Smith, a senior security researcher at GitHub. “This reduces the barrier to entry for precise, scalable analysis.”

Background

CodeQL is GitHub’s flagship static analysis tool, used by security teams to detect vulnerabilities in open-source and enterprise repositories. Previously, customizing sanitizers (functions that neutralize untrusted input before it reaches a dangerous operation) and validators (functions whose result establishes that an input is safe to use) required deep knowledge of QL, CodeQL’s own query language.

“Teams often struggled to adapt CodeQL to their specific frameworks and libraries,” noted Alex Rivera, a security engineer at Snyk. “This update changes that by making customization as simple as defining a data model.”

The new declarative approach lets users describe how tainted data moves through their code in a YAML data-extension file: where it enters (sources), where it must not reach (sinks), how it passes through library calls (summaries), and now which functions sanitize or validate it. GitHub says this drastically cuts the time needed to tailor analysis to custom projects.
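The following data-extension file is an added example in the established CodeQL models-as-data format; it is not taken from the announcement or from GitHub’s published model packs. It models a hypothetical in-house Java framework (the packages com.acme.web, com.acme.db and com.acme.util and their classes are invented for illustration) using the four row types the Java model packs already use: a source, a sink, a taint-propagating summary and a neutral. The sanitizer and validator rows the announcement describes are not shown, because the page gives no syntax for them.

```yaml
# Added example (not from the page): models-as-data extension for a hypothetical
# in-house Java framework. All package, class and method names are invented.
extensions:
  # Source: every value returned by HttpRequest.param(String) is remote user input.
  - addsTo:
      pack: codeql/java-all
      extensible: sourceModel
    data:
      # package, type, subtypes, name, signature, ext, output, kind, provenance
      - ["com.acme.web", "HttpRequest", True, "param", "(String)", "", "ReturnValue", "remote", "manual"]

  # Sink: the first argument of Db.rawQuery(String) is executed as SQL.
  - addsTo:
      pack: codeql/java-all
      extensible: sinkModel
    data:
      # package, type, subtypes, name, signature, ext, input, kind, provenance
      - ["com.acme.db", "Db", True, "rawQuery", "(String)", "", "Argument[0]", "sql-injection", "manual"]

  # Summary: taint on the argument of Strings.trimAll(String) reaches its return value.
  - addsTo:
      pack: codeql/java-all
      extensible: summaryModel
    data:
      # package, type, subtypes, name, signature, ext, input, output, kind, provenance
      - ["com.acme.util", "Strings", False, "trimAll", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]

  # Neutral: Sql.escape(String) has been reviewed and propagates no taint from its
  # argument to its result, so the analysis never guesses a flow step through it.
  - addsTo:
      pack: codeql/java-all
      extensible: neutralModel
    data:
      # package, type, name, signature, kind, provenance
      - ["com.acme.db", "Sql", "escape", "(String)", "summary", "manual"]
```

Placed in a CodeQL pack that lists the file under `dataExtensions`, these rows let the standard `java/sql-injection` query report a path from `HttpRequest.param(...)` through `Strings.trimAll(...)` into `Db.rawQuery(...)` without any QL being written. Each `data` row must have exactly the column count of its extensible predicate; a row with a missing column is the most common mistake when models are edited by hand.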

What This Means

For developers, the update means faster, more flexible security analysis without sacrificing accuracy. Instead of waiting for GitHub to add official support for every third-party library, teams can now model their own security rules.


“This is a game-changer for organizations using in-house frameworks,” said Dr. Smith. “It empowers them to catch vulnerabilities that generic analysis would miss.”

Security teams can also share these models across their organization, promoting consistent policy enforcement. The declarative format reduces the risk of errors from hand-written queries.
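Sharing models across an organization means packaging the extension files as a CodeQL model pack. This `qlpack.yml` is an added example, not something the page or GitHub supplies; the pack name `acme/java-models` and the `models/` directory are assumptions.

```yaml
# Added example (not from the page): qlpack.yml for a shareable model pack.
# "acme/java-models" and the models/ directory are invented for illustration.
name: acme/java-models
version: 1.0.0
library: true
# The models extend the standard Java library pack; "*" accepts any version of it.
extensionTargets:
  codeql/java-all: "*"
# Every YAML file under models/ is loaded as a data extension.
dataExtensions:
  - models/**/*.yml
```

`codeql pack publish` pushes the pack to the GitHub Container Registry; consumers then list it in the `packs` input of the `github/codeql-action/init` step, or pass it to `codeql database analyze` with `--model-packs`, so every repository evaluates the same models at the same version.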

Quotes from the Community

“By making custom sanitizers and validators a data configuration, GitHub is lowering the barrier to advanced static analysis,” commented Mark Tran, CTO of DevSecOps firm ShieldIO. “I expect widespread adoption among enterprise teams.”

However, some experts caution that the new flexibility comes with a learning curve. “Teams unfamiliar with dataflow modeling may need initial training,” Rivera added. “But the long-term gains in efficiency are undeniable.”

Related Enhancements

Alongside the declarative modeling, GitHub has improved CodeQL’s performance for large monorepos. The engine now supports incremental analysis, scanning only changed files rather than the entire codebase.

These updates are available immediately in GitHub Enterprise and GitHub.com for all repositories using CodeQL. No additional configuration is required to start using models-as-data.

This is a developing story. Check back for updates.
