{"slug": "build-a-prompt-injection-regression-fixture-for-codeql-2-26-0", "title": "Build a Prompt-Injection Regression Fixture for CodeQL 2.26.0", "summary": "GitHub announced CodeQL 2.26.0, which adds AI prompt-injection detection. A developer provided implementation templates for building a regression fixture to test prompt-injection detection, including positive and negative test cases and expected alert configurations. The fixture ensures that untrusted-to-model paths are tracked as executable repository contracts rather than just changelog items.", "body_md": "GitHub announced on July 10, 2026 that CodeQL 2.26.0 adds AI prompt-injection detection. Enabling a query is useful; owning a regression test is better.\n\nPrimary source: [GitHub Changelog, July 10, 2026](https://github.blog/changelog/2026-07-10-codeql-2-26-0-adds-kotlin-2-4-0-support-and-ai-prompt-injection-detection/).\n\nThe examples below are implementation templates, not results from a repository I tested.\n\nA useful fixture contains an untrusted source, prompt construction, and a model sink:\n\n```\nsecurity-fixtures/prompt-injection/\n├── positive/direct-flow.ts\n├── positive/helper-flow.ts\n├── negative/trusted-instruction.ts\n└── expected-alerts.json\n```\n\nDo not test for the literal phrase `ignore previous instructions`\n\n. Static analysis needs a data-flow path. Preserve a supported SDK call from your production stack so CodeQL can recognize the sink.\n\n``` js\n// Intentionally vulnerable fixture. Never ship this path.\nimport { model } from \"./supported-client\";\n\ndeclare function loadIssueBody(id: number): Promise<string>;\n\nexport async function summarize(id: number) {\n  const untrusted = await loadIssueBody(id);\n  return model.generate({\n    system: \"Summarize the issue\",\n    user: untrusted,\n  });\n}\n```\n\nAdd a second positive case that passes the value through a helper. Then add a negative control where attacker input cannot select or alter the instruction. A function named `sanitize()`\n\nis not evidence of sanitization.\n\nUploading SARIF alone does not create a regression gate. Commit the expected rule and fixture location:\n\n```\n{\n  \"required\": [\n    {\n      \"ruleId\": \"REPLACE_WITH_DOCUMENTED_RULE_ID\",\n      \"pathSuffix\": \"positive/direct-flow.ts\"\n    }\n  ],\n  \"forbiddenPathSuffixes\": [\"negative/trusted-instruction.ts\"]\n}\n```\n\nKeep the rule ID as a placeholder until it is copied from the CodeQL 2.26.0 documentation or an observed SARIF result. Machine-facing identifiers should never be guessed.\n\nA small assertion can compare `runs[].results[].ruleId`\n\nand each physical location against this file. Fail when a required alert disappears or a negative fixture starts alerting. Do not assert the total number of repository alerts; unrelated code changes make that brittle.\n\n| Result after upgrade | Action |\n|---|---|\n| Required alert remains | Continue normal review |\n| Required alert disappears | Block until query, model, build, or fixture changes are explained |\n| New positive location appears | Inspect and deliberately update expectations |\n| Negative control alerts | Revisit the mitigation assumption before suppressing |\n\nPin the CodeQL CLI or action version, record it in CI, and run the fixture on a disposable database. Keep runtime adversarial tests too: static analysis cannot prove how a model will react, and custom wrappers or unsupported SDKs may not be modeled.\n\nThe goal is intentionally narrow: make one important untrusted-to-model path an executable repository contract instead of a changelog checkbox.", "url": "https://wpnews.pro/news/build-a-prompt-injection-regression-fixture-for-codeql-2-26-0", "canonical_source": "https://dev.to/jaryn_123/build-a-prompt-injection-regression-fixture-for-codeql-2260-42ap", "published_at": "2026-07-16 04:00:01+00:00", "updated_at": "2026-07-16 04:04:52.413047+00:00", "lang": "en", "topics": ["ai-safety", "developer-tools"], "entities": ["GitHub", "CodeQL"], "alternates": {"html": "https://wpnews.pro/news/build-a-prompt-injection-regression-fixture-for-codeql-2-26-0", "markdown": "https://wpnews.pro/news/build-a-prompt-injection-regression-fixture-for-codeql-2-26-0.md", "text": "https://wpnews.pro/news/build-a-prompt-injection-regression-fixture-for-codeql-2-26-0.txt", "jsonld": "https://wpnews.pro/news/build-a-prompt-injection-regression-fixture-for-codeql-2-26-0.jsonld"}}