{"slug": "codeql-2-26-github-scans-ai-code-for-prompt-injection", "title": "CodeQL 2.26: GitHub Scans AI Code for Prompt Injection", "summary": "GitHub released CodeQL 2.26.0 on July 10 with a new static analysis query that detects prompt injection vulnerabilities in JavaScript and TypeScript AI applications. The query, js/system-prompt-injection, uses taint analysis to trace untrusted user input flowing into AI model system prompts for OpenAI, Anthropic, and Google GenAI SDKs, flagging risks before code ships. The release follows CISA adding the Langflow AI agent platform to its Known Exploited Vulnerabilities catalog, highlighting the need for proactive security in AI code.", "body_md": "GitHub shipped [CodeQL 2.26.0 on July 10](https://github.blog/changelog/2026-07-10-codeql-2-26-0-adds-kotlin-2-4-0-support-and-ai-prompt-injection-detection/) with a new static analysis query — `js/system-prompt-injection`\n\n— that traces untrusted user input flowing into AI model system prompts in JavaScript and TypeScript. If your Node.js app passes a request body value into an OpenAI, Anthropic, or Google GenAI SDK system prompt, CodeQL flags it in CI before the code ships. Prompt injection has been the [OWASP LLM #1 risk](https://genai.owasp.org/llmrisk/llm01-prompt-injection/) since 2024. It took until now to get native static detection in a mainstream CI tool.\n\n## What the Query Actually Does\n\nThe `js/system-prompt-injection`\n\nquery uses taint analysis — the same technique CodeQL uses to detect SQL injection. It statically traces data flow from untrusted sources (HTTP request parameters, user input, form data) to AI SDK sinks where that data could control model behavior. If the chain is intact, CodeQL raises a SARIF alert showing every step of the contamination path from source to sink.\n\nThe vulnerable pattern it targets looks like this:\n\n```\n// CodeQL flags this — req.body.userInstruction reaches the system prompt\nconst response = await openai.chat.completions.create({\n  model: \"gpt-5\",\n  messages: [\n    { role: \"system\", content: req.body.userInstruction },\n    { role: \"user\", content: userMessage }\n  ]\n});\n```\n\nAn attacker who controls `req.body.userInstruction`\n\ncan override your intended system behavior, redirect tool use, or exfiltrate data the model has access to. CodeQL now catches this at the PR stage rather than in production logs.\n\n## SDK Coverage\n\nThe 2.26.0 release expanded prompt injection sinks to cover a broader set of AI SDK APIs:\n\n**OpenAI:** Sora prompts, Realtime session instructions**Anthropic:** Fable 5 system prompts, legacy completion prompts**Google GenAI:** Cached content,`system_instruction`\n\nfield\n\nThis covers the three SDKs most developers are actually shipping with. If you are using any of them in a JavaScript or TypeScript backend and constructing system prompts dynamically from user data, you are in scope for this query.\n\n## Why This Release Lands When It Does\n\nThe timing is not coincidental. On July 7, CISA added [Langflow (CVE-2026-33017)](https://www.cisa.gov/news-events/alerts/2026/03/25/cisa-adds-one-known-exploited-vulnerability-catalog) to the Known Exploited Vulnerabilities catalog — the first AI agent platform to make it in. The RCE was exploited within 20 hours of public disclosure. Attackers systematically pulled OpenAI, Anthropic, and AWS API keys from compromised instances. It is the clearest illustration yet of what happens when AI code is not treated with the same security rigor as the rest of your stack.\n\nCodeQL 2.26 is the tooling response: instead of waiting for a runtime incident, shift the detection left into code review. A developer submits a PR with a vulnerable AI call, CodeQL raises an alert, and Copilot Autofix can propose a fix — before any user has ever touched the endpoint.\n\n## How to Enable It\n\nIf you are on GitHub.com with [GitHub Advanced Security and code scanning already configured](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql), you do not need to do anything. CodeQL 2.26 is automatically deployed, and the new query runs under the `security-extended`\n\nsuite. It will appear on your next scheduled scan or PR trigger.\n\nFor the CodeQL CLI:\n\n```\ncodeql database upgrade\ncodeql database analyze --format=sarif-latest   --output=results.sarif   javascript-security-extended.qls\n```\n\n## What It Does Not Catch\n\nThe `js/system-prompt-injection`\n\nquery is JavaScript and TypeScript only. If your AI backend is Python — which describes the majority of production AI systems — you get nothing from this release. CodeQL’s Python support exists, but prompt injection modeling has not been extended there yet.\n\nStatic analysis also cannot detect indirect prompt injection: an attacker who places malicious instructions in a document, email, or web page that your AI agent later reads and processes. That attack surface requires runtime monitoring, not code scanning. Same for RAG poisoning and multi-turn conversation hijacking.\n\nWhat CodeQL catches is the straightforward case: developer code that directly wires user input to a system prompt. It is the most preventable class of the vulnerability, which makes it the right place to start — but the rest remains unaddressed.\n\n## The Bigger Picture\n\nSecurity teams have spent years building tooling that catches SQL injection, XSS, and path traversal at the code level. The same discipline is only now reaching AI-specific vulnerabilities. CodeQL 2.26 is early — incomplete language coverage, no runtime dimension — but it marks the point where prompt injection becomes part of the standard security scan rather than a specialty concern that most teams quietly ignore.\n\nIf you are shipping JavaScript or TypeScript AI code, run the scan. If you find alerts, fix them. If you are on Python, keep watching the CodeQL changelog — the gap will close, probably faster than most things have moved in this space.", "url": "https://wpnews.pro/news/codeql-2-26-github-scans-ai-code-for-prompt-injection", "canonical_source": "https://byteiota.com/codeql-2-26-github-scans-ai-code-for-prompt-injection/", "published_at": "2026-07-14 19:09:53+00:00", "updated_at": "2026-07-14 19:31:13.125894+00:00", "lang": "en", "topics": ["ai-safety", "ai-tools", "developer-tools", "artificial-intelligence"], "entities": ["GitHub", "CodeQL", "OpenAI", "Anthropic", "Google GenAI", "CISA", "Langflow", "OWASP"], "alternates": {"html": "https://wpnews.pro/news/codeql-2-26-github-scans-ai-code-for-prompt-injection", "markdown": "https://wpnews.pro/news/codeql-2-26-github-scans-ai-code-for-prompt-injection.md", "text": "https://wpnews.pro/news/codeql-2-26-github-scans-ai-code-for-prompt-injection.txt", "jsonld": "https://wpnews.pro/news/codeql-2-26-github-scans-ai-code-for-prompt-injection.jsonld"}}