Scan AI App Code for System Prompt Injection with CodeQL 2.26.0
GitHub's CodeQL 2.26.0 adds a JavaScript and TypeScript query for system prompt injection, giving teams a static-analysis check for AI app code before untrusted input reaches model instructions.
Confirmed: GitHub's CodeQL 2.26.0 adds a JavaScript and TypeScript query named js/system-prompt-injection. The query looks for untrusted user-controlled values that flow into an AI model's system prompt, where they can change model behavior. This is a broad application-security update for teams shipping AI apps, agents, coding workflows, or CI/CD automations that pass user input into model instructions.

Image source: GitHub Changelog.
What changed
GitHub says CodeQL 2.26.0 adds Kotlin 2.4.0 support, improves analysis accuracy across several languages, and adds AI-specific prompt-injection coverage for JavaScript and TypeScript. The headline for AI teams is the new js/system-prompt-injection query.
The CodeQL release notes also list additional prompt-injection sinks for OpenAI, Anthropic, and Google GenAI SDK APIs. That includes OpenAI Sora prompts, OpenAI Realtime session instructions, Anthropic legacy completion prompts, and Google GenAI cached content and system instructions.
| Area | CodeQL 2.26.0 change | Who should check it | Caveat |
|---|---|---|---|
| JavaScript/TypeScript AI apps | New js/system-prompt-injection query | Teams passing user input into model instructions | Findings still need code review |
| SDK coverage | More OpenAI, Anthropic, and Google GenAI sinks | Agent, media, realtime, and cached-context apps | Verify your SDK version and call patterns |
| C# | Razor Page handler parameters modeled as remote flow sources | ASP.NET teams using CodeQL for injection checks | May surface new findings in existing code |
| Go | log/slog modeled for logging queries | Services using Go 1.21+ structured logging | Tune alert handling for noisy logs |
| GitHub code scanning | New CodeQL versions deploy automatically on github.com | GitHub-hosted code scanning users | GHES users may need a manual upgrade |
Why this is early
The release is fresh: GitHub published the changelog on July 10, 2026, and the CodeQL CLI release notes are dated July 8, 2026. Prompt injection has usually been handled through runtime filtering, app architecture, or manual reviews. This update moves part of the risk into static analysis, where teams can catch dangerous data flows before deployment.
The source text contains the phrase "system prompt" because that is the technical subject of the release. LinkLoot treated it as source material only and verified the facts against the CodeQL release notes plus independent research context on prompt injection in AI-powered CI/CD.
Key takeaways
- CodeQL 2.26.0 adds a JavaScript/TypeScript query for system prompt injection.
- The release expands AI SDK sink coverage across OpenAI, Anthropic, and Google GenAI APIs.
- GitHub says new CodeQL versions are automatically deployed for code scanning on github.com.
- GitHub Enterprise Server users on older versions should check whether they need a manual CodeQL upgrade.
- This is a detection layer, not a full prompt-injection defense.
Availability and access
GitHub says every new CodeQL version is automatically deployed to users of GitHub code scanning on github.com. The CodeQL 2.26.0 functionality will also be included in a future GitHub Enterprise Server release. If you run an older GHES version, GitHub points admins to manual CodeQL upgrades.
For local or CI usage, check the CodeQL CLI version and the query packs your workflow uses. The new query is only useful when the relevant JavaScript/TypeScript analysis runs against code paths that build prompts, system instructions, realtime sessions, cached model context, or agent configuration.
Practical LinkLoot angle
Use this as a review trigger for AI app code, not as a reason to relax runtime controls. Start with repositories where users can influence assistant instructions, agent plans, retrieval content, tool descriptions, workflow files, or prompts sent to OpenAI, Anthropic, or Google GenAI APIs.
The practical workflow is simple: update CodeQL, run it on AI-facing services, triage js/system-prompt-injection findings, and add tests for the prompt-building paths you fix. Teams building agents should pair this with LinkLoot's AI agent tools guide when comparing code-scanning, sandboxing, approval, and audit layers.
What to verify before you act
- Confirm your GitHub code scanning workflow is using CodeQL 2.26.0 or newer.
- Check whether your GHES environment needs a manual CodeQL CLI or query-pack upgrade.
- Review all prompt-building code paths that combine system instructions with user, document, web, issue, PR, or tool output.
- Treat CodeQL alerts as a starting point; still review tool permissions, secrets exposure, CI tokens, and runtime isolation.
- Re-run tests after changing prompt construction so security fixes do not break expected model behavior.
Source check
Confirmed by: GitHub's changelog announces CodeQL 2.26.0, Kotlin 2.4.0 support, the js/system-prompt-injection query, added SDK sinks, and automatic deployment to github.com code scanning users. The CodeQL release notes corroborate the new query, the additional OpenAI, Anthropic, and Google GenAI sinks, and other language-library changes.
Independent context: The GitInject arXiv paper documents prompt-injection attacks in AI-powered CI/CD pipelines and explains why untrusted content plus elevated repository permissions create supply-chain risk. That paper is context for why the CodeQL query matters; it is not evidence that CodeQL catches every attack class.
It added js/system-prompt-injection, a JavaScript and TypeScript query that detects untrusted user-controlled values flowing into AI model system prompts.
