GitHub CodeQL gets declarative sanitizers and validators — no QL code required
Why it matters
GitHub enabled declarative definition of sanitizers and validators in CodeQL 2.25.2 through YAML, without writing QL code. Eight languages are supported (C/C++, C#, Go, Java/Kotlin, JS/TS, Python, Ruby, Rust), democratizing static security analysis for teams without QL experts.
GitHub expanded the models-as-data approach in CodeQL version 2.25.2 with a new capability that enables defining sanitizers and validators through YAML, without the need to write queries in the QL language.
What are sanitizers and validators?
Sanitizers are functions that clean input data of potentially dangerous content — for example, stripping HTML tags before output. Validators are functions that return a boolean result and signal whether data is safe for further processing. In CodeQL terminology, sanitizers are modeled as barriers (interruptions to the flow of tainted data), and validators as barrier guards (conditional interruptions). Until now, teams had to write their own QL queries for CodeQL to recognize their internal security functions. The new extensible predicates barrierModel and barrierGuardModel can now be populated through a YAML model pack.
Supported languages and practical impact
The feature covers eight programming languages: C/C++, C#, Go, Java/Kotlin, JavaScript/TypeScript, Python, Ruby, and Rust. For each language, a team can define their own inputs, outputs, and conditions without deep knowledge of QL. GitHub describes this shift as a democratization of static security analysis. Organizations that have their own helper functions for escaping SQL queries, sanitizing HTML, or validating JWT tokens can now add these patterns to the standard CodeQL scanner through a pull request in their model pack repository.
Who should try this?
This is expected to benefit most security teams working in larger monorepos with internal security libraries, as well as open-source maintainers who want coverage of their utility functions. The feature is available with CodeQL 2.25.2 from April 2026. For small teams already using GitHub Advanced Security, this is a low-risk way to expand coverage without engaging a QL specialist. A typical use case is an organization that has written its own function for escaping user input before it reaches SQL queries. Without such an extension, CodeQL would still report false-positive SQL injection warnings even though the data is actually safe. By adding a YAML entry to the model pack, these false positives are eliminated and analysis remains consistent across pull requests. Documentation and examples of YAML extensions are available in the official CodeQL repository, and GitHub has announced further expansion through quarterly updates.
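As an added illustration of the SQL-escaping use case above (constructed for this article, not a model pack from GitHub or the announcement), a minimal CodeQL model pack that declares a sanitizer through the `barrierModel` extensible predicate. The `qlpack.yml` keys and the `extensions`/`addsTo`/`extensible`/`data` structure are the existing models-as-data format; the column layout of the `barrierModel` row is an assumption modeled on the `sinkModel` layout, and `com.example.security.SqlEscaper` is a hypothetical internal helper, so check the row schema against the CodeQL 2.25.2 documentation for your language before relying on it.

```yaml
# File: qlpack.yml  (constructed example of a model pack manifest)
name: example-org/java-security-models      # hypothetical pack name
version: 0.1.0
library: true
extensionTargets:
  codeql/java-all: "*"                      # the library pack this extends
dataExtensions:
  - models/**/*.yml                         # where the YAML rows below live
---
# File: models/sql-barriers.model.yml  (constructed example)
# ASSUMPTION: the barrierModel row layout is taken to mirror sinkModel:
#   package, type, subtypes, name, signature, ext, input, kind, provenance
# Verify this against the CodeQL 2.25.2 docs; the structure around it
# (extensions / addsTo / extensible / data) is the standard models-as-data form.
extensions:
  - addsTo:
      pack: codeql/java-all
      extensible: barrierModel
    data:
      # Sanitizer: the value returned by SqlEscaper.escape(String) is treated
      # as a barrier for the "sql-injection" taint kind, so a tainted string
      # that passes through it no longer reaches a SQL sink as a finding.
      # (SqlEscaper is hypothetical; "manual" marks a hand-written model.)
      - ["com.example.security", "SqlEscaper", false, "escape", "(String)", "",
         "ReturnValue", "sql-injection", "manual"]
```

A boolean validator such as `isSafePath(String)` goes into a second `addsTo` entry targeting `barrierGuardModel` in the same pack; its row must additionally tell CodeQL which branch (true or false) guards the value, so take that column layout from the documentation rather than from this example.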
This article was generated using artificial intelligence from primary sources.