Luisa Crawford
Mar 24, 2026 14:38
GitHub’s CodeQL incremental analysis now runs up to 20% faster on pull requests across five major programming languages, with larger repositories seeing the biggest gains.
GitHub has rolled out significant performance improvements to CodeQL, its open-source static analysis engine, making security scans on pull requests considerably faster for developers working in C#, Java, JavaScript/TypeScript, Python, and Ruby.
The update, announced March 24, 2026, builds on the incremental analysis capabilities GitHub launched last year. Rather than scanning the entire codebase on every pull request, CodeQL now generates a separate database for new or modified code and combines it with a cached database of the existing codebase.
GitHub tested the improvements across more than 100,000 repositories, grouping them by typical scan duration. The results? Larger, more complex repositories, those taking over seven minutes for a non-incremental scan, saw the most dramatic improvements. Repositories in the three-to-seven-minute range also benefited meaningfully, while smaller projects under three minutes showed modest gains.
The timing matters for development teams. Slow security scans create friction in pull request workflows, and developers sometimes skip them entirely when deadlines loom. Faster scans mean security checks actually get run.
What’s Actually Changing
Incremental analysis is enabled by default for projects using the build mode none extraction mechanism, in both default and advanced setup configurations on github.com. If you run the CodeQL CLI locally, you will need to wait: GitHub says support for incremental scanning in the CLI is coming later.
One catch: the speed improvements only apply to repositories using GitHub’s default CodeQL query suite. Custom query configurations will not see the same benefits yet.
Part of a Bigger Push
This update follows a busy stretch for CodeQL development. Just last week, GitHub announced expanded application security coverage using AI-powered detections alongside CodeQL. And on March 18, CodeQL version 2.24.3 shipped with Java 26 support plus updated taint tracking and framework coverage.
GitHub has also been pairing CodeQL with Copilot to offer automated fix suggestions, essentially letting AI propose patches for the vulnerabilities CodeQL finds. For development teams juggling security requirements with shipping deadlines, faster scans combined with AI-assisted remediation could meaningfully change the economics of secure coding.
The incremental analysis improvements are live now for eligible repositories on github.com.
Image source: Shutterstock