THE SHORT VERSION

A clean scan does not make a prompt safe; separate trusted instructions from user content, minimize tool permissions, and test the full data path.

CodeQL 2.26.0 adds a JavaScript and TypeScript query that detects when untrusted, user-controlled values flow into an AI model’s system prompt. The release also expands modeled prompt-injection sinks across several AI SDK APIs.

This is a useful shift from searching for suspicious strings to tracing data flow. The security question becomes: can content controlled by someone else reach the instruction channel that defines how the model should behave?

What the new query covers

The `js/system-prompt-injection` query targets untrusted values reaching a system prompt. GitHub also added sinks for APIs involving OpenAI Realtime instructions, Anthropic legacy completion prompts, Google GenAI cached content and system instructions, and other SDK surfaces.

CodeQL 2.26.0 is automatically deployed to GitHub.com code scanning users. GitHub Enterprise Server customers will receive it in a future release or can manually upgrade CodeQL on older versions.

What static analysis cannot decide for you

A tool can identify a data path, but it cannot fully determine the business consequence of a manipulated prompt. Impact depends on what tools the model can call, what data it can retrieve, whether actions require approval, and whether output reaches another trusted system.

Review each finding in context. A summarizer with no tools has a different risk profile from an agent that can send email, modify records, or execute deployment commands.

Build defense around the model

Keep trusted instructions separate from retrieved or user-provided text, label untrusted content, validate tool arguments, use least-privilege credentials, and require confirmation for consequential actions. Add adversarial test cases to CI so a fixed flow does not quietly reappear.

  • Trace the source of every value inserted into system instructions.
  • Limit tools and data to the current task.
  • Validate outputs before they become commands or database changes.
  • Log model actions without exposing secrets in the log itself.
Primary sources
Editorial note

PatchMemo independently selects and evaluates the topics it covers. We clearly label sponsorships and affiliate relationships.