CodeQL prompt injection QA checks became more concrete this week. On July 10, 2026, GitHub highlighted CodeQL 2.26.0, including a new JavaScript and TypeScript query named js/system-prompt-injection.

The practical point: CodeQL can now flag cases where untrusted user-provided values flow into an AI model’s system prompt. For teams building AI features, chat workflows, agent tools, or LLM-backed test helpers, this turns one important prompt-injection risk into something that can be scanned during code review.

What GitHub announced

  • New AI security query: CodeQL 2.26.0 adds js/system-prompt-injection for JavaScript and TypeScript projects.
  • Prompt-injection sinks expanded: GitHub says prompt-injection sinks now cover more OpenAI, Anthropic, and Google GenAI SDK APIs, including OpenAI Realtime session instructions and Google GenAI system instructions.
  • Code scanning rollout: GitHub says new CodeQL versions are automatically deployed for GitHub code scanning on github.com, with the functionality planned for a future GitHub Enterprise Server release.
  • Other security coverage: the release also adds Kotlin 2.4.0 support and improves analysis across C#, Go, Python, Swift, and GitHub Actions.

Why this matters for QA engineers

Prompt injection is no longer only a red-team exercise after an AI feature is built. If user input can reach a system prompt, model instruction, cached content field, or agent instruction layer, QA teams need evidence that the application blocks or isolates that path.

  • AI app reviews get earlier signal: QA and security reviewers can catch risky prompt construction before manual abuse testing starts.
  • Test scope becomes clearer: a CodeQL alert can point testers to the exact flow that needs negative tests, sanitization checks, or design review.
  • Agent workflows need guardrails: any AI agent that receives repository text, ticket content, chat messages, logs, or uploaded files should keep that untrusted content out of system-level instructions.
  • CI can enforce review gates: teams using GitHub code scanning can turn these alerts into pull-request evidence for AI feature changes.

A practical QA checklist

  • Confirm CodeQL scanning is enabled for JavaScript and TypeScript AI application repositories.
  • Review any js/system-prompt-injection alert with the feature owner before treating it as a simple false positive.
  • Add negative tests where user-controlled text includes instruction-like content such as role changes, tool-use requests, data exfiltration requests, or policy override language.
  • Check OpenAI, Anthropic, and Google GenAI integration code for places where user input is combined with system instructions or cached model context.
  • Require a passing CodeQL/code-scanning result before merging AI workflow changes that touch prompt assembly, agent instructions, or tool permissions.

Bottom line

GitHub’s CodeQL 2.26.0 update is useful because it brings prompt-injection risk into normal static-analysis and pull-request workflows. QA engineers should use it as an early warning system, then pair it with targeted adversarial tests and runtime checks before trusting AI features in production.

Sources