CodeQL prompt injection QA checks became more concrete this week. On July 10, 2026, GitHub highlighted CodeQL 2.26.0, including a new JavaScript and TypeScript query named js/system-prompt-injection.
The practical point: CodeQL can now flag cases where untrusted user-provided values flow into an AI model’s system prompt. For teams building AI features, chat workflows, agent tools, or LLM-backed test helpers, this turns one important prompt-injection risk into something that can be scanned during code review.
What GitHub announced
- New AI security query: CodeQL 2.26.0 adds
js/system-prompt-injectionfor JavaScript and TypeScript projects. - Prompt-injection sinks expanded: GitHub says prompt-injection sinks now cover more OpenAI, Anthropic, and Google GenAI SDK APIs, including OpenAI Realtime session instructions and Google GenAI system instructions.
- Code scanning rollout: GitHub says new CodeQL versions are automatically deployed for GitHub code scanning on github.com, with the functionality planned for a future GitHub Enterprise Server release.
- Other security coverage: the release also adds Kotlin 2.4.0 support and improves analysis across C#, Go, Python, Swift, and GitHub Actions.
Why this matters for QA engineers
Prompt injection is no longer only a red-team exercise after an AI feature is built. If user input can reach a system prompt, model instruction, cached content field, or agent instruction layer, QA teams need evidence that the application blocks or isolates that path.
- AI app reviews get earlier signal: QA and security reviewers can catch risky prompt construction before manual abuse testing starts.
- Test scope becomes clearer: a CodeQL alert can point testers to the exact flow that needs negative tests, sanitization checks, or design review.
- Agent workflows need guardrails: any AI agent that receives repository text, ticket content, chat messages, logs, or uploaded files should keep that untrusted content out of system-level instructions.
- CI can enforce review gates: teams using GitHub code scanning can turn these alerts into pull-request evidence for AI feature changes.
A practical QA checklist
- Confirm CodeQL scanning is enabled for JavaScript and TypeScript AI application repositories.
- Review any
js/system-prompt-injectionalert with the feature owner before treating it as a simple false positive. - Add negative tests where user-controlled text includes instruction-like content such as role changes, tool-use requests, data exfiltration requests, or policy override language.
- Check OpenAI, Anthropic, and Google GenAI integration code for places where user input is combined with system instructions or cached model context.
- Require a passing CodeQL/code-scanning result before merging AI workflow changes that touch prompt assembly, agent instructions, or tool permissions.
Bottom line
GitHub’s CodeQL 2.26.0 update is useful because it brings prompt-injection risk into normal static-analysis and pull-request workflows. QA engineers should use it as an early warning system, then pair it with targeted adversarial tests and runtime checks before trusting AI features in production.
