We’ve added support for Rust and scanning C/C++ projects without builds in CodeQL, the engine powering GitHub code scanning. Both of these initiatives have ended their public preview and are now generally available.

Rust

Rust joins the list of generally available languages (C/C++, Java/Kotlin, JS/TS, Python, Ruby, C#, Go, GitHub Actions, and Swift) for CodeQL. Developers working on Rust libraries and apps can now benefit from our best-in-class code security analysis. We now identify issues for all OWASP Top 10 categories, except A06:2021-Vulnerable and Outdated Components, where we rely on Dependabot to find and fix vulnerable components. The complete list of queries available for Rust is in the CodeQL documentation.

Code scanning for Rust repositories is supported for both default setup and advanced setup, and alerts will benefit from fix recommendations generated by Copilot Autofix.

C/C++

The ability for CodeQL to scan C/C++ projects without building the code is also now generally available. During the public preview period, we enabled over 10,000 repositories with a success rate of over 70% and no manual intervention.
The changes introduced during the public preview will remain in effect going forward: default setup will continue to use build mode none for all newly configured repositories.

This transition to a new way of scanning C/C++ has enabled customers to significantly improve the speed of adoption. One of our customers has been able to successfully enable and scan over 1,400 repositories with CodeQL in less than 48 hours. A similar effort would have taken significantly longer before this change.
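
For repositories on advanced setup, the same build mode can be requested in the workflow file. The following is an added example, not taken from this announcement: the workflow name, triggers, runner label and action version tags are assumptions to adapt to your repository.

```yaml
# Added example: advanced-setup code scanning workflow that analyzes
# C/C++ and Rust with build mode none (no compilation step).
# Assumed values: workflow name, branch names, runner label, version tags.
name: CodeQL (advanced setup)

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Read-only token by default; the job below widens only what it needs.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload code scanning alerts
    strategy:
      fail-fast: false         # one language failing should not cancel the other
      matrix:
        include:
          - language: c-cpp
            build-mode: none   # analyze sources without building the project
          - language: rust
            build-mode: none
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
      - uses: github/codeql-action/analyze@v3
        with:
          category: /language:${{ matrix.language }}
```

Where build mode none does not produce a usable analysis for a C/C++ repository, change the `c-cpp` entry to `autobuild` or `manual`, the action's other build modes, and add the build steps between `init` and `analyze` for `manual`.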

Figure: A line graph showing the number of C/C++ repositories enabled with CodeQL over a period of time ranging from August 17, 2025 to October 12, 2025. The graph has a jump of approximately 1,400 repositories over a two-day period, from August 26 to August 28.

Support for Rust and scanning C/C++ without builds is now available on github.com, CodeQL CLI 2.23.3, and on GitHub Enterprise Server starting with version 3.20.