
GitHub CodeQL adds Rust sanitizers and validators to models-as-data

GitHub let Rust teams model sanitizers and validators in CodeQL data extensions. That cuts blind spots and gives code scanning more local context.

Jamie Taylor · 2 min read
Source: github.blog

GitHub pushed CodeQL deeper into Rust security analysis on April 21, adding support for custom sanitizers and validators in models-as-data alongside C/C++, C#, Go, Java/Kotlin, JavaScript/TypeScript, Python, and Ruby. For Rust teams using GitHub code scanning, the practical shift is simple but important: application-specific cleaning and validation logic can now be encoded directly into data extensions instead of waiting for a language pack or query update to catch up.

That matters because many of the most useful security findings depend on the scanner understanding when untrusted input has been neutralized, normalized, or otherwise made safe before it reaches a sink. In large Rust codebases with wrapper crates, internal helper functions, and custom request pipelines, generic default models can miss the real flow of data. By letting teams describe their own sanitizers and validators, GitHub gave security engineers a way to feed local knowledge into the analysis itself, which should make alerts more accurate and easier to prioritize.
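As an added illustration (not code from the article, from GitHub, or from the CodeQL project), the Rust below shows the two shapes of code a team would want to declare to a taint-tracking scanner: a sanitizer, which returns a cleaned copy of untrusted data, and a validator, which returns a verdict about the original data so that only the branch guarded by `true` is safe. The function names and the filename policy are assumptions made for the example; the article does not give the data-extension syntax, so none is shown here.

```rust
// Added example (not from the article or from CodeQL): the two shapes of
// "safe-making" code a team would model for a taint-tracking scanner.
// A sanitizer returns a cleaned copy of the data; a validator returns a
// verdict about the original data, so only the branch guarded by `true`
// is safe. Function names and the filename policy are assumptions.
use std::path::{Component, Path, PathBuf};

/// Sanitizer: builds a new filename from untrusted input by keeping only an
/// allowlist of characters. Anything flowing *out* of this function is clean,
/// which is exactly what a sanitizer model tells the scanner.
pub fn sanitize_filename(untrusted: &str) -> String {
    let cleaned: String = untrusted
        .chars()
        .filter(|c| c.is_ascii_alphanumeric() || matches!(*c, '-' | '_' | '.'))
        .collect();
    // "." and ".." survive the allowlist but are directory references, not
    // filenames; replace them (and the empty string) with a fixed fallback.
    if cleaned.trim_matches('.').is_empty() {
        "_".to_string()
    } else {
        cleaned
    }
}

/// Validator: does not modify the input. It only reports whether the path is
/// a plain relative path made of normal components (no root, no `..`, no
/// prefix). A validator model tells the scanner that the *argument* is clean
/// on the branch where this returned `true`, and still tainted elsewhere.
pub fn is_safe_relative_path(untrusted: &str) -> bool {
    !untrusted.is_empty()
        && Path::new(untrusted)
            .components()
            .all(|c| matches!(c, Component::Normal(_)))
}

/// Sink-side helper: joins untrusted input under `root` only after the
/// validator has accepted it. Using the validated value on the `true` branch
/// is the pattern a validator model exists to recognise.
pub fn resolve_under_root(root: &Path, untrusted: &str) -> Option<PathBuf> {
    if is_safe_relative_path(untrusted) {
        Some(root.join(untrusted))
    } else {
        None
    }
}

fn main() {
    // Constructed sample inputs covering a normal path, traversal, an
    // absolute path and a bare parent reference.
    for input in ["reports/q1.txt", "../etc/passwd", "/etc/passwd", ".."] {
        println!(
            "{input:>16} -> sanitized {:?}, validated {}, resolved {:?}",
            sanitize_filename(input),
            is_safe_relative_path(input),
            resolve_under_root(Path::new("/srv/data"), input)
        );
    }
}
```

The distinction is what a model has to capture: for `sanitize_filename` the scanner should treat the return value as clean, while for `is_safe_relative_path` the argument is clean only on the branch where the call returned `true`, which is why `resolve_under_root` uses the value inside that branch. Internal helpers of this kind, living in wrapper crates or request pipelines, are the local context the article says default models tend to miss.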

GitHub’s own CodeQL documentation says the system treats code like data and uses a CodeQL database to represent a codebase. Its Rust docs add that CodeQL ships with a Rust library of classes, modules, and abstractions for analysis. GitHub Docs also say CodeQL model packs are in public preview, and that model packs are supported for C/C++, C#, Java/Kotlin, Python, Ruby, and Rust analysis. In CodeQL packs, the data extensions from a specified model pack are automatically added to code scanning analysis, which makes the new sanitizer and validator support immediately useful for teams already maintaining their own security models.


The Rust support story has been moving quickly. GitHub launched CodeQL for Rust in public preview on June 30, 2025, then made it generally available on October 14, 2025. CodeQL 2.23.0, released in September 2025, added a new Rust security query and a faster Rust extractor. CodeQL 2.24.3 followed in March 2026 with neutral models for Rust, and GitHub removed a Rust database-quality metric for macro resolution because it had been causing false alarms. Taken together, the April 21 update shows GitHub widening Rust support in two directions at once: broader built-in coverage and finer-grained organization-specific modeling. That is the kind of security tooling change that makes Rust scanning feel less like a blunt ruleset and more like part of the codebase itself.
