CodeQL now supports Rust

[coadaflorin]

Hello Rustaceans and Security Enthusiasts! 👋

As you may have seen in the recent GitHub announcement, CodeQL support for Rust is now available in public preview!

What This Means

• Your Rust files will now be included in CodeQL security scans
• Enhanced security posture for projects using Rust

We Want Your Feedback!

As we're still in the public preview phase, your experiences and insights are invaluable:

1. Have you tried the Rust CodeQL support yet? If so, what was your experience?
2. What types of vulnerabilities are you most concerned about in your Rust code?
3. Any false positives or missed vulnerabilities you've noticed?

How to Get Started

If you haven't tried it yet, you can enable CodeQL scanning for your Rust repositories by setting up code scanning.

Let's work together to make Rust code even safer! Your feedback will help shape the future of CodeQL support for Rust as it moves toward general availability.

[Marcono1234]

Might be good to link to the changelog post also in these issues / discussions where users had asked for Rust support in the past:

• Add support for Rust github/codeql#12017
• Rust plugin available github/codeql#8485
• Rust Support via `tree-sitter`'s parser github/codeql#10489
• Instructions for trying out experimental Rust support github/codeql#17781

I can do that if you want, but maybe you (or the other CodeQL maintainers) prefer to do this, to proudly announce what they have been working on.

[coadaflorin]

Thanks for bringing those up, @Marcono1234! I posted some comments on those discussions.

[kristof-mattei]

A fatal error occurred: Rust does not support the manual build mode. Please try using one of the following build modes instead: none.

when using

      - name: Initialize CodeQL
        uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
        with:
          languages: rust
          build-mode: manual
          queries: security-extended,security-and-quality

Which contradicts https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes

The CodeQL action supports three different build modes for compiled languages:

• none - the CodeQL database is created directly from the codebase without building the codebase (supported for all interpreted languages, and additionally supported for C/C++, C# and Java).
• autobuild - CodeQL detects the most likely build method and uses this to attempt to build the codebase and create a database for analysis (supported for all compiled languages).
• manual - you define the build steps to use for the codebase in the workflow (supported for all compiled languages).

Emphasis mine.

[coadaflorin]

Hi @kristof-mattei thanks for raising this! I will update the documentation for CodeQL as Rust does not actually support a manual build mode.

[AryanSinghh07]

Just wanted to share some quick thoughts and feedback after trying out the new CodeQL support for Rust that GitHub recently released in public preview.

A Few Things I Noticed

• I ran into a couple of false positives, especially in places where I used unsafe carefully with proper guards.
• Some of my async/await logic and macro-heavy code didn't seem to be fully understood by the scanner — possibly a limitation of how macros are handled right now.

Suggestions

• Add queries that flag risky patterns like unchecked unwraps, or dangerous default settings in common crates
• Improve macro expansion so tools can see through libraries like serde or tokio more clearly
• Highlight lifetime/ownership mistakes that could lead to logic bugs (if possible — I know that’s a tough one!)

[kristof-mattei]

I am having a warning on all of my repos, looking like this:

Low Rust analysis quality

Scanning Rust code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. Addressing these warnings is advisable to avoid false-positive or missing results.

Example codeql file in affected repo (stock, as Rust doesn't support manual mode): https://github.com/kristof-mattei/docker-dns-rs/blob/4d437f2b58198c36ae9927408bbd91936562768f/.github/workflows/codeql.yml

Link to affected run: https://github.com/kristof-mattei/rust-seed/actions/runs/16090269755/job/45406360742

I don't see anything in the logs that could be the origin of that warning.

[filips123]

So, CodeQL currently cannot fully work for Windows/macOS-specific code and disabled-by-default Rust features? Are there any plans to support this in the future?

Regarding macro expansions, trying to expand src/components/runtime.rs:145:23 in VS Code produces the following file:

// Recursive expansion of cfg_if! macro
// =====================================

#[cfg(all(all(platform_windows,target_arch = "x86"),not(any())))]
const_format::pmr::__AssertStr {
    x:{
        use const_format::__cf_osRcTFl4A;
        const_format::pmr::__concatcp_impl!{
            (BASE_DOWNLOAD_URL),("win"),
        }
    }
}.x #[cfg(all(all(platform_windows,target_arch = "x86_64"),not(any(all(platform_windows,target_arch = "x86")))))]
const_format::pmr::__AssertStr {
    x:{
        use const_format::__cf_osRcTFl4A;
        const_format::pmr::__concatcp_impl!{
            (BASE_DOWNLOAD_URL),("win64"),
        }
    }
}.x #[cfg(all(all(platform_windows,target_arch = "aarch64"),not(any(all(platform_windows,target_arch = "x86"),all(platform_windows,target_arch = "x86_64")))))]
const_format::pmr::__AssertStr {
    x:{
        use const_format::__cf_osRcTFl4A;
        const_format::pmr::__concatcp_impl!{
            (BASE_DOWNLOAD_URL),("win64-aarch64"),
        }
    }
}.x #[cfg(all(all(platform_linux,target_arch = "x86"),not(any(all(platform_windows,target_arch = "x86"),all(platform_windows,target_arch = "x86_64"),all(platform_windows,target_arch = "aarch64")))))]
const_format::pmr::__AssertStr {
    x:{
        use const_format::__cf_osRcTFl4A;
        const_format::pmr::__concatcp_impl!{
            (BASE_DOWNLOAD_URL),("linux"),
        }
    }
}.x #[cfg(all(all(platform_linux,target_arch = "x86_64"),not(any(all(platform_windows,target_arch = "x86"),all(platform_windows,target_arch = "x86_64"),all(platform_windows,target_arch = "aarch64"),all(platform_linux,target_arch = "x86")))))]
const_format::pmr::__AssertStr {
    x:{
        use const_format::__cf_osRcTFl4A;
        ({
            #[doc(hidden)]
            #[allow(unused_mut,non_snake_case)]
            const CONCATP_NHPMWYD3NJA: &[__cf_osRcTFl4A::pmr::PArgument] = {
                let fmt = __cf_osRcTFl4A::pmr::FormattingFlags::NEW;
                &[__cf_osRcTFl4A::pmr::PConvWrapper(BASE_DOWNLOAD_URL).to_pargument_display(fmt),__cf_osRcTFl4A::pmr::PConvWrapper("linux64").to_pargument_display(fmt)]
            };
            {
                #[doc(hidden)]
                const ARR_LEN:usize = const_format::pmr::PArgument::calc_len(CONCATP_NHPMWYD3NJA);
                #[doc(hidden)]
                const CONCAT_ARR: &const_format::pmr::LenAndArray<[u8;
                ARR_LEN]>  =  &const_format::pmr::__priv_concatenate(CONCATP_NHPMWYD3NJA);
                #[doc(hidden)]
                #[allow(clippy::transmute_ptr_to_ptr)]
                const CONCAT_STR: &str = unsafe {
                    let slice = const_format::pmr::transmute::<&[u8;
                    ARR_LEN], &[u8;
                    CONCAT_ARR.len]>(&CONCAT_ARR.array);
                    {
                        let bytes: &'static[const_format::pmr::u8] = slice;
                        let string: &'static const_format::pmr::str = {
                            const_format::__hidden_utils::PtrToRef {
                                ptr:bytes as *const [const_format::pmr::u8]as *const str,
                            }.reff
                        };
                        string
                    }
                };
                CONCAT_STR
            }
        })
    }
}.x #[cfg(all(all(platform_linux,target_arch = "aarch64"),not(any(all(platform_windows,target_arch = "x86"),all(platform_windows,target_arch = "x86_64"),all(platform_windows,target_arch = "aarch64"),all(platform_linux,target_arch = "x86"),all(platform_linux,target_arch = "x86_64")))))]
const_format::pmr::__AssertStr {
    x:{
        use const_format::__cf_osRcTFl4A;
        const_format::pmr::__concatcp_impl!{
            (BASE_DOWNLOAD_URL),("linux64-aarch64"),
        }
    }
}.x #[cfg(all(platform_macos,not(any(all(platform_windows,target_arch = "x86"),all(platform_windows,target_arch = "x86_64"),all(platform_windows,target_arch = "aarch64"),all(platform_linux,target_arch = "x86"),all(platform_linux,target_arch = "x86_64"),all(platform_linux,target_arch = "aarch64")))))]
const_format::pmr::__AssertStr {
    x:{
        use const_format::__cf_osRcTFl4A;
        const_format::pmr::__concatcp_impl!{
            (BASE_DOWNLOAD_URL),("osx"),
        }
    }
}.x #[cfg(all(not(any(all(platform_windows,target_arch = "x86"),all(platform_windows,target_arch = "x86_64"),all(platform_windows,target_arch = "aarch64"),all(platform_linux,target_arch = "x86"),all(platform_linux,target_arch = "x86_64"),all(platform_linux,target_arch = "aarch64"),platform_macos))))]
{
    #[cold]
    #[track_caller]
    #[inline(never)]
    #[rustc_const_panic_str]
    #[rustc_do_not_const_check]
    const fn panic_cold_display<T:core::fmt::Display>(arg: &T) ->  !{
        core::panicking::panic_display(arg)
    }
    panic_cold_display(&UNSUPPORTED_PLATFORM_ERROR);
};

There are no errors, but there is still const_format::pmr::__concatcp_impl! in the expanded code, so it seems it wasn't fully expanded?

Similarly, expanding build.rs:26:29 creates the following output:

// Recursive expansion of cfg_aliases! macro
// ==========================================

macro_rules! __cfg_aliases_matcher__ {
    (platform_windows) => {
        cfg_aliases::cfg_aliases!(@parser target_os = "windows")
    };
    (platform_linux) => {
        cfg_aliases::cfg_aliases!(@parser target_os = "linux")
    };
    (platform_macos) => {
        cfg_aliases::cfg_aliases!(@parser target_os = "macos")
    };
    (platform_bsd) => {
        cfg_aliases::cfg_aliases!(@parser any(target_os = "dragonfly",target_os = "freebsd",target_os = "openbsd",target_os = "netbsd"))
    };
    ($e:ident) => {
        cfg_aliases::cfg_aliases!(@cfg_is_set$e)
    };
}
{
    std::io::_print(std::format_args_nl!("cargo:rustc-check-cfg=cfg({})",stringify!(platform_windows)));
};
if std::env::var(alloc::__export::must_use({
    alloc::fmt::format(alloc::__export::format_args!("CARGO_CFG_{}", &stringify!(target_os).to_uppercase().replace("-","_")))
})).unwrap_or("".to_owned()).split(",").find(|x|x== &"windows").is_some(){
    {
        std::io::_print(std::format_args_nl!("cargo:rustc-cfg={}",stringify!(platform_windows)));
    };
}{
    std::io::_print(std::format_args_nl!("cargo:rustc-check-cfg=cfg({})",stringify!(platform_linux)));
};
if std::env::var(alloc::__export::must_use({
    alloc::fmt::format(alloc::__export::format_args!("CARGO_CFG_{}", &stringify!(target_os).to_uppercase().replace("-","_")))
})).unwrap_or("".to_owned()).split(",").find(|x|x== &"linux").is_some(){
    {
        std::io::_print(std::format_args_nl!("cargo:rustc-cfg={}",stringify!(platform_linux)));
    };
}{
    std::io::_print(std::format_args_nl!("cargo:rustc-check-cfg=cfg({})",stringify!(platform_macos)));
};
if std::env::var(alloc::__export::must_use({
    alloc::fmt::format(alloc::__export::format_args!("CARGO_CFG_{}", &stringify!(target_os).to_uppercase().replace("-","_")))
})).unwrap_or("".to_owned()).split(",").find(|x|x== &"macos").is_some(){
    {
        std::io::_print(std::format_args_nl!("cargo:rustc-cfg={}",stringify!(platform_macos)));
    };
}{
    std::io::_print(std::format_args_nl!("cargo:rustc-check-cfg=cfg({})",stringify!(platform_bsd)));
};
if cfg_aliases::cfg_aliases!(@parser_clause any[][ = "dragonfly",target_os = "freebsd",target_os = "openbsd",target_os = "netbsd"]target_os);
{
    {
        std::io::_print(std::format_args_nl!("cargo:rustc-cfg={}",stringify!(platform_bsd)));
    };
}

Where there are unexpanded references to cfg_aliases::cfg_aliases!.

So, I guess this should be reported to Rust Analyzer?

[aibaars]

Yes reporting to Rust-analyzer is a good idea. Make sure to check it hasn't already been reported yet.

[aibaars]

So, CodeQL currently cannot fully work for Windows/macOS-specific code and disabled-by-default Rust features? Are there any plans to support this in the future?

It can work for Windows and macOS and Linux specific code, but not all at the same time. The easiest way to analyze windows specific things is to run CodeQL analysis on Windows.

[filips123]

It can work for Windows and macOS and Linux specific code, but not all at the same time. The easiest way to analyze windows specific things is to run CodeQL analysis on Windows.

This isn't possible with UI-based configuration without custom YAML workflows, right?

Yes reporting to Rust-analyzer is a good idea. Make sure to check it hasn't already been reported yet.

I couldn't find any similar issues, so I reported it in rust-lang/rust-analyzer#20309.

[aibaars]

This isn't possible with UI-based configuration without custom YAML workflows, right?

Yes that's right. More advanced configuration need a custom YAML workflow file.