GitHub CodeQL Gets Major Speed Boost for Pull Request Security Scans
Luisa Crawford Mar 24, 2026 14:38
GitHub's CodeQL incremental analysis now runs up to 20% faster on pull requests across five major programming languages, with larger repos seeing the biggest gains.
GitHub has rolled out significant performance improvements to CodeQL, its open-source static analysis engine, making security scans on pull requests substantially faster for developers working in C#, Java, JavaScript/TypeScript, Python, and Ruby.
The update, announced March 24, 2026, builds on incremental analysis capabilities GitHub introduced last year. Rather than scanning entire codebases with each pull request, CodeQL now generates a separate database for new or changed code and combines it with a cached database of the existing codebase.
GitHub tested the improvements across more than 100,000 repositories, grouping them by typical scan duration. The results? Larger, more complex repositories—those taking over seven minutes for non-incremental scans—saw the most dramatic improvements. Repositories in the three-to-seven minute range also benefited meaningfully, while smaller projects under three minutes showed modest gains.
The timing matters for development teams. Slow security scans create friction in pull request workflows, and developers sometimes skip them entirely when deadlines loom. Faster scans mean security checks actually get run.
What's Actually Changing
The incremental analysis is enabled by default for projects using the build mode none extraction mechanism in both default and advanced setup configurations on github.com. If you're running the CodeQL CLI locally, you'll need to wait—GitHub says support for incremental scanning in the CLI is coming later.
One catch: the speed improvements only apply to repositories using GitHub's default CodeQL query suite. Custom query configurations won't see the same benefits yet.
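As an added illustration (not part of GitHub's announcement), here is an advanced-setup workflow that satisfies the eligibility conditions described above: build mode none, the default query suite, and a pull request trigger on github.com. The Java language choice, action versions and branch name are assumptions.

```yaml
# Added example, not from the GitHub announcement: a minimal advanced-setup
# workflow that meets the eligibility conditions the article lists.
# Assumptions: repository hosted on github.com, Java as the project language,
# codeql-action v3 (which accepts the build-mode input), default branch "main".
name: "CodeQL (incremental-eligible)"

on:
  pull_request:            # incremental analysis applies to pull request scans
    branches: [ main ]
  push:
    branches: [ main ]     # scan of the default branch (not a PR scan)

permissions:
  contents: read
  security-events: write   # needed to upload code scanning results

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java
          build-mode: none   # "build mode none" extraction: no compile step
          # No "queries:" or "config-file:" key here on purpose: leaving them
          # unset keeps the default query suite, which the article says is
          # required for the speed-up. A custom query configuration would
          # opt this repository out of the improvement for now.

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:java"
```

If your workflow sets queries or a custom config file, or runs the CodeQL CLI locally, expect the pre-existing (non-incremental) scan times until GitHub extends support.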
Part of a Bigger Push
This update follows a busy stretch for CodeQL development. Just last week, GitHub announced expanded application security coverage using AI-powered detections alongside CodeQL. And on March 18, CodeQL version 2.24.3 shipped with Java 26 support plus updated taint tracking and framework coverage.
GitHub has also been pairing CodeQL with Copilot to offer automated fix suggestions—essentially letting AI propose patches for the vulnerabilities CodeQL finds. For development teams juggling security requirements with shipping deadlines, faster scans combined with AI-assisted remediation could meaningfully change the economics of secure coding.
The incremental analysis improvements are live now for eligible repositories on github.com.