{"id":1376,"date":"2026-07-15T18:00:00","date_gmt":"2026-07-15T17:00:00","guid":{"rendered":"https:\/\/wade.one\/blog\/?p=1376"},"modified":"2026-07-15T18:00:00","modified_gmt":"2026-07-15T17:00:00","slug":"codeql-system-prompt-injection-query-is-a-useful-start","status":"publish","type":"post","link":"https:\/\/wade.one\/blog\/2026\/07\/15\/codeql-system-prompt-injection-query-is-a-useful-start\/","title":{"rendered":"CodeQL&#8217;s System Prompt Injection Query Is a Useful Start"},"content":{"rendered":"<p>Prompt injection is often discussed as if it lives entirely inside mysterious model behaviour. Some of it is much more ordinary than that: untrusted input flows into a privileged instruction, and the application gives the result too much authority. That is exactly the sort of path static analysis should help expose.<\/p>\n<p><a href=\"https:\/\/github.blog\/changelog\/2026-07-10-codeql-2-26-0-adds-kotlin-2-4-0-support-and-ai-prompt-injection-detection\/\">CodeQL 2.26.0<\/a> adds a JavaScript and TypeScript query for system prompt injection. It looks for user-controlled values reaching system prompts and expands support for sinks in OpenAI, Anthropic, and Google GenAI APIs. GitHub code scanning users on github.com receive the new version automatically.<\/p>\n<p>This will not solve prompt injection by itself. An application can still assemble a technically clean prompt and then hand the model a dangerous tool, trust retrieved content too much, or skip approval around a destructive action. But a warning that says &#8220;this request value reaches your system instruction&#8221; is concrete. It can sit beside SQL injection and unsafe deserialisation findings in the normal review flow instead of being left for an AI security workshop nobody has time to attend.<\/p>\n<p>I like this direction because it makes AI application security look more like application security. Trace the data, identify the trust boundary, reduce authority, and test the failure. The model is new; most of the engineering discipline is not.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CodeQL 2.26 can trace untrusted values into JavaScript and TypeScript system prompts, turning one AI security risk into something code review can see.<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[26,13],"tags":[30,202,200,201],"class_list":["post-1376","post","type-post","status-publish","format-standard","hentry","category-ai","category-programming","tag-ai","tag-application-security","tag-codeql","tag-prompt-injection"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>CodeQL&#039;s System Prompt Injection Query Is a Useful Start - wade.one<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/wade.one\/blog\/2026\/07\/15\/codeql-system-prompt-injection-query-is-a-useful-start\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CodeQL&#039;s System Prompt Injection Query Is a Useful Start - wade.one\" \/>\n<meta property=\"og:description\" content=\"CodeQL 2.26 can trace untrusted values into JavaScript and TypeScript system prompts, turning one AI security risk into something code review can see.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/wade.one\/blog\/2026\/07\/15\/codeql-system-prompt-injection-query-is-a-useful-start\/\" \/>\n<meta property=\"og:site_name\" content=\"wade.one\" \/>\n<meta property=\"article:published_time\" content=\"2026-07-15T17:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/wade.one\/blog\/wp-content\/uploads\/2015\/02\/Wade-Logo-cropped.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1518\" \/>\n\t<meta property=\"og:image:height\" content=\"1506\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@wadewomersley\" \/>\n<meta name=\"twitter:site\" content=\"@wadewomersley\" \/>\n<meta name=\"twitter:label1\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/wade.one\\\/blog\\\/2026\\\/07\\\/15\\\/codeql-system-prompt-injection-query-is-a-useful-start\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/wade.one\\\/blog\\\/2026\\\/07\\\/15\\\/codeql-system-prompt-injection-query-is-a-useful-start\\\/\"},\"author\":{\"name\":\"\",\"@id\":\"\"},\"headline\":\"CodeQL&#8217;s System Prompt Injection Query Is a Useful Start\",\"datePublished\":\"2026-07-15T17:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/wade.one\\\/blog\\\/2026\\\/07\\\/15\\\/codeql-system-prompt-injection-query-is-a-useful-start\\\/\"},\"wordCount\":223,\"publisher\":{\"@id\":\"https:\\\/\\\/wade.one\\\/blog\\\/#\\\/schema\\\/person\\\/8b4739f8f8bb2cff5d792d4b8779fcc3\"},\"keywords\":[\"ai\",\"application-security\",\"codeql\",\"prompt-injection\"],\"articleSection\":[\"AI\",\"Programming\"],\"inLanguage\":\"en-GB\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/wade.one\\\/blog\\\/2026\\\/07\\\/15\\\/codeql-system-prompt-injection-query-is-a-useful-start\\\/\",\"url\":\"https:\\\/\\\/wade.one\\\/blog\\\/2026\\\/07\\\/15\\\/codeql-system-prompt-injection-query-is-a-useful-start\\\/\",\"name\":\"CodeQL's System Prompt Injection Query Is a Useful Start - wade.one\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/wade.one\\\/blog\\\/#website\"},\"datePublished\":\"2026-07-15T17:00:00+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/wade.one\\\/blog\\\/2026\\\/07\\\/15\\\/codeql-system-prompt-injection-query-is-a-useful-start\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/wade.one\\\/blog\\\/2026\\\/07\\\/15\\\/codeql-system-prompt-injection-query-is-a-useful-start\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/wade.one\\\/blog\\\/2026\\\/07\\\/15\\\/codeql-system-prompt-injection-query-is-a-useful-start\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/wade.one\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CodeQL&#8217;s System Prompt Injection Query Is a Useful Start\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/wade.one\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/wade.one\\\/blog\\\/\",\"name\":\"wade.one\",\"description\":\"wade womersley - york based software engineer\",\"publisher\":{\"@id\":\"https:\\\/\\\/wade.one\\\/blog\\\/#\\\/schema\\\/person\\\/8b4739f8f8bb2cff5d792d4b8779fcc3\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/wade.one\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/wade.one\\\/blog\\\/#\\\/schema\\\/person\\\/8b4739f8f8bb2cff5d792d4b8779fcc3\",\"name\":\"Wade Womersley\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/wade.one\\\/blog\\\/wp-content\\\/uploads\\\/2015\\\/02\\\/200px.png\",\"url\":\"https:\\\/\\\/wade.one\\\/blog\\\/wp-content\\\/uploads\\\/2015\\\/02\\\/200px.png\",\"contentUrl\":\"https:\\\/\\\/wade.one\\\/blog\\\/wp-content\\\/uploads\\\/2015\\\/02\\\/200px.png\",\"width\":202,\"height\":200,\"caption\":\"Wade Womersley\"},\"logo\":{\"@id\":\"https:\\\/\\\/wade.one\\\/blog\\\/wp-content\\\/uploads\\\/2015\\\/02\\\/200px.png\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CodeQL's System Prompt Injection Query Is a Useful Start - wade.one","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/wade.one\/blog\/2026\/07\/15\/codeql-system-prompt-injection-query-is-a-useful-start\/","og_locale":"en_GB","og_type":"article","og_title":"CodeQL's System Prompt Injection Query Is a Useful Start - wade.one","og_description":"CodeQL 2.26 can trace untrusted values into JavaScript and TypeScript system prompts, turning one AI security risk into something code review can see.","og_url":"https:\/\/wade.one\/blog\/2026\/07\/15\/codeql-system-prompt-injection-query-is-a-useful-start\/","og_site_name":"wade.one","article_published_time":"2026-07-15T17:00:00+00:00","og_image":[{"width":1518,"height":1506,"url":"https:\/\/wade.one\/blog\/wp-content\/uploads\/2015\/02\/Wade-Logo-cropped.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_creator":"@wadewomersley","twitter_site":"@wadewomersley","twitter_misc":{"Estimated reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/wade.one\/blog\/2026\/07\/15\/codeql-system-prompt-injection-query-is-a-useful-start\/#article","isPartOf":{"@id":"https:\/\/wade.one\/blog\/2026\/07\/15\/codeql-system-prompt-injection-query-is-a-useful-start\/"},"author":{"name":"","@id":""},"headline":"CodeQL&#8217;s System Prompt Injection Query Is a Useful Start","datePublished":"2026-07-15T17:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/wade.one\/blog\/2026\/07\/15\/codeql-system-prompt-injection-query-is-a-useful-start\/"},"wordCount":223,"publisher":{"@id":"https:\/\/wade.one\/blog\/#\/schema\/person\/8b4739f8f8bb2cff5d792d4b8779fcc3"},"keywords":["ai","application-security","codeql","prompt-injection"],"articleSection":["AI","Programming"],"inLanguage":"en-GB"},{"@type":"WebPage","@id":"https:\/\/wade.one\/blog\/2026\/07\/15\/codeql-system-prompt-injection-query-is-a-useful-start\/","url":"https:\/\/wade.one\/blog\/2026\/07\/15\/codeql-system-prompt-injection-query-is-a-useful-start\/","name":"CodeQL's System Prompt Injection Query Is a Useful Start - wade.one","isPartOf":{"@id":"https:\/\/wade.one\/blog\/#website"},"datePublished":"2026-07-15T17:00:00+00:00","breadcrumb":{"@id":"https:\/\/wade.one\/blog\/2026\/07\/15\/codeql-system-prompt-injection-query-is-a-useful-start\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/wade.one\/blog\/2026\/07\/15\/codeql-system-prompt-injection-query-is-a-useful-start\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/wade.one\/blog\/2026\/07\/15\/codeql-system-prompt-injection-query-is-a-useful-start\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/wade.one\/blog\/"},{"@type":"ListItem","position":2,"name":"CodeQL&#8217;s System Prompt Injection Query Is a Useful Start"}]},{"@type":"WebSite","@id":"https:\/\/wade.one\/blog\/#website","url":"https:\/\/wade.one\/blog\/","name":"wade.one","description":"wade womersley - york based software engineer","publisher":{"@id":"https:\/\/wade.one\/blog\/#\/schema\/person\/8b4739f8f8bb2cff5d792d4b8779fcc3"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/wade.one\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":["Person","Organization"],"@id":"https:\/\/wade.one\/blog\/#\/schema\/person\/8b4739f8f8bb2cff5d792d4b8779fcc3","name":"Wade Womersley","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/wade.one\/blog\/wp-content\/uploads\/2015\/02\/200px.png","url":"https:\/\/wade.one\/blog\/wp-content\/uploads\/2015\/02\/200px.png","contentUrl":"https:\/\/wade.one\/blog\/wp-content\/uploads\/2015\/02\/200px.png","width":202,"height":200,"caption":"Wade Womersley"},"logo":{"@id":"https:\/\/wade.one\/blog\/wp-content\/uploads\/2015\/02\/200px.png"}}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":1255,"url":"https:\/\/wade.one\/blog\/2026\/05\/05\/gemini-tooling-updates-show-agents-are-about-orchestration\/","url_meta":{"origin":1376,"position":0},"title":"Gemini Tooling Updates Show Agents Are About Orchestration","author":"","date":"May 5, 2026","format":false,"excerpt":"Gemini's recent tooling updates are another sign that agent development is becoming an orchestration problem, not just a prompt problem.","rel":"","context":"In &quot;AI&quot;","block_context":{"text":"AI","link":"https:\/\/wade.one\/blog\/category\/ai\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1247,"url":"https:\/\/wade.one\/blog\/2026\/05\/01\/docker-mcp-shows-why-agent-tools-need-boring-infrastructure\/","url_meta":{"origin":1376,"position":1},"title":"Docker MCP Shows Why Agent Tools Need Boring Infrastructure","author":"","date":"May 1, 2026","format":false,"excerpt":"The more agents use real tools, the more they need boring infrastructure: isolation, versioning, profiles, credentials, and repeatable setup.","rel":"","context":"In &quot;AI&quot;","block_context":{"text":"AI","link":"https:\/\/wade.one\/blog\/category\/ai\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1342,"url":"https:\/\/wade.one\/blog\/2026\/06\/09\/android-studio-agent-skills-are-repo-instructions-that-agents-might-actually-read\/","url_meta":{"origin":1376,"position":2},"title":"Android Studio Agent Skills Are Repo Instructions That Agents Might Actually Read","author":"Wade","date":"June 9, 2026","format":false,"excerpt":"Android Studio agent skills matter because coding agents need durable project knowledge, not repeated prompt folklore.","rel":"","context":"In &quot;AI&quot;","block_context":{"text":"AI","link":"https:\/\/wade.one\/blog\/category\/ai\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1304,"url":"https:\/\/wade.one\/blog\/2026\/05\/16\/claude-code-routines-show-where-agent-automation-is-going\/","url_meta":{"origin":1376,"position":3},"title":"Claude Code Routines Show Where Agent Automation Is Going","author":"Wade","date":"May 16, 2026","format":false,"excerpt":"Claude Code's web routines point to a future where coding agents are triggered by events, not only by a developer sitting at a terminal.","rel":"","context":"In &quot;AI&quot;","block_context":{"text":"AI","link":"https:\/\/wade.one\/blog\/category\/ai\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":521,"url":"https:\/\/wade.one\/blog\/2011\/03\/04\/using-ssl-in-restclient\/","url_meta":{"origin":1376,"position":4},"title":"Using SSL in RestClient","author":"Wade","date":"March 4, 2011","format":false,"excerpt":"UPDATE 14\/07\/2012: The author of the client has released version 2.5 a short while ago and also a video for using self-signed certificates in the client. RESTClient is a great little CLI and GUI tool for testing your REST API. I recently pushed a new API up in the office\u2026","rel":"","context":"In &quot;Programming&quot;","block_context":{"text":"Programming","link":"https:\/\/wade.one\/blog\/category\/programming\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1336,"url":"https:\/\/wade.one\/blog\/2026\/06\/04\/overtasked-coding-agents-need-lead-dev-boundaries\/","url_meta":{"origin":1376,"position":5},"title":"Overtasked Coding Agents Need Lead Dev Boundaries","author":"Wade","date":"June 4, 2026","format":false,"excerpt":"Coding agents need bounded tasks, tests, and review because out-of-scope actions are exactly the kind of thing a lead developer has to catch.","rel":"","context":"In &quot;AI&quot;","block_context":{"text":"AI","link":"https:\/\/wade.one\/blog\/category\/ai\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/wade.one\/blog\/wp-json\/wp\/v2\/posts\/1376","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wade.one\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wade.one\/blog\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/wade.one\/blog\/wp-json\/wp\/v2\/comments?post=1376"}],"version-history":[{"count":1,"href":"https:\/\/wade.one\/blog\/wp-json\/wp\/v2\/posts\/1376\/revisions"}],"predecessor-version":[{"id":1385,"href":"https:\/\/wade.one\/blog\/wp-json\/wp\/v2\/posts\/1376\/revisions\/1385"}],"wp:attachment":[{"href":"https:\/\/wade.one\/blog\/wp-json\/wp\/v2\/media?parent=1376"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wade.one\/blog\/wp-json\/wp\/v2\/categories?post=1376"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wade.one\/blog\/wp-json\/wp\/v2\/tags?post=1376"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}