Prompt injection is often discussed as if it lives entirely inside mysterious model behaviour. Some of it is much more ordinary than that: untrusted input flows into a privileged instruction, and the application gives the result too much authority. That is exactly the sort of path static analysis should help expose.
CodeQL 2.26.0 adds a JavaScript and TypeScript query for system prompt injection. It looks for user-controlled values reaching system prompts and expands support for sinks in OpenAI, Anthropic, and Google GenAI APIs. GitHub code scanning users on github.com receive the new version automatically.
This will not solve prompt injection by itself. An application can still assemble a technically clean prompt and then hand the model a dangerous tool, trust retrieved content too much, or skip approval around a destructive action. But a warning that says “this request value reaches your system instruction” is concrete. It can sit beside SQL injection and unsafe deserialisation findings in the normal review flow instead of being left for an AI security workshop nobody has time to attend.
I like this direction because it makes AI application security look more like application security. Trace the data, identify the trust boundary, reduce authority, and test the failure. The model is new; most of the engineering discipline is not.