Academic researchers (arXiv preprint) · May 2026
Largest academic study of CodeQL to date, analyzing 3,993 CVEs from 1,622 repositories across 114 CodeQL versions. Finds that CodeQL detected 171 of these CVEs in total, of which 83 were detectable before the fix was applied. GitHub stores CodeQL databases for 200,000+ repositories.
Why read: Provides the best available quantitative measure of SAST tool adoption in OSS (CodeQL at ~200K repositories) and evidence on detection efficacy (171 of 3,993 CVEs detected), which is essential for calibrating what 'adopting SAST' actually delivers.