A system prompt often looks like configuration, so teams may treat it as harmless text. It becomes a security boundary when user-controlled content can reach it and quietly change how an AI feature behaves.

Quick answer

CodeQL 2.26.0 adds a JavaScript and TypeScript query that follows untrusted values into system-prompt sinks. Enable code scanning, review every result as a data-flow problem, and keep runtime defenses because static analysis cannot understand every prompt-building path.

const instructions = req.body.instructions; // untrusted

// Risky: user input becomes part of the system authority.
const response = await client.responses.create({
  model: 'your-model',
  instructions: `Follow policy. Extra rules: ${instructions}`,
  input: req.body.message,
});

what changed

The new js/system-prompt-injection query looks for user-provided values that flow into a model system prompt. CodeQL 2.26.0 also expands prompt sinks for OpenAI, Anthropic, and Google GenAI SDKs, including realtime instructions and cached content.

This is a current platform change, so confirm availability for your plan, organization, and installed client before changing a production workflow. Preview features can also change faster than generally available controls.

who should use it

Teams building chatbots, support assistants, document agents, and tool-using workflows should care most. A finding does not prove an exploit, but it identifies a place where lower-trust text may receive higher authority than intended.

The practical question is whether the feature removes a real bottleneck or security gap in your workflow. A new control is not valuable merely because it exists; it needs an owner, a narrow purpose, and an observable result.

a safe implementation

  1. Update the CodeQL analysis version or use GitHub code scanning.
  2. Trace the source of each flagged value.
  3. Keep user data in user-content fields instead of system instructions.
  4. Add allowlists and runtime tests for any dynamic policy input.

Make the first rollout small enough to reverse. Record the previous behavior, the setting or command that changed it, and the person responsible for deciding whether the experiment expands.

the mistake to avoid

Do not “fix” the alert by concatenating through a helper function or renaming the variable. The trust boundary remains. Also do not assume a delimiter alone makes hostile text safe.

Convenience features still operate inside your existing trust model. Repository permissions, protected environments, review rules, test accounts, and audit logs remain important even when the new workflow removes manual steps.

how to verify it

Add a test payload that asks the model to ignore its policy, then confirm the input remains ordinary user content and cannot replace system instructions. Re-run code scanning and review the complete path, including wrappers around the SDK.

Keep the verification evidence in the pull request or rollout ticket. That gives reviewers something concrete to evaluate and gives the next person a known baseline when the platform changes again.

rollout checklist

  • Confirm the feature and client version are available.
  • Test with non-production data and minimum permissions.
  • Capture expected success and failure behavior.
  • Document rollback and ownership.
  • Recheck the official announcement before a wide rollout.

official reference

The announcement is the source of truth for availability and product behavior. This article focuses on the implementation decisions teams should make around it.