There’s something elegantly human about the concept of incremental analysis.
CodeQL now supports incremental security analysis for all languages, completing the rollout of a feature that brings 5-40% faster pull-request scans by analyzing only new or changed code. But beneath this engineering milestone lies a deeper lesson about intelligence itself.
What if the secret to being smarter isn’t processing more information, but knowing what to safely ignore?
The incremental achievement#
CodeQL’s latest update brings incremental analysis to all supported languages:
📈 Performance improvements across the board#
- C# and C/C++: ~5% faster evaluations
- Go: ~20% faster evaluations
- Some scans: Over 40% improvement
- All languages: Consistent gains from selective analysis
🎯 Smart focusing#
Instead of analyzing an entire codebase on every pull request, CodeQL now examines only the parts that have actually changed, maintaining (according to GitHub) the same security coverage with significantly less computational overhead.
🔄 Seamless integration#
Available by default on github.com, with GitHub Enterprise Server support coming in version 3.19. CLI users will get access in future releases.
The philosophy of selective attention#
Here’s what’s fascinating: CodeQL’s breakthrough isn’t about becoming more powerful—it’s about becoming more selective.
The paradox of completeness#
We often equate thoroughness with quality, but incremental analysis suggests that strategic incompleteness can be more effective than exhaustive analysis.
Cognitive efficiency#
Human experts don’t re-examine everything from scratch each time they encounter a problem. They focus on what’s new, what’s changed, what’s relevant. CodeQL is learning this same efficiency.
The art of relevance#
Knowing what not to analyze might be as important as knowing what to analyze. This is a form of artificial wisdom—understanding context well enough to make intelligent trade-offs.
What this teaches us about intelligence#
CodeQL’s evolution mirrors something profound about how intelligence actually works:
Attention is a finite resource#
Whether biological or artificial, intelligent systems must allocate their processing power wisely. Incremental analysis is CodeQL learning to manage its attention.
Context is everything#
The ability to distinguish between what’s changed and what’s stable requires deep understanding of system relationships—a form of contextual intelligence.
Efficiency enables depth#
By spending less time on unchanged code, CodeQL can spend more of its computational budget on deeper analysis of the parts that actually matter.
The broader implications#
This achievement represents more than a performance optimization—it’s a step toward adaptive intelligence in security tools:
From brute force to finesse#
Early security tools often worked through exhaustive checking. Incremental analysis represents a shift toward more nuanced, context-aware security scanning.
The wisdom of experience#
Like experienced code reviewers who know where to focus their attention, CodeQL is developing a sense of what deserves scrutiny.
Sustainable scaling#
As codebases grow larger and more complex, intelligent selectivity becomes not just helpful, but necessary for practical security analysis.
The thoughtful questions#
What does it mean for AI to develop intuition about relevance? Is CodeQL’s incremental analysis a form of artificial intuition about what matters?
How do we balance efficiency with thoroughness? A change is rarely self-contained: a new call site in edited code can route untrusted input into an unchanged function, so the vulnerability surfaces in code the diff never touched. In our rush to optimize, do we risk missing the unexpected vulnerabilities hiding in “stable” code?
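The second question above is easiest to answer with a toy. The following is an added example, written for this page and not CodeQL's own code (the page does not describe CodeQL's mechanism); it models a program as a call graph with taint sources and sinks, and compares three ways of scanning a pull request: a full analysis, a naive "changed functions only" analysis, and an incremental analysis that re-examines the changed functions together with everything that calls or is called by them while reusing cached findings for the rest. The program, function names and the single-line change are all constructed for the illustration.

```python
"""Toy incremental taint analysis: why "only changed code" must include its neighbours.

Program model (constructed, not real code): name -> (callees, is_source, is_sink).
Taint enters at a source function and follows call edges until it hits a sink.
"""

# Before the pull request: the shell sink run_cmd is only reachable from cron_job,
# which handles no untrusted data, so there is no finding on that path.
OLD = {
    "parse_request": (("sanitize",), True, False),         # reads user input
    "sanitize":      ((), False, False),
    "run_cmd":       ((), False, True),                     # shell execution sink
    "cron_job":      (("run_cmd",), False, False),          # trusted caller
    "template_load": (("eval_template",), True, False),     # unrelated, already flagged
    "eval_template": ((), False, True),
}

# The pull request edits exactly one function: parse_request now calls run_cmd.
# run_cmd itself is untouched, yet it is where the new vulnerability lands.
NEW = dict(OLD)
NEW["parse_request"] = (("sanitize", "run_cmd"), True, False)


def reach(program, scope):
    """Return source-to-sink call paths whose nodes all lie inside `scope`."""
    findings = set()
    for src in scope:
        if not program[src][1]:          # not a source
            continue
        stack, seen = [(src, (src,))], set()
        while stack:
            cur, path = stack.pop()
            if cur in seen or cur not in scope:
                continue
            seen.add(cur)
            if program[cur][2]:          # sink reached with tainted data
                findings.add(path)
            for callee in program[cur][0]:
                stack.append((callee, path + (callee,)))
    return findings


def changed(old, new):
    """Functions whose definition differs between the two revisions (the diff)."""
    return {n for n in set(old) | set(new) if old.get(n) != new.get(n)}


def affected(program, changed_funcs):
    """Changed functions plus all transitive callers and callees: the region a
    change can influence. Everything outside it cannot gain or lose a path."""
    callers = {}
    for name, (callees, _, _) in program.items():
        for c in callees:
            callers.setdefault(c, set()).add(name)
    region, work = set(), list(changed_funcs)
    while work:
        n = work.pop()
        if n in region:
            continue
        region.add(n)
        work.extend(program[n][0])
        work.extend(callers.get(n, ()))
    return region


def incremental(old, new, cached):
    """Recompute findings only inside the affected region; keep cached ones outside.
    Returns (findings, region) so the caller can see what was skipped."""
    region = affected(new, changed(old, new))
    kept = {f for f in cached if region.isdisjoint(f)}
    return kept | reach(new, region), region


if __name__ == "__main__":
    baseline = reach(OLD, set(OLD))
    diff = changed(OLD, NEW)
    print("changed by the PR:      ", diff)
    print("full scan of NEW:       ", reach(NEW, set(NEW)))
    print("diff-only scan of NEW:  ", reach(NEW, diff))          # misses run_cmd
    found, region = incremental(OLD, NEW, baseline)
    print("incremental scan of NEW:", found)
    print("skipped (reused cache): ", set(NEW) - region)
```

The diff-only scan reports nothing, because `run_cmd` is not in the diff and the sink lives there; the incremental scan finds the same `parse_request -> run_cmd` path as the full scan while never re-analyzing the `template_load` module, whose cached finding it simply keeps. "Analyzing only what changed" is sound only when "what changed" is computed over the dependency graph rather than over the list of edited files.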
What can human experts learn from this approach? Should we be more strategic about where we direct our own analytical attention?
The first stage milestone#
GitHub notes this completes “the first stage of our broader initiative to make CodeQL scanning faster and more efficient.” This suggests we’re seeing the beginning of more sophisticated, context-aware security tools.
Future stages might bring even more selective intelligence—AI that doesn’t just know what to analyze, but when to analyze it, how deeply to analyze it, and why it matters.
Getting started#
Incremental analysis is enabled by default for CodeQL on github.com. No configuration is needed; it makes your pull-request scans faster and, per GitHub, does so without compromising coverage.
Compare the duration of the CodeQL job on your pull requests before and after the rollout, and keep comparing the alerts raised by your scheduled or default-branch scans with what the pull-request scans reported: any gap between the two is the coverage question above showing up in practice.
The most sophisticated intelligence isn’t always the most comprehensive—sometimes it’s the most selective. CodeQL is teaching us that knowing what to ignore might be just as important as knowing what to examine.
Learn more: Explore GitHub’s CodeQL documentation to understand how incremental analysis works and monitor the performance improvements in your own repositories.