Abstract:
Railway Web applications face high-risk security threats such as Structured Query Language (SQL) injection and file upload. Traditional security detection tools have high false-alarm rates and insufficient coverage of business-logic vulnerabilities, and manual auditing is inefficient under dynamic compliance requirements. This paper studies source-code security detection technology for railway Web applications based on CodeQL, covering key techniques such as baseline checks for traditional vulnerabilities, precise modeling of logic vulnerabilities, and code conversion for compliance requirements. It also proposes a method for integrating CodeQL into the entire lifecycle of railway Web applications, aiming to improve security capability and development efficiency together and to provide an effective reference for the digital transformation of railway systems.
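As an illustration of the kind of baseline check the abstract refers to, the following CodeQL query is an added example written for this page, not a query from the paper or from the railway project it describes. It assumes a Java Web application (a common stack for such systems; the paper does not name one) and uses only the standard CodeQL Java library: `RemoteFlowSource` models HTTP request parameters and similar untrusted inputs, and `QueryInjectionSink` models places where a string reaches a SQL execution API. It reports a taint path from source to sink, which is what turns a raw "string concatenation near a query" hit into a reviewable finding and keeps the false-alarm rate down; the paper's logic-vulnerability and compliance queries are not reproduced here.

```ql
/**
 * @name SQL query built from user-controlled input (added baseline example)
 * @description Flags request-derived strings that reach a SQL execution
 *              sink without passing through a sanitizer. Example query for
 *              this page, not the paper's own; assumes a Java code base.
 * @kind path-problem
 * @problem.severity error
 * @id example/railway-web/sql-injection-baseline
 * @tags security
 */

import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.QueryInjection

// Taint-tracking configuration: untrusted remote input flows to a SQL sink.
module SqlInjectionConfig implements DataFlow::ConfigSig {
  // Sources: servlet parameters, Spring request bindings, headers, cookies, etc.
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Sinks: arguments to JDBC/JPA/MyBatis-style query execution, as modelled
  // by the standard library's QueryInjectionSink.
  predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }

  // Barrier: a value that has been cast to a numeric type cannot carry a
  // SQL payload, so stop tracking it (a simple, conservative sanitizer).
  predicate isBarrier(DataFlow::Node node) {
    node.getType() instanceof NumericType or
    node.getType() instanceof BoxedType
  }
}

module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;

import SqlInjectionFlow::PathGraph

from SqlInjectionFlow::PathNode source, SqlInjectionFlow::PathNode sink
where SqlInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "This SQL query depends on a $@ and may be vulnerable to injection.",
  source.getNode(), "user-provided value"
```

Running this with `codeql database analyze` against a CodeQL database built from the application produces one alert per source-to-sink path, each carrying the intermediate steps, so a reviewer can confirm whether the data really is attacker-controlled before filing a defect. Extending the `isBarrier` predicate with the project's own validation or parameterisation helpers is the usual way to tune such a baseline check to a specific code base.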