GitHub has recently announced the general availability of GitHub code scanning, a developer-first, GitHub-native approach to finding security vulnerabilities before they reach production. Anyone can now enable it on their public repositories.
This follows GitHub's acquisition of Semmle; since then the team has worked to bring the code analysis capabilities of Semmle's CodeQL technology to GitHub users as a native feature. Earlier this year, at GitHub Satellite, GitHub released the first beta of that native integration, code scanning. Now, after gathering feedback from developers across the industry, GitHub is making code scanning generally available.
Code Scanning Helps In Preventing Security Issues In Code
According to the official blog post, code scanning was designed for developers: by default it runs only the actionable security rules, so that one can stay focused on the task at hand. Code scanning integrates with GitHub Actions or an existing CI/CD environment to give teams maximum flexibility. It not only scans code as it is written but also surfaces actionable security reviews, so that vulnerabilities do not make it to production.
Code scanning is powered by CodeQL, GitHub's code analysis engine. With it, one can run the 2,000+ CodeQL queries created by GitHub and the community, or write custom queries to find and prevent new classes of security issues.
It is extensible and built on the open SARIF standard, so open source and commercial static application security testing (SAST) solutions can be plugged in. Third-party scanning engines can be integrated so that results from all of a team's security tools appear in a single interface.
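Because the integration point is SARIF, a scanner that does not emit SARIF natively can still surface its results in the code scanning interface once its findings are converted into a SARIF 2.1.0 file (which can then be uploaded with GitHub's `github/codeql-action/upload-sarif` action). The script below is an added example, not code from GitHub or the blog post: it converts the findings of a hypothetical scanner (the tool name, severity labels and sample findings are all constructed here) into the minimal SARIF structure code scanning needs, and checks the few fields the conversion depends on. The check is deliberately narrower than a full SARIF schema validation.

```python
"""Build a minimal SARIF 2.1.0 document from a third-party scanner's findings.

The scanner, its severity labels and the findings below are constructed
sample data for this example; they are not output of any real tool.
"""
import json

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Map the hypothetical tool's severity labels onto SARIF result levels.
LEVEL_MAP = {"high": "error", "medium": "warning", "low": "note"}

# Constructed sample findings from the imaginary scanner.
SAMPLE_FINDINGS = [
    {"rule": "SQLI-001", "title": "SQL built from untrusted input",
     "severity": "high", "file": "app/db.py", "line": 42,
     "message": "Query string is assembled with str.format from request data."},
    {"rule": "HC-SECRET", "title": "Hard-coded credential",
     "severity": "medium", "file": "app/config.py", "line": 7,
     "message": "A literal that looks like an API key is assigned to API_KEY."},
]


def findings_to_sarif(findings, tool_name, tool_version):
    """Return a SARIF 2.1.0 dict describing one run of `tool_name`."""
    rules = {}
    results = []
    for f in findings:
        # Each distinct rule is declared once in tool.driver.rules so the
        # alert UI can show its title next to every result that cites it.
        rules.setdefault(f["rule"], {
            "id": f["rule"],
            "shortDescription": {"text": f["title"]},
        })
        results.append({
            "ruleId": f["rule"],
            "level": LEVEL_MAP.get(f["severity"], "warning"),
            "message": {"text": f["message"]},
            "locations": [{
                "physicalLocation": {
                    # Paths are repository-relative so the alert can be
                    # attached to the right line in the pull request.
                    "artifactLocation": {"uri": f["file"]},
                    "region": {"startLine": f["line"]},
                }
            }],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {
                "name": tool_name,
                "version": tool_version,
                "rules": list(rules.values()),
            }},
            "results": results,
        }],
    }


def validate_sarif(doc):
    """Return a list of problems that would make the upload useless.

    Only the fields the conversion above relies on are checked; this is not
    a full SARIF schema validation.
    """
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be '2.1.0'")
    runs = doc.get("runs") or []
    if not runs:
        problems.append("at least one run is required")
    for i, run in enumerate(runs):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            problems.append(f"runs[{i}].tool.driver.name is missing")
        known_rules = {r["id"] for r in driver.get("rules", [])}
        for j, res in enumerate(run.get("results", [])):
            where = f"runs[{i}].results[{j}]"
            if res.get("ruleId") not in known_rules:
                problems.append(f"{where}.ruleId is not declared in driver.rules")
            if not res.get("message", {}).get("text"):
                problems.append(f"{where}.message.text is missing")
            locs = res.get("locations") or []
            if not locs or "physicalLocation" not in locs[0]:
                problems.append(f"{where} has no physicalLocation")
    return problems


def write_sarif(doc, path):
    """Serialise the document to the file an upload step would read."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2)


if __name__ == "__main__":
    sarif = findings_to_sarif(SAMPLE_FINDINGS, "example-scanner", "0.1.0")
    print("problems:", validate_sarif(sarif))
    write_sarif(sarif, "example-scanner.sarif")
```

Running the script writes `example-scanner.sarif` in the working directory; a workflow step that points the upload action's `sarif_file` input at that path is what places the results next to the CodeQL alerts.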
Achievements So Far
GitHub has scanned over 12,000 repositories 1.4 million times and found more than 20,000 security issues. In the last 30 days, developers and maintainers fixed 72% of the security errors reported in their pull requests before merging.
CodeQL's open-sourced query set has received 132 community contributions, and GitHub has partnered with more than a dozen open source and commercial security vendors to let developers run CodeQL alongside those tools.
Currently, code scanning is free for public repositories. For private repositories, it is available to GitHub Enterprise customers through GitHub Advanced Security.