itb-nz logo
Story image

GitHub's code vulnerability scanning tool now generally available

16 Oct 2020

GitHub has recently rolled out code scanning to help developers detect and prevent vulnerabilities from popping up in their open source and enterprise code.

Code scanning, which was released from beta to general availability in early October, aims to automate security directly into the developer workflow, furthering 'security by design' approach to applications and coding.

GitHub adds that more than half of breaches are caused by vulnerabilities in application code - and many of these vulnerabilities are recurring patterns.

Since GitHub introduced code scanning capabilities in May, users have scanned more than 12,000 repositories upwards of 1.4 million times. These scans uncovered more than 20,000 security issues, many of which related to RCE and XSS issues. 
In the last 30 days, users fixed 72% of reported security errors that were identified in their pull requests.

CodeQL is a code analysis engine that contains more than 2000 queries created by users and GitHub itself. CodeQL is also what powers the code scanning tool.

The company also states that it has received 132 community contributions towards CodeQL’s open sourced query set. 

According to GitHub, code scanning integrates with GitHub Actions or CI/CD to improve flexibility.

“It scans code as it’s created and surfaces actionable security reviews within pull requests and other GitHub experiences you use every day, automating security as a part of your workflow. This helps ensure vulnerabilities never make it to production in the first place,” the company states.

The company also states that it has partnered with more than 12 open source and commercial security vendors to allow developers to run CodeQL and solutions for SAST, container scanning, and infrastructure as code validation side-by-side in GitHub’s native code scanning experience.

“Built on the open SARIF standard, code scanning is extensible so you can include open source and commercial static application security testing (SAST) solutions within the same GitHub-native experience you love. You can integrate third-party scanning engines to view results from all your security tools in a single interface and also export multiple scan results through a single API.”

“For those interested in helping to secure the open source ecosystem, we also invite you to contribute to the growing list of CodeQL queries and become part of our growing security community.”

The company will release more information about extensibility capabilities and partner ecosystem soon.

Public repositories can use GitHub’s code scanner for free.  Private repositories can use GitHub’s code scanner through the GitHub Enterprise through Advanced Security.