GitHub is getting a new feature that will inform the platform’s users about security flaws in their code. The feature is called Code Scanning, and it is available for both free and paid user accounts.
The feature was first announced during the GitHub Satellite conference. It has been available to beta testers since May. Since then, more than 1.4 million scans have been performed on over 12,000 repositories. As a result, more than 20,000 vulnerabilities have been identified. Discovered security flaws include remote code execution, SQL injection, and cross-site scripting issues.
What is the purpose of Code Scanning?
Code Scanning prevents vulnerabilities from reaching production by analyzing every pull request, commit, and merge, GitHub says. By doing this, the feature can recognize vulnerable code as soon as it is written. If any vulnerabilities are detected, the developer is prompted to revise their code before it is merged.
The feature was built on top of CodeQL, which was integrated into GitHub after the company acquired the code-analysis platform Semmle last year. CodeQL is an “industry-leading semantic code analysis engine,” free for research and open-source projects. CodeQL stands for code query language; it lets developers write queries (rules) that detect many variants of the same flaw across large codebases.
How can GitHub users configure Code Scanning? They need to go to the Security tab of each repository in which they want the feature enabled. There, CodeQL queries should be enabled so that GitHub can scan the repository's source code. GitHub has created more than 2,000 predefined queries that check new code for vulnerabilities automatically.
Users can also extend Code Scanning with custom CodeQL queries written by repository owners. Another option is to plug in third-party open-source or commercial static application security testing (SAST) solutions.
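The Security tab setup described above generates a GitHub Actions workflow; the following is an added example of such a workflow, not taken from the article or from GitHub's own templates. It runs the built-in security-extended query suite plus a custom query directory on every push and pull request; the action version tags and the `./codeql/custom-queries` path are assumptions.

```yaml
# Assumed file location: .github/workflows/codeql.yml (constructed example)
name: "CodeQL code scanning"

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      # Least privilege: only what is needed to upload scan results.
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Check out the repository
        uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          # Languages to analyze; adjust to the repository's stack.
          languages: javascript
          # Built-in suite plus repository-owned custom queries
          # (assumed directory; it must contain .ql files and a qlpack.yml).
          queries: security-extended,./codeql/custom-queries

      - name: Run CodeQL analysis and upload results
        uses: github/codeql-action/analyze@v2
```

Findings appear as alerts under the repository's Security tab and as annotations on the pull request that introduced them.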
CodeQL has already received 132 community contributions to its query sets since its initial release in May.
In June, security researchers discovered malware in GitHub repositories. Called Octopus Scanner, the malware was targeting the Apache NetBeans development environment.