GitHub Code Scanning Generally Available
Written by Kay Ewbank   
Wednesday, 30 September 2020

Github's code analysis technology based on CodeQL, which it acquired as part of its purchase of Semmie in 2019, is now out of beta and generally available.

The new natively integrated code scanning is based on the CodeQL technology. CodeQL is a tool many security research teams around the world use to perform semantic analysis of code, and was made open source by GitHub once Semmie was acquired.

githubdeklogo

The aim of the new facility is to help developers prevent security issues in code. The code scanning doesn't make linting suggestions, and the scanning runs only the actionable security rules by default to prevent developers being overwhelmed by suggestions.

The scanning integrates with GitHub Actions or with CI/CD environments. It scans code as it’s created and creates security reviews with suggested actions within pull requests to automate security as a part of your workflow. The aim is to make sure vulnerabilities never make it to production in the first place. 

The underlying CodeQL code analysis engine has more than 2,000 CodeQL queries created by GitHub and the community, and developers can also create custom queries.

The scanning is based on the open SARIF (Static Analysis Results Interchange Format) standard that is an interoperability standard for detecting software defects and vulnerabilities. The scanning is extensible so you can include open source and commercial static application security testing (SAST) solutions within the same GitHub-native experience. Developers can also integrate third-party scanning engines.

GitHub says that since introducing the beta in May, 12,000 repositories have been scanned 1.4 million times, and more than 20,000 security issues have been found and fixed, including remote code execution (RCE), SQL injection, and cross site scripting (XSS) vulnerabilities.

Code scanning is free for public repositories. Private repositories can be scanned using GitHub Enterprise through GitHub Advanced Security.

githubdeklogo 

More Information

GitHub code scanning

Related Articles

GitHub Strengthens Team Working

The Trap Snaps Shut - GitHub Codespaces

New From GitHub Universe

GitHub Launches Actions

Microsoft Buys GitHub - Get Ready For a Bigger Devil

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Banner

Java Version 22 Released
04/04/2024

JDK 22 is not a Long Term Support release, but is one of the regular releases that are scheduled to arrive every six months. Still, it has got a lot to show for itself.


+ Full Story
Rust Twice As Productive As C++
03/04/2024

Google director of engineering, Lars Bergstrom, gave a talk at the recent Rust Nation UK conference and claimed that Rust was twice as productive as C++. Given how good Google is at C++, this is quite [ ... ]


+ Full Story
More News

raspberry pi books

 

Comments




or email your comment to: comments@i-programmer.info
Last Updated ( Wednesday, 30 September 2020 )