GitHub unveiled its new security feature, Code Scanning. It is available to users on both paid and free accounts. GitHub created the feature to help developers stop vulnerabilities before they reach end users.
It can analyze every pull request, commit and merge, flagging flawed code as soon as a developer writes it. Once it detects a vulnerability, Code Scanning prompts the developer to revise the code.
Code Scanning is built on CodeQL, the code-analysis engine GitHub integrated into the platform after acquiring Semmle, a code-analysis company, in September 2019.
Rules to find flaws
CodeQL is short for ‘code query language’ and is a general-purpose query language used to write rules that help developers find variants of the same security vulnerability across large codebases.
To configure Code Scanning, users go to the Security tab of each repository where they want the feature enabled.
From that tab, developers select the CodeQL queries they want GitHub to run against their source code.
GitHub said its security team has collected more than 2,000 predefined CodeQL queries that developers can turn on for their repositories to check for the most basic flaws.
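As an added illustration of the kind of rule CodeQL expresses (this is an example written for this article, not one of GitHub's predefined queries), the query below flags JavaScript assignments that write a non-literal value to an element's innerHTML, a common cross-site scripting pattern. The metadata block, the predicate names and the query id are the author's assumptions based on the public CodeQL JavaScript library.

```ql
/**
 * @name Non-constant value assigned to innerHTML (example rule)
 * @description Writing a non-literal value to innerHTML can lead to
 *              cross-site scripting if the value is attacker-controlled.
 * @kind problem
 * @problem.severity warning
 * @id example/innerhtml-non-constant   -- hypothetical id, not a shipped query
 */

import javascript

// Match every assignment whose left-hand side is a property access named
// innerHTML and whose right-hand side is anything other than a plain string
// literal (string literals cannot carry attacker-controlled content).
from Assignment assign, PropAccess target
where
  target = assign.getLhs() and
  target.getPropertyName() = "innerHTML" and
  not assign.getRhs() instanceof StringLiteral
select assign,
  "Non-constant value written to innerHTML; use textContent or sanitize the value " +
  "to avoid cross-site scripting."
```

A query like this is syntactic only; GitHub's production XSS queries additionally use taint tracking so that only values reachable from untrusted input are reported, which keeps the false-positive rate low.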
Developers seem to like it
Since May, when it was announced at the GitHub Satellite conference, the scanning feature has been available to beta testers. Since then, it has been used to perform more than 1.4 million scans.
Those scans covered more than 12,000 repositories and identified more than 20,000 vulnerabilities, including remote code execution, SQL injection, and cross-site scripting.
Developers have warmed up to the feature so far, and GitHub has seen 132 community contributions to its open-source CodeQL query set.