The GitHub code scanning beta is now available. Currently, JavaScript and TypeScript code can be scanned automatically for four known vulnerability classes, a number GitHub expects to grow over time.
The four vulnerability classes are cross-site scripting (XSS), path injection, NoSQL injection, and SQL injection. According to GitHub, these are the issues most often responsible for CVE records filed against JavaScript and TypeScript code.
The tool helps catch vulnerabilities during development by, among other things, raising alerts in a repository's 'Security' tab and directly on pull requests. The beta release includes machine learning functionality. According to GitHub, the machine learning initially produces more false positives and becomes more accurate as the tool is used.
Semmle and availability
The tool is not entirely new: the release is built on the code analysis technology of Semmle, which GitHub acquired in 2019. The GitHub code scanning beta is free for public repositories. It is also available as a GitHub Advanced Security feature for private repositories on GitHub Enterprise.