With only a few clicks, developers can configure code scanning for a repository using the new default setup introduced by GitHub.
Although GitHub’s code scanning is powered by the CodeQL code analysis engine, which supports a wide range of languages and compilers, the new option is only available for Python, JavaScript, and Ruby projects.
According to product marketing manager Walker Chabbott, GitHub is planning to add more language support over the next six months. Users can configure code scanning by navigating to ‘Code security and analysis’ in their repository settings, selecting the ‘Set up’ drop-down box and clicking on the new ‘Default’ option.
GitHub code scanning
“When you click on ‘Default,’ you’ll automatically see a tailored configuration summary based on the contents of the repository,” Chabbott said, adding that this includes “the languages detected in the repository, the query packs that will be used, and the events that will trigger scans.”
Options will be customizable in the future, Chabbott noted. Scanning starts as soon as you click ‘Enable CodeQL’; findings are reported as code scanning alerts in the repository’s Security tab for developers to triage and fix, rather than being patched automatically, so weaknesses can be addressed early instead of after release.
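For readers who want to see what the three pieces of the “tailored configuration summary” (languages, query packs, triggering events) look like when written out by hand, here is the equivalent GitHub Actions workflow for the advanced setup path. This is an added example, not code from the article and not the configuration GitHub generates for default setup (which is managed by GitHub and never committed to the repository). The `main` branch name, the weekly cron schedule and the choice of the `security-extended` query suite are assumptions made for illustration; the three-language matrix mirrors the languages the default setup supports.

```yaml
# Added example: hand-written CodeQL workflow (advanced setup), not the
# article's own content. Save as .github/workflows/codeql.yml.
name: "CodeQL"

# Events that trigger scans. Branch name and schedule are assumptions.
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "0 6 * * 1"   # weekly, so new queries are applied to unchanged code

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    # Least privilege: the job only needs to read the repo and upload results.
    permissions:
      actions: read
      contents: read
      security-events: write   # required to upload SARIF as code scanning alerts

    strategy:
      fail-fast: false
      matrix:
        # Languages detected in the repository; default setup supports these three.
        language: [ "javascript", "python", "ruby" ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          # Query pack selection. "security-extended" is an assumed choice;
          # omit this line to run the default security suite.
          queries: security-extended

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v2
        with:
          # Distinct category per language so results from parallel jobs
          # do not overwrite each other in the alert view.
          category: "/language:${{ matrix.language }}"
```

A useful check after the first run: open the repository’s Security tab and confirm one set of alerts per matrix language. If a language job reports no results at all, verify that the language really is present in the checked-out tree, since the default setup’s language detection would have skipped it.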
CodeQL
The CodeQL code-analysis engine was incorporated into GitHub’s platform after the organization acquired Semmle’s code-analysis platform in September 2019.
Its general availability was announced in September 2020, four months after the initial code scanning beta was unveiled at GitHub Satellite. During the beta, more than 12,000 repositories were scanned more than 1.4 million times, surfacing more than 20,000 security weaknesses, including remote code execution (RCE), SQL injection and cross-site scripting (XSS) vulnerabilities.
Code scanning is free for all public repositories and is available for private repositories as part of GitHub Advanced Security on GitHub Enterprise. In related news, GitHub last month made secret scanning, which detects exposed credentials such as auth tokens, available to all public projects.