GitHub Code Scanning is now generally available for users to evaluate their code for security flaws. The idea behind this initiative is to eliminate vulnerabilities before the code reaches production. With GitHub Code Scanning enabled, every git push is scanned for potential security loopholes. The results are displayed directly in pull requests, making users aware of flaws in the code before they are merged.
The open-source GitHub Code Scanning solution is powered by CodeQL, which ships with 2,000+ default queries to scan the code. GitHub has doubled down on security enhancements since it acquired Semmle on September 19, 2019. Semmle allowed developers to write queries to search for vulnerabilities.
Now, with Code Scanning, developers can address security threats more effectively. However, it does not guarantee 100% secure code, since the security flaws that matter vary with each project's workflow. Nevertheless, one can eliminate common vulnerabilities in the code or use customized queries to find project-specific security issues.
Since the beta release in May, developers have run 1.4 million GitHub Code Scanning scans on 12,000 repositories. More than 20,000 security issues, such as SQL injection, cross-site scripting (XSS), and remote code execution (RCE) vulnerabilities, were identified. Of the total flaws, 72% were fixed before the pull requests were merged. That is well ahead of the industry standard, where it takes more than 30 days to fix at most 30 percent of all flaws.
“We chose Advanced Security for its out-of-the-box functionality and the custom functionality that we can build off of. Instead of it taking a full day to find and fix one security issue, we were able to find and fix three issues in the same amount of time,” said Charlotte Townsley, Director of Security Engineering at Auth0.
GitHub Code Scanning is open-source and can be used for free on public repositories, but scanning private repositories requires GitHub Enterprise. To enable it on public repositories, you can visit here.
Check the announcement here.