GitHub Code Scanning Now Detects Additional Security Flaws
GitHub, the well-known code hosting platform, has recently released new analysis features intended to automate the identification of security flaws before they reach production. These features rely on machine learning-based code scanning.
New Scanning Analysis Features Implemented by GitHub: More Details
The security flaws identified by this new experimental code analysis will appear as alerts in the ‘Security’ tab of enrolled repositories, and those alerts will be labeled “Experimental”.
After GitHub bought code-analysis platform Semmle in September 2019, the CodeQL code analysis engine, which drives GitHub’s code scanning, was added to the platform’s capabilities.
In May 2020, GitHub launched the first code scanning beta at GitHub Satellite, and four months later, in September 2020, it became generally available.
During the beta testing phase, the code scanning function scanned over 12,000 repositories 1.4 million times and discovered over 20,000 security weaknesses, including remote code execution (RCE), SQL injection, and cross-site scripting (XSS) flaws.
For public repositories, GitHub code scanning is free of charge; for private repositories on GitHub Enterprise, it is available as a GitHub Advanced Security feature.
GitHub code scanning is powered by the CodeQL analysis engine. To identify potential security vulnerabilities, you can enable CodeQL to run queries against your codebase. These open-source queries are written by members of the community and by GitHub security experts, and each query is carefully crafted to recognize as many variants of a particular vulnerability type as possible and to provide broad Common Weakness Enumeration (CWE) coverage.