GitHub has released a new feature that scans repositories on the site for security vulnerabilities, a service that is free for public repositories. The new feature has been in beta for several months and the company said it has already been used to scan more than 12,000 repositories 1.4 million times.
The code-scanning service, first announced by the company in May, is based on technology from Semmle, which GitHub acquired last year. The technology uses the analysis engine that Semmle developed based on the CodeQL object-oriented query language and it’s designed to find different variants of security flaws in code. CodeQL has thousands of queries built in, but developers or security teams can also write their own and contribute them to the project’s inventory. While some code-scanning tools are aimed mainly at security teams, GitHub’s service is meant primarily for development teams.
“Code scanning is designed for developers first. Instead of overwhelming you with linting suggestions, code scanning runs only the actionable security rules by default so that you can stay focused on the task at hand,” Justin Hutchings, a senior product manager for security and open source intelligence at GitHub, said.
“Code scanning integrates with GitHub Actions—or your existing CI/CD environment—to maximize flexibility for your team. It scans code as it’s created and surfaces actionable security reviews within pull requests and other GitHub experiences you use every day, automating security as a part of your workflow. This helps ensure vulnerabilities never make it to production in the first place.”
There are any number of commercial scanners on the market, but they may not be as useful for developers without extensive security experience. GitHub’s service surfaces vulnerabilities directly in pull requests and can find every instance of a specific flaw across a large codebase. And because the service is based on the open OASIS Static Analysis Results Interchange Format (SARIF) standard, enterprises can integrate other code-scanning engines into the same workflow.
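The SARIF interchange mentioned above is what lets a third-party engine's findings land in the same pull-request check as CodeQL's. As an added example (not GitHub's or CodeQL's code), the script below reads a constructed SARIF 2.1.0 document, resolves each result's severity through the rule's default configuration when the result omits one, and applies a merge gate that blocks only on error-level findings; the scanner name and rule ids are hypothetical.

```python
"""Consumer for SARIF 2.1.0, the format GitHub code scanning ingests from CodeQL and other engines."""
import json
from collections import Counter

# Constructed sample standing in for a real scanner's SARIF output (engine name and rule ids are hypothetical).
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner", "rules": [
        {"id": "py/sql-injection", "defaultConfiguration": {"level": "error"}},
        {"id": "py/unused-import", "defaultConfiguration": {"level": "note"}}]}},
    "results": [
        {"ruleId": "py/sql-injection", "level": "error",
         "message": {"text": "Query string depends on a request parameter"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
        # No explicit level on this result: SARIF falls back to the rule's default level.
        {"ruleId": "py/unused-import",
         "message": {"text": "Import of 'os' is not used"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/util.py"}, "region": {"startLine": 3}}}]}]}]})


def parse_sarif(text):
    """Flatten every run into (level, rule_id, uri, line, message) tuples."""
    findings = []
    for run in json.loads(text).get("runs", []):
        rules = run["tool"]["driver"].get("rules", [])
        # Rule metadata carries the default severity used when a result omits "level".
        defaults = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                    for r in rules}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "")
            level = res.get("level") or defaults.get(rule_id, "warning")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine")
            findings.append((level, rule_id, uri, line, res["message"]["text"]))
    return findings


def gate(findings, fail_on=("error",)):
    """Mimic a pull-request check: only actionable severities block the merge."""
    blocking = [f for f in findings if f[0] in fail_on]
    return {"counts": dict(Counter(f[0] for f in findings)),
            "blocking": blocking, "passed": not blocking}


if __name__ == "__main__":
    for f in parse_sarif(SAMPLE_SARIF):
        print("[%s] %s %s:%s: %s" % f)
    print("merge allowed:", gate(parse_sarif(SAMPLE_SARIF))["passed"])
```

The same gate works unchanged on a real CodeQL or third-party SARIF file, which is the point of a shared interchange format.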
The code-scanning service is free for any public repository, and for enterprises it’s available as part of GitHub’s broader Advanced Security offering. That offering also includes the company’s new secret scanning feature, which scans code for potentially sensitive data, such as credentials. If any valid GitHub secrets are found, the service will revoke the credentials immediately and notify the maintainers of the repository.