GitHub has added a new feature, called Code Scanning, that tells developers on both free and paid accounts when they have introduced known security flaws into their code.
According to GitHub, the new feature:
“helps prevent vulnerabilities from reaching production by analyzing every pull request, commit, and merge—recognizing vulnerable code as soon as it’s created.”
Every time a known class of vulnerability is detected, Code Scanning prompts the developer to revise the affected code.
Code Scanning is built on CodeQL, a technology GitHub integrated into its platform after acquiring the code-analysis company Semmle in 2019. CodeQL, short for Code Query Language, is a query language that treats source code as data: developers write queries (rules) against a database extracted from the code, which makes it possible to find every variant of a security flaw across large codebases.
Here is the step by step process to enable Code Scanning on Github:
Step 1. On GitHub, navigate to the main page of the repository.
Step 2. Under your repository name, click Security.
Step 3. To the right of “Code scanning”, click Set up code scanning.
Step 4. Under “Get started with code scanning”, click Set up this workflow on the CodeQL analysis workflow or on a third-party workflow.
Step 5. Here you can customize how Code Scanning scans your code by editing the workflow file.
Step 6. Use the Start commit drop-down, and type a commit message.
Step 7. Choose whether you’d like to commit directly to the default branch, or create a new branch and start a pull request.
Step 8. Click Commit new file or Propose new file.
Note: If you make no edits in Step 5, Code Scanning will by default analyze your code each time you push a change to the default branch or to a protected branch, or raise a pull request against the default branch or any protected branch.
You will then be prompted to choose which CodeQL queries you want GitHub to use when scanning your source code.
And you're done: Code Scanning is now enabled.
According to GitHub, their security team has put together more than 2,000 predefined CodeQL queries that users can use for their repositories and automatically check for security flaws when submitting new code. The feature can also be extended via custom CodeQL templates written by repository owners or by plugging in third-party open-source or commercial static application security testing (SAST) solutions.
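The workflow file edited in Step 5 is what decides when scans run and which query sets are used. Below is an added example of such a file (it is not the page's or GitHub's own default template); the action version tags, the branch name, the cron schedule, the language matrix and the custom-query path are assumptions for illustration and should be checked against the current GitHub documentation for your repository:

```yaml
# .github/workflows/codeql-analysis.yml (added example; adjust to your repository)
name: "CodeQL"

on:
  push:
    branches: [main]          # assumption: default branch is "main"
  pull_request:
    branches: [main]          # scan every PR targeting the default branch
  schedule:
    - cron: '30 3 * * 1'      # weekly full scan, Monday 03:30 UTC, to catch newly added queries

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    # Least privilege: the job only needs to read the code and write results
    # to the Security tab (SARIF upload requires security-events: write).
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false          # a failure in one language must not cancel the others
      matrix:
        language: ['javascript', 'python']   # assumption: languages present in the repo

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3             # assumption: pin to the current major

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2    # assumption: current major at time of writing
        with:
          languages: ${{ matrix.language }}
          # Run the broader security-extended suite instead of only the defaults,
          # plus a repository-local custom query (hypothetical path).
          queries: security-extended, ./.github/codeql/custom-queries

      # Builds compiled languages automatically; harmless for interpreted ones.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
```

The `queries` input is where the 2,000-plus predefined queries and any custom CodeQL queries meet: the built-in suites are selected by name, and repository-owned queries are referenced by path. The explicit `permissions` block is worth keeping even where the default token would work, so the scanning job cannot be turned into a write path to the repository if a third-party action in the workflow is ever compromised.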
The feature appears to have been well received by GitHub users. Code Scanning has already performed more than 1.4 million scans on more than 12,000 repositories and identified over 20,000 vulnerabilities, including remote code execution (RCE), SQL injection and cross-site scripting (XSS) flaws. GitHub also says it has received 132 community contributions to CodeQL's open-sourced query sets since the feature launched in the spring.
Code Scanning has been available to beta testers since May and is now available to both free and paid users.