GitHub rolls out new Code Scanning security feature to all users

New Code Scanning feature will tell GitHub users when they've added known security flaws in their code
Written by Catalin Cimpanu, Contributor
Image: GitHub

Code-hosting website GitHub is rolling out today a new security feature named Code Scanning for all users, on both paid and free accounts.

GitHub says the new Code Scanning feature "helps prevent vulnerabilities from reaching production by analyzing every pull request, commit, and merge—recognizing vulnerable code as soon as it's created."

Once vulnerabilities are detected, Code Scanning works by prompting the developer to revise their code.

Under the hood, Code Scanning works on top of CodeQL, a technology that GitHub integrated into its platform after it acquired code-analysis platform Semmle in September 2019.

CodeQL stands for code query language and is a generic language that allows developers to write rules to detect different versions of the same security flaw across large codebases.

To configure Code Scanning, users must visit the "Security" tab of each of the repositories they want the feature to be enabled.

Image: GitHub

Here, developers will be prompted to enable the CodeQL queries they want GitHub to use to scan their source code.

To get users started on using Code Scanning, Gitub said its security team has put together more than 2,000 predefined CodeQL queries that users can enable for their repositories and automatically check for the most basic security flaws when submitting new code.

In addition, Code Scanning can also be extended via custom CodeQL templates written by repository owners or by plugging in third-party open-source or commercial static application security testing (SAST) solutions.

Code Scanning has been available to GitHub beta testers since May after the feature was initially announced at the GitHub Satellite conference.

Since then, GitHub says the feature has been used to perform more than 1.4 million scans on more than 12,000 repositories and has identified over 20,000 vulnerabilities, including remote code execution (RCE), SQL injection, and cross-site scripting (XSS) vulnerabilities.

Developers also appear to have warmly received the new feature, and GitHub says it already received 132 community contributions to CodeQL's open-sourced query sets since the feature launched in the spring.

What's in a name? These DevOps tools come with strange backstories

Editorial standards