GitHub has made its code scanning service generally available. Based on the CodeQL semantic code analysis technology acquired from Semmle, GitHub code scanning now can be enabled in users’ public repositories to discover security vulnerabilities in their code bases. The service also supports analysis using third-party tools.
GitHub code scanning is intended to run only actionable security rules by default, to help developers remain focused on the task at hand and not become overwhelmed with linting suggestions. The service integrates with the GitHub Actions CI/CD platform or a user’s other CI/CD environment. Code is scanned as it is created while actionable security reviews are surfaced within pull requests and other GitHub experiences. This process is intended to ensure that vulnerabilities never make it into production.
Developers can leverage the more than 2,000 queries created by GitHub and the community at large, or build custom queries to address new security concerns. GitHub code scanning was built on the SARIF standard and is extensible, so developers can include open source and commercial static application security testing solutions within the same GitHub-native experience. Third-party scanning engines can be integrated to view results from all of a developer’s security tools via a single interface. Multiple scan results can be exported through a single API.
GitHub code scanning is free for public repositories. For private repositories, the service is available for the fee-based GitHub Enterprise service through GitHub Advanced Security. Since the first beta of the service in May, GitHub said, GitHub code scanning has scanned 12,000 repositories 1.4 million times and found more than 20,000 security issues including remote code execution, SQL injection, and cross-site scripting vulnerabilities.