Code Scanning function for identification of vulnerabilities on GitHub is now available to everyone
GitHub developers announced the launch of a new Code Scanning function that allows scanning code for vulnerabilities.
Previously, the new product worked in test mode (since May 2020), but now it has become available to all users, both paid and free.
“The new feature helps preventing products from vulnerabilities by analyzing every pull request, commit and merge, recognizing vulnerable code as soon as it is created”, – says ZDNet with a link to the GitHub developers.
If vulnerabilities are found, the scanner will offer the developer to revise his code.
Code Scanning runs on top of CodeQL, a technology that GitHub has integrated into its platform since it acquired the Semmle analytics platform in September 2019. In essence, this will allow developers to create rules for detecting different versions of the same bug in large arrays of code.
Reference:
CodeQL stands for code query language and is a generic language that allows developers to write rules to detect different versions of the same security flaw across large codebases.
GitHub has already created 2,000 predefined CodeQL queries that users can use in their repositories and automatically check for the most basic vulnerabilities in new codes.
“In addition, the scanner can be extended with custom CodeQL templates written by repository owners, or by connecting third-party open source solutions or commercial SAST products”, – report GitHub developers.
You can enable the new feature in the Security tab.
According to GitHub, the new feature has already been used for more than 1.4 million scans of 12,000 repositories and helped to identify over 20,000 vulnerabilities, including remote code execution (RCE) vulnerabilities, SQL injection and cross-site scripting (XSS).
The developers also seem to have received the new feature well, and GitHub reports that since spring, since the launch of this feature, they have already received over 130 different community contributions to the open source CodeQL querysets.
Let me remind you that we recently talked about the fact that Comodo will open endpoint detection and response (EDR) product source code.