Thursday, June 8, 2023

Identifying Security flaws becomes Easier with the Latest GitHub Code


GitHub has added a "default setup" option to its code scanning feature. It lets developers enable CodeQL scanning on a repository with a few clicks, without writing a GitHub Actions workflow file, so security issues can be caught before they ship. According to GitHub, the repository is configured automatically with very little effort on the developer's part.

More information

GitHub's code scanning feature is powered by the CodeQL analysis engine, which supports a wide range of languages. Default setup, however, is presently available only for repositories written in JavaScript, Python and Ruby. Walker Chabbott of GitHub said that should change soon: the company plans to extend support to other languages by the summer.

How to scan?

To try the feature, open the repository's Settings, go to "Code security and analysis", click the "Set up" drop-down next to Code scanning and choose "Default". A configuration summary tailored to the repository's contents then appears automatically.

As long as "Enable CodeQL" is turned on, the feature scans the repository for flaws automatically; findings show up under the repository's Security tab as code scanning alerts. As BleepingComputer notes, the CodeQL analysis engine came to GitHub with its acquisition of Semmle in September 2019.


Beta test

Code scanning entered beta in May 2020 and was made generally available in September 2020. During the beta, it scanned more than 12,000 repositories 1.4 million times and surfaced more than 20,000 security issues, among them high-severity bugs such as SQL injection, remote code execution (RCE) and cross-site scripting (XSS).

Company speaks

Chabbott wrote in the blog post, “This includes the languages detected in the repository, the query packs that will be used, and the events that will trigger scans. In the future, these options will be customizable.”
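The three items Chabbott lists (languages, query packs, trigger events) are exactly what a hand-written CodeQL workflow has to spell out under GitHub's "advanced setup". The following workflow is an added example, not taken from the article or from GitHub's blog post; it assumes a repository containing JavaScript and Python code with a default branch named "main", and shows what default setup would otherwise choose for you.

```yaml
# Added example: manual CodeQL workflow ("advanced setup") equivalent to
# what default setup generates. Assumes JavaScript + Python code on "main".
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '30 2 * * 1'   # weekly run so alerts pick up newly added CodeQL queries

permissions:
  actions: read
  contents: read
  security-events: write   # needed to upload results as code scanning alerts

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [javascript, python]   # default setup detects these itself

    steps:
      - uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          # The default query suite is used when this is omitted;
          # "security-extended" adds lower-precision security queries.
          queries: security-extended

      # No-op for interpreted languages such as JavaScript and Python,
      # but required for compiled languages when you extend the matrix.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{ matrix.language }}"
```

Save it as `.github/workflows/codeql.yml`. Default setup and a committed workflow are alternatives rather than complements: switching a repository to advanced setup disables default setup, so pick one or the other to avoid duplicate alerts.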

Code scanning is free for public repositories. Private repositories can use it through GitHub Advanced Security, which is available with GitHub Enterprise.
