How to Scale End-to-End Observability in AWS Environments

GitHub launches code scanning to find vulnerabilities

Oct. 5, 2020, 1:56 p.m.

TL;DR

GitHub is officially releasing a new code scanning tool aimed at helping developers find bugs in their code before it is deployed to production.

Vulnerability Inline (Image courtesy: https://github.com/features/security)

Key Facts

1
Code scanning is a feature you use in a GitHub repository to review the software and identify security flaws and errors in code.
2
Developers can use code scanning to find, triage, and prioritize fixes for existing problems in their code.
3
Code scanning queries are open source so developers, maintainers, and security teams can build on existing queries or create their own.
4
To extend this feature and enable monitoring results from code scanning across repositories or organizations, developers can use the code scanning API.
5
You can use CodeQL, a semantic code analysis engine with code scanning. CodeQL treats code as data. According to Github, it enables developers to identify potential vulnerabilities in their code with more confidence than traditional static analyzers.

Details

Based on the CodeQL semantic code analysis technology acquired from Semmle, GitHub's code scan can now be enabled in users' public repositories to allow them to discover security flaws in their code bases. The service also takes care of the study of third-party resources.

According to the official announcement, code scanning is designed for developers; it runs only the actionable security rules by default so that one can stay focused on the task at hand.

Developers who want to integrate security in their CI/CD pipelines, shift-left security, and apply DevSecOps best practices can integrate code scanning with GitHub Actions.

Code scanning scans code as it’s created and surfaces actionable security reviews within pull requests and other GitHub experiences, automating security as a part of the software development workflow. This helps ensure vulnerabilities never make it to production in the first place.

Github states that developers and maintainers fixed 72% of reported security errors identified in their pull requests before merging in the last 30 days. Given industry data shows that less than 30% of all flaws are fixed one month after discovery.

GitHub had 132 community contributions to CodeQL’s open-sourced query set and has partnered with more than a dozen open source and commercial security vendors to allow developers to run CodeQL.

Code scanning is powered by CodeQL—the world’s most powerful code analysis engine. You can use the 2,000+ CodeQL queries created by GitHub and the community, or create custom queries to easily find and prevent new security concerns.
Justin Hutchings
Senior Product Manager - Security & Open Source Intelligence, Github