GitHub launches code scanning to find vulnerabilities


GitHub is officially releasing a new code scanning tool aimed at helping developers find bugs in their code before it is deployed to production.

Vulnerability Inline (Image courtesy:
Vulnerability Inline (Image courtesy:
Key Facts
  1. 1

    Code scanning is a feature you use in a GitHub repository to review the software and identify security flaws and errors in code.

  2. 2

    Developers can use code scanning to find, triage, and prioritize fixes for existing problems in their code.

  3. 3

    Code scanning queries are open source so developers, maintainers, and security teams can build on existing queries or create their own.

  4. 4

    To extend this feature and enable monitoring results from code scanning across repositories or organizations, developers can use the code scanning API.

  5. 5

    You can use CodeQL, a semantic code analysis engine with code scanning. CodeQL treats code as data. According to Github, it enables developers to identify potential vulnerabilities in their code with more confidence than traditional static analyzers.


Based on the CodeQL semantic code analysis technology acquired from Semmle, GitHub's code scan can now be enabled in users' public repositories to allow them to discover security flaws in their code bases. The service also takes care of the study of third-party resources.

According to the official announcement, code scanning is designed for developers; it runs only the actionable security rules by default so that one can stay focused on the task at hand.

Developers who want to integrate security in their CI/CD pipelines, shift-left security, and apply DevSecOps best practices can integrate code scanning with GitHub Actions.

Code scanning scans code as it’s created and surfaces actionable security reviews within pull requests and other GitHub experiences, automating security as a part of the software development workflow. This helps ensure vulnerabilities never make it to production in the first place.

Github states that developers and maintainers fixed 72% of reported security errors identified in their pull requests before merging in the last 30 days. Given industry data shows that less than 30% of all flaws are fixed one month after discovery.

GitHub had 132 community contributions to CodeQL’s open-sourced query set and has partnered with more than a dozen open source and commercial security vendors to allow developers to run CodeQL.

Code scanning is powered by CodeQL—the world’s most powerful code analysis engine. You can use the 2,000+ CodeQL queries created by GitHub and the community, or create custom queries to easily find and prevent new security concerns.
Justin Hutchings
Senior Product Manager - Security & Open Source Intelligence, Github

Get similar stories in your inbox weekly, for free

Is this news interesting? Share it with your followers

Latest stories

What You Should Know About Serverless Databases

Serverless databases are used by organizations that are either fully transitioned or are still transitioning …

200 Million Certificates in 24 Hours

Let's Encrypt has been providing free Certificate Authority (CA) for websites in need of them …

Gatling VS K6

Gatling and K6 are performance load testing tools, and they are both open source, easy …

Red Hat Ansible Platform 1 vs 2; What’s the Difference?

Red Hat Ansible is a platform used by enterprises to manage, unify and execute infrastructure …

Domino Data Labs Raised $100 Million in the Latest Funding Round

Culled from the news released by Domino Data labs on funding and the company's progress …

New Release: The Microsoft Azure Purview Is Now Available on General Availability

News report detailing the announcement of the release of Azure purview on GA