GitHub launches code scanning to find vulnerabilities
Oct. 5, 2020, 1:56 p.m. in DevSecOps
GitHub is officially releasing a new code scanning tool aimed at helping developers find bugs in their code before it is deployed to production.
Code scanning is a feature you use in a GitHub repository to review the software and identify security flaws and errors in code.
Developers can use code scanning to find, triage, and prioritize fixes for existing problems in their code.
Code scanning queries are open source so developers, maintainers, and security teams can build on existing queries or create their own.
To extend this feature and enable monitoring results from code scanning across repositories or organizations, developers can use the code scanning API.
You can use CodeQL, a semantic code analysis engine, with code scanning. CodeQL treats code as data. According to GitHub, it enables developers to identify potential vulnerabilities in their code with more confidence than traditional static analyzers.
Based on the CodeQL semantic code analysis technology acquired from Semmle, GitHub's code scanning can now be enabled in users' public repositories to allow them to discover security flaws in their code bases. The service also covers the analysis of third-party components.
According to the official announcement, code scanning is designed for developers; it runs only the actionable security rules by default so that one can stay focused on the task at hand.
Developers who want to integrate security in their CI/CD pipelines, shift-left security, and apply DevSecOps best practices can integrate code scanning with GitHub Actions.
Code scanning scans code as it’s created and surfaces actionable security reviews within pull requests and other GitHub experiences, automating security as a part of the software development workflow. This helps ensure vulnerabilities never make it to production in the first place.
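The integration described above can be expressed as a GitHub Actions workflow. The following is an added example, not a configuration from the original article or from GitHub; it assumes a JavaScript repository whose default branch is named `main`, and uses the current major versions of the `actions/checkout` and `github/codeql-action` actions.

```yaml
# Added example (not from the original article): a GitHub Actions workflow
# that runs CodeQL code scanning on pushes and pull requests to the default
# branch, so findings surface as pull-request annotations before merge.
# Assumptions: JavaScript code base, default branch "main".
name: CodeQL code scanning

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '30 3 * * 1'   # weekly run picks up newly published queries

permissions:
  contents: read
  security-events: write   # required to upload results to the Security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Initialise CodeQL. The default query suite is the actionable
      # security set the article refers to; "security-extended" opts into
      # the broader suite at the cost of more low-severity findings.
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
          queries: security-extended

      # No build step is needed for an interpreted language; a compiled
      # language would need an autobuild or explicit build step here.

      # Run the queries and upload the SARIF results. Alerts then appear
      # on the pull request and under the repository's Security tab.
      - uses: github/codeql-action/analyze@v3
```

Save the file under `.github/workflows/` in the repository; the `security-events: write` permission is what lets the analyze step publish alerts into the code scanning results.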
GitHub states that, in the last 30 days, developers and maintainers fixed 72% of the security errors identified in their pull requests before merging, whereas industry data shows that less than 30% of all flaws are fixed one month after discovery.
GitHub had 132 community contributions to CodeQL’s open-sourced query set and has partnered with more than a dozen open source and commercial security vendors to allow developers to run CodeQL.
"Code scanning is powered by CodeQL—the world's most powerful code analysis engine. You can use the 2,000+ CodeQL queries created by GitHub and the community, or create custom queries to easily find and prevent new security concerns."
Justin Hutchings, Senior Product Manager - Security & Open Source Intelligence, GitHub