GitHub launches code scanning to find vulnerabilities


GitHub is officially releasing a new code scanning tool aimed at helping developers find bugs in their code before it is deployed to production.

Vulnerability Inline (Image courtesy:
Vulnerability Inline (Image courtesy:
Key Facts
  1. 1

    Code scanning is a feature you use in a GitHub repository to review the software and identify security flaws and errors in code.

  2. 2

    Developers can use code scanning to find, triage, and prioritize fixes for existing problems in their code.

  3. 3

    Code scanning queries are open source so developers, maintainers, and security teams can build on existing queries or create their own.

  4. 4

    To extend this feature and enable monitoring results from code scanning across repositories or organizations, developers can use the code scanning API.

  5. 5

    You can use CodeQL, a semantic code analysis engine with code scanning. CodeQL treats code as data. According to Github, it enables developers to identify potential vulnerabilities in their code with more confidence than traditional static analyzers.


Based on the CodeQL semantic code analysis technology acquired from Semmle, GitHub's code scan can now be enabled in users' public repositories to allow them to discover security flaws in their code bases. The service also takes care of the study of third-party resources.

According to the official announcement, code scanning is designed for developers; it runs only the actionable security rules by default so that one can stay focused on the task at hand.

Developers who want to integrate security in their CI/CD pipelines, shift-left security, and apply DevSecOps best practices can integrate code scanning with GitHub Actions.

Code scanning scans code as it’s created and surfaces actionable security reviews within pull requests and other GitHub experiences, automating security as a part of the software development workflow. This helps ensure vulnerabilities never make it to production in the first place.

Github states that developers and maintainers fixed 72% of reported security errors identified in their pull requests before merging in the last 30 days. Given industry data shows that less than 30% of all flaws are fixed one month after discovery.

GitHub had 132 community contributions to CodeQL’s open-sourced query set and has partnered with more than a dozen open source and commercial security vendors to allow developers to run CodeQL.

Code scanning is powered by CodeQL—the world’s most powerful code analysis engine. You can use the 2,000+ CodeQL queries created by GitHub and the community, or create custom queries to easily find and prevent new security concerns.
Justin Hutchings
Senior Product Manager - Security & Open Source Intelligence, Github

Get similar news in your inbox weekly, for free

Share this news:

Latest stories

How ManageEngine Applications Manager Can Help Overcome Challenges In Kubernetes Monitoring

We tested ManageEngine Applications Manager to monitor different Kubernetes clusters. This post shares our review …

AIOps with Site24x7: Maximizing Efficiency at an Affordable Cost

In this post we'll dive deep into integrating AIOps in your business suing Site24x7 to …

A Review of Zoho ManageEngine

Zoho Corp., formerly known as AdventNet Inc., has established itself as a major player in …

Should I learn Java in 2023? A Practical Guide

Java is one of the most widely used programming languages in the world. It has …

The fastest way to ramp up on DevOps

You probably have been thinking of moving to DevOps or learning DevOps as a beginner. …

Why You Need a Blockchain Node Provider

In this article, we briefly cover the concept of blockchain nodes provider and explain why …

Top 5 Virtual desktop Provides in 2022

Here are the top 5 virtual desktop providers who offer a range of benefits such …