eCommerceNews New Zealand - Technology news for digital commerce decision-makers
New Zealand
Guides
#
business intelligence
#
commerce systems
#
customer data platforms
#
marketing technologies
#
payment gateways
Search
Story image
#
App development
#
APM
#
Application Security
GitHub's code vulnerability scanning tool now generally available
Fri, 16th Oct 2020
FYI, this story is more than a year old
By Staff Writer
Follow us

GitHub has recently rolled out code scanning to help developers detect and prevent vulnerabilities from popping up in their open source and enterprise code.

Code scanning, which was released from beta to general availability in early October, aims to automate security directly into the developer workflow, furthering 'security by design' approach to applications and coding.

GitHub adds that more than half of breaches are caused by vulnerabilities in application code - and many of these vulnerabilities are recurring patterns.

Since GitHub introduced code scanning capabilities in May, users have scanned more than 12,000 repositories upwards of 1.4 million times. These scans uncovered more than 20,000 security issues, many of which related to RCE and XSS issues. 
In the last 30 days, users fixed 72% of reported security errors that were identified in their pull requests.

CodeQL is a code analysis engine that contains more than 2000 queries created by users and GitHub itself. CodeQL is also what powers the code scanning tool.

The company also states that it has received 132 community contributions towards CodeQL's open sourced query set.

According to GitHub, code scanning integrates with GitHub Actions or CI/CD to improve flexibility.

“It scans code as it's created and surfaces actionable security reviews within pull requests and other GitHub experiences you use every day, automating security as a part of your workflow. This helps ensure vulnerabilities never make it to production in the first place,” the company states.

The company also states that it has partnered with more than 12 open source and commercial security vendors to allow developers to run CodeQL and solutions for SAST, container scanning, and infrastructure as code validation side-by-side in GitHub's native code scanning experience.

“Built on the open SARIF standard, code scanning is extensible so you can include open source and commercial static application security testing (SAST) solutions within the same GitHub-native experience you love. You can integrate third-party scanning engines to view results from all your security tools in a single interface and also export multiple scan results through a single API.

“For those interested in helping to secure the open source ecosystem, we also invite you to contribute to the growing list of CodeQL queries and become part of our growing security community.

The company will release more information about extensibility capabilities and partner ecosystem soon.

Public repositories can use GitHub's code scanner for free.  Private repositories can use GitHub's code scanner through the GitHub Enterprise through Advanced Security.

Related stories
GitHub boosts security & power with new Actions enhancements
AI foundries & digital factories will change humankind, NVIDIA CEO says
Navigating the tumultuous waves of Oracle Java pricing and licensing changes
STX Next unveils AI-powered development tool DEEP Next
OutSystems unveils Data Fabric to boost developer prowess & agility
Top stories
Sapro-Tech forms strategic partnership with top NZ fashion firms
TeamViewer & Deloitte partner to advance vision picking in warehouses
Qvest unveils AI adoption strategies in top media companies at NAB
Exclusive: How Fluent Commerce is shaking up the OMS industry
Wolt expands tailored ad service to aid partner growth