Developers: GitHub
Release date: October 2020
Industry: Information technology
Technology: Application development tools
2020: GitHub announces GitHub Code Scanning, an automatic vulnerability scanner for software developers
In early October 2020, GitHub launched a new feature called GitHub Code Scanning that automatically finds vulnerabilities in software developers' projects. The addition not only makes GitHub's feature set more competitive but could also improve the security of the open-source ecosystem as a whole.
The new vulnerability scanner is based on the CodeQL tool, which GitHub obtained in 2019 through the acquisition of a startup. CodeQL lets developers write an abstract description of a security concern and then scan their projects for code that matches that description. CodeQL runs its scans without human involvement, which makes it possible to analyze large codebases much faster than a manual review would.
Developers have access to 2,000 CodeQL scanning templates. Errors found in a project are shown in the GitHub interface, so developers can see how exposed their code is to hackers before publishing it. In addition, CodeQL can be integrated with automation tools that prevent vulnerable code from being added to internal software repositories.
GitHub plans to expand the initial feature set over time. GitHub product manager Justin Hutchings said that developers will be able to extend the default set of CodeQL scanning templates by writing their own queries. In addition, the Microsoft division is preparing integrations with vulnerability-scanning products from other companies in order to reveal a broader range of security concerns in users' code.[1]
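To show what "an abstract description of a security concern" looks like in practice, and what writing one's own query on top of the default templates involves, here is an added example of a custom CodeQL query. It is not from the article and not one of GitHub's own queries; the query name, the `@id`, and the choice of JavaScript `eval()` with a non-literal argument as the pattern to flag are my own assumptions, chosen only to illustrate the query structure.

```ql
/**
 * @name Call to eval with a non-literal argument
 * @description Flags calls to the JavaScript built-in eval() whose first
 *              argument is not a string literal, because a string built at
 *              run time and passed to eval may carry untrusted input.
 * @kind problem
 * @problem.severity warning
 * @id example/eval-non-literal-argument
 * @tags security
 */

// Standard CodeQL library for JavaScript code bases
import javascript

// Consider every call expression in the analyzed project
from CallExpr call
where
  // the callee is the global eval function ...
  call.getCalleeName() = "eval" and
  // ... and its first argument is anything other than a plain string literal
  not call.getArgument(0) instanceof StringLiteral
// A @kind problem query selects the offending element plus a message;
// each row becomes one alert in the Code Scanning interface.
select call, "Call to eval() with a non-literal argument; review where this string comes from."
```

Saved as a `.ql` file inside a directory that carries a `qlpack.yml`, a query like this can be run with the CodeQL CLI against a database built from the project, or added to the default suite through the `queries` input of the `github/codeql-action/init` step in a GitHub Actions workflow. In the latter case it runs on every push or pull request and its alerts appear alongside those of the built-in templates, which is the "automation that keeps vulnerable code out of the repository" the article refers to.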