GitHub has officially released a new code scanning tool. It is designed to help developers find bugs in their code before it goes live. The new functionality is the product of last year's acquisition, when GitHub acquired the Semmle Code Analysis Platform, located in San Francisco. At the time of the acquisition, the Microsoft-owned code-hosting platform also announced that Semmle's CodeQL research engine would be available natively across both open source and enterprise repositories.
GitHub Code Scanning
GitHub Code Scanning is a feature that examines the code in your GitHub repository to identify security vulnerabilities and coding errors. Any problems found in the code are shown in GitHub. You can also use the scan results to sort, locate, and prioritize fixes for existing issues in your code.
Code scanning also stops developers from introducing new problems. You can schedule scans for particular days and times, or you can trigger a scan when a particular event happens in the repository, such as a push. If code scanning detects a possible flaw or mistake in your code, GitHub shows an alert in the repository. After you have patched the code that caused the alert, GitHub closes it. You can use the code scanning API to track the results of scanning across your repositories or your organization.
Developer-First Code Scanning Tool
GitHub Code Scanning is a developer-first, GitHub-native method for quickly detecting security vulnerabilities and keeping them visible until they are resolved. Code scanning was built for developers first: instead of flooding you with linting recommendations, it runs only the actionable security rules by default, so that you can remain focused on the job at hand. It integrates with GitHub Actions or your existing CI/CD environment to give the team maximum flexibility. It scans code as it is written and surfaces actionable security findings inside pull requests and the other GitHub experiences you use as part of your workflow every day, automating protection. This helps to ensure that bugs never reach production in the first place. You can use the 2,000+ CodeQL queries developed by GitHub and the community.
Enable Code scanning for public and private repositories
- Code scanning for public repositories is free of charge.
- For private repositories, it is available from GitHub Enterprise via Advanced Protection.
- For those interested in helping to protect the open-source ecosystem, GitHub also invites you to contribute to the growing list of CodeQL queries and become part of its security community.
Enable code scanning for a repository using GitHub Actions
To enable code scanning for your project's repository:
- Go to the repository main page on GitHub.
- Click Security under your repository name.
- Press Set up code scanning to the right of Code scanning.
- Click Set up this workflow on the CodeQL analysis workflow or on a third-party workflow to start code scanning.
- Edit the workflow to configure how the code is scanned.
- Use the Start commit drop-down and enter a commit message.
- Choose if you want to commit directly to the default branch, or build a new branch and launch a pull request.
- Select Start a new file or Suggest a new file.
You can also enable code scanning from your own CI (Continuous Integration) system.
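The workflow file that step 5 ("Edit the workflow") asks you to review is a regular GitHub Actions workflow. The following is an added example, not a file from the article or from GitHub itself. It assumes the workflow is saved as .github/workflows/codeql-analysis.yml in a repository whose default branch is main and which contains JavaScript and Python code (the language list is an assumption; adjust it to your project). It uses the published github/codeql-action steps and wires up all three triggers mentioned above: a push, a pull request, and a scheduled run.

```yaml
name: "CodeQL code scanning"

on:
  push:
    branches: [ main ]          # scan every push to the default branch
  pull_request:
    branches: [ main ]          # surface findings inside pull requests
  schedule:
    # Also run a full scan every Monday at 06:00 UTC, independent of pushes.
    - cron: '0 6 * * 1'

permissions:
  contents: read
  security-events: write        # required to upload alerts to the Security tab

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # Assumption: the repository contains JavaScript and Python code.
        language: [ 'javascript', 'python' ]
    steps:
      - name: Check out the repository
        uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          # Run the default security queries plus the broader security-extended
          # suite; remove this line to keep only the default query set.
          queries: security-extended

      # Builds compiled languages automatically; a no-op for interpreted ones.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{ matrix.language }}"
```

Commit the file directly to the default branch or open a pull request with it, as step 7 describes. Each trigger runs the workflow, and any findings appear as alerts under the repository's Security tab; once the offending code is fixed and scanned again, the corresponding alert is closed automatically.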
View the Scan Logs
After you enable code scanning for your repository, you can watch the workflow's actions as they run.
- Click Actions under your repository name.
- Click the entry for the code scanning workflow.
- Select the job name on the left.
- Review the logging output from the actions in this workflow as they run.
- When all the jobs complete, you will see the details of any code scanning alerts that were found.
Code Scanning to defend against Security Breaches
It is estimated that nearly 60% of security breaches involve unpatched vulnerabilities. Fixing a vulnerability takes considerable time, from identifying it, through reporting it, to shipping the fix. Once the bug is fixed, the vendor warns users to apply the patch or upgrade to the latest version. But it still requires someone to identify the bug in the first place, either by manually reviewing the code and its attached libraries or through penetration testing, which may take months.
GitHub's latest code scanning feature is a static application security testing (SAST) tool that works by translating code into a queryable format and then searching it for vulnerability patterns. It automatically detects bugs and errors in changes in real time, flagging them to the developers before the code goes live in production.
According to DarkReading, on average only 15% of bugs are patched within one week of detection, 30% within a month, and 45% within 3 months of detection. So far, GitHub has scanned more than 12,000 repositories, more than 1.4 million times, during the beta phase, uncovering 20,000+ vulnerabilities in the process.
Conclusion
Code scanning has been available to GitHub beta testers since May, when it was first revealed publicly at the GitHub Satellite conference. Since then, GitHub claims that the feature has been used to conduct more than 1.4 million scans on more than 12,000 repositories. Over 20,000 vulnerabilities were identified, including remote code execution (RCE), SQL injection, and cross-site scripting (XSS) vulnerabilities.
GitHub's latest code scanning feature goes some way toward freeing up security researchers to concentrate on other mission-critical vulnerabilities. Many vulnerabilities share similar attributes at their source. GitHub now aims to automatically identify all combinations of these errors, allowing security researchers to check for entirely new groups of vulnerabilities. Moreover, it does so as a native tool set baked directly into GitHub.