GitHub has announced the launch of Code Scanning, a new feature that scans repository code for vulnerabilities. The product had been running in beta since May 2020; it is now generally available to all users, both paid and free (scanning is free for public repositories). The feature is switched on from a repository's Security tab.
GitHub says the new feature "helps prevent vulnerabilities from entering production by analyzing every pull request, commit, and merge, recognizing vulnerable code as soon as it is created." If a vulnerability is found, the scanner flags it and prompts the developer to revise the code before it is merged.
Code Scanning is built on CodeQL, the semantic code analysis engine that GitHub integrated into its platform after acquiring Semmle in September 2019. CodeQL treats code as data: a developer writes a query that describes a bug pattern once, and the engine then finds every variant of that bug across large code bases.
GitHub has already created more than 2,000 predefined CodeQL queries that users can run against their repositories to automatically check new code for the most common classes of vulnerability. The scanner can also be extended with custom CodeQL queries written by repository owners, or with third-party open source and commercial SAST tools, whose results are imported into the same alert view in the SARIF format.
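To show how the pieces described above fit together in practice, here is a GitHub Actions workflow that runs CodeQL on every push and pull request, adds GitHub's wider security-extended query suite plus a directory of custom queries, and in a second job uploads the SARIF output of some other SAST tool. This is an added example, not code from GitHub's announcement; the repository language (Python), the branch name, the custom-query directory and the `./scripts/run-scanner.sh` placeholder are assumptions.

```yaml
# .github/workflows/codeql.yml (assumed filename; any name under .github/workflows works)
name: "Code scanning"

on:
  push:
    branches: [ main ]          # assumed default branch
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '30 4 * * 1'        # weekly re-scan so newly published queries reach old code

jobs:
  codeql:
    name: CodeQL analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write    # required to write alerts into the Security tab
    steps:
      - uses: actions/checkout@v2

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          # Assumed: a Python project. Compiled languages need a build
          # (or the autobuild action) between init and analyze.
          languages: python
          # The leading "+" keeps the default security queries and adds the
          # security-extended suite plus queries from a directory in the repo
          # (assumed path; that directory must carry its own qlpack.yml).
          queries: +security-extended,./.github/codeql/custom-queries

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v1

  third-party-sast:
    name: Import results from another SAST tool
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v2

      # Assumed placeholder: any scanner that emits SARIF 2.1.0 can be run here.
      - name: Run third-party scanner
        run: ./scripts/run-scanner.sh --output results.sarif

      # Code scanning ingests SARIF from any tool; alerts appear beside CodeQL's.
      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif
          category: third-party-sast   # keeps these alerts distinct from CodeQL's
```

Two practical checks before relying on this: confirm that the `security-events: write` permission is granted (without it the upload step fails silently from the reviewer's point of view, since no alert ever appears), and remember that for private repositories the Security tab only shows code scanning alerts when GitHub Advanced Security is enabled for that repository.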
According to GitHub, the feature has already been used for more than 1.4 million scans across 12,000 repositories and has identified more than 20,000 security issues, including remote code execution (RCE), SQL injection and cross-site scripting (XSS) vulnerabilities.