GitHub Code Scanning Is out of Beta
Oct 02, 2020 1 min read
One year ago GitHub announced the acquisition of Semmle, maker of a semantic code analysis engine powered by the Semmle QL query language. After a few months in beta, GitHub is now announcing the availability of its new CodeQL-based code scanning capability for all public and private repos.
You can use code scanning to find, triage, and prioritize fixes for existing problems in your code. Code scanning also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.
According to industry data cited by GitHub, fewer than 30% of security issues are fixed within one month of their discovery. GitHub code scanning aims to identify vulnerabilities as early as possible in the development cycle and to prevent them from reaching production. Those include security issues such as remote code execution (RCE), SQL injection, and cross-site scripting (XSS) vulnerabilities.
CodeQL provides over 2,000 ready-to-use queries and allows you to define custom queries to extend its capacity to detect new security concerns. The set of queries supported by CodeQL is itself open source and has received 132 contributions from the community during the beta. CodeQL supports both compiled and interpreted languages, including C/C++, C#, Go, Java, JavaScript/TypeScript, and Python.
Code scanning is integrated with GitHub Actions and supports the open SARIF standard, an interoperability standard for detecting software defects and vulnerabilities. SARIF defines a common input and output format for code analysis tools aimed at enabling their mutual integration. For example, SARIF makes it possible to combine and compare results produced by multiple tools.
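As an added illustration of the SARIF interoperability point above (and of the "find, triage, and prioritize" use case mentioned earlier), the script below is example code written for this article, not GitHub's or CodeQL's own tooling. It merges two constructed SARIF 2.1.0 logs from two hypothetical tools ("tool-a" and "tool-b"; their rule ids are made up), groups findings that land on the same file and line, and ranks locations by the highest reported severity and by how many tools agree. It assumes the rule-level `security-severity` property that GitHub reads for a CVSS-style score; everything else is plain SARIF 2.1.0 structure.

```python
"""Merge and compare SARIF 2.1.0 results from two code-analysis tools."""
import json
from collections import defaultdict

# Constructed sample logs (not real tool output). Tool names and rule ids are
# illustrative. Both follow the SARIF 2.1.0 shape that GitHub code scanning
# ingests; "security-severity" is the rule property GitHub reads for a score.
SARIF_TOOL_A = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "tool-a", "rules": [
            {"id": "a/sql-injection", "properties": {"security-severity": "8.8"}},
            {"id": "a/xss", "properties": {"security-severity": "6.1"}},
        ]}},
        "results": [
            {"ruleId": "a/sql-injection", "level": "error",
             "message": {"text": "Query built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "a/xss", "level": "warning",
             "message": {"text": "Unescaped output"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/views.py"},
                 "region": {"startLine": 17}}}]},
        ],
    }],
})

SARIF_TOOL_B = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "tool-b", "rules": [
            {"id": "B101", "properties": {"security-severity": "9.0"}},
            {"id": "B202", "properties": {"security-severity": "3.0"}},
        ]}},
        "results": [
            {"ruleId": "B101", "level": "error",
             "message": {"text": "SQL string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "B202", "level": "note",
             "message": {"text": "Hard-coded temp path"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.py"},
                 "region": {"startLine": 5}}}]},
        ],
    }],
})


def parse_findings(sarif_text):
    """Flatten one SARIF log into dicts carrying tool, rule, file and line."""
    log = json.loads(sarif_text)
    if log.get("version") != "2.1.0":
        raise ValueError("unsupported SARIF version")
    found = []
    for run in log["runs"]:
        driver = run["tool"]["driver"]
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res["ruleId"], {})
            # Missing score defaults to 0 so unscored rules sort last.
            score = float(rule.get("properties", {}).get("security-severity", 0))
            for loc in res.get("locations", []):
                phys = loc["physicalLocation"]
                found.append({
                    "tool": driver["name"],
                    "rule": res["ruleId"],
                    "level": res.get("level", "warning"),
                    "severity": score,
                    "uri": phys["artifactLocation"]["uri"],
                    "line": phys["region"]["startLine"],
                    "message": res["message"]["text"],
                })
    return found


def merge_by_location(*sarif_texts):
    """Combine several logs; group findings that hit the same file and line."""
    groups = defaultdict(list)
    for text in sarif_texts:
        for f in parse_findings(text):
            groups[(f["uri"], f["line"])].append(f)
    return groups


def prioritize(groups):
    """Rank locations: highest reported severity first, then tool agreement."""
    ranked = []
    for (uri, line), fs in groups.items():
        ranked.append({
            "uri": uri,
            "line": line,
            "max_severity": max(f["severity"] for f in fs),
            "tools": sorted({f["tool"] for f in fs}),
            "rules": sorted(f["rule"] for f in fs),
        })
    ranked.sort(key=lambda r: (-r["max_severity"], -len(r["tools"]), r["uri"], r["line"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(merge_by_location(SARIF_TOOL_A, SARIF_TOOL_B)):
        print(f"{row['uri']}:{row['line']}  sev={row['max_severity']}  tools={row['tools']}")
```

Grouping by location rather than by rule id is the deliberate choice here: rule ids are tool-specific, so a file-and-line key is the only thing two independent tools reliably share, and a location flagged by more than one tool is a reasonable signal that the finding is less likely to be a false positive.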
According to GitHub, since its introduction as a beta last May, GitHub code scanning has been widely adopted by the community, with over 12,000 repositories scanned and more than 20,000 security issues identified.
Developers and maintainers fixed 72% of reported security errors identified in their pull requests before merging in the last 30 days.
GitHub's announcement brought up an interesting conversation on Hacker News about the developer fatigue that false positives generated by code analysis tools can cause. Reportedly, though, GitHub code scanning should be able to mitigate this problem because its rule set is fully configurable.