GitHub now lets developers scan their code with a "default setup" for repositories, which should help them catch security issues before they escalate.
With this new feature, GitHub says, developers will be able to configure code scanning for a repository automatically and with as little effort as possible.
GitHub's code scanning is powered by its CodeQL engine, and while the engine supports a variety of compilers, the default setup is only available for Python, JavaScript, and Ruby so far. That should change soon, said GitHub's Walker Chabbott, as the company now looks to expand support to more languages by the summer.
Simplification of troubleshooting
Those interested in testing the new feature should open their repository's settings, navigate to "Code security and analysis" and click the "Set up" dropdown menu. There they will find the "Default" option.
“If you click ‘Default,’ you’ll automatically see a customized configuration summary based on what’s in the repository,” Chabbott said in the blog post. “This includes the languages detected in the repository, the query packages used, and the events that trigger scans. In the future, these options will be customizable.”
Once "Enable CodeQL" is clicked, the feature will automatically start scanning the repository for vulnerabilities.
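For readers who want to see what the default setup configures behind the scenes, here is an added example (not from the article or from GitHub's own documentation) of the equivalent explicit GitHub Actions workflow, spelling out the three elements the configuration summary lists: the languages, the query pack, and the events that trigger scans. The branch name, cron schedule and the `security-extended` query suite are illustrative assumptions.

```yaml
# Added example: an explicit CodeQL code-scanning workflow equivalent to
# what the "default setup" generates. Not from the article; branch name,
# schedule and query suite below are assumed values.
name: "CodeQL"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "30 5 * * 1"   # weekly scan, Mondays 05:30 UTC (assumed)

permissions:
  contents: read
  security-events: write   # needed to upload results to the Security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # The three languages the article says default setup supports today
        language: [ "python", "javascript", "ruby" ]
    steps:
      - uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          # "security-extended" widens the default query pack;
          # omit this line to keep the default suite.
          queries: security-extended

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{ matrix.language }}"
```

Results land as alerts under the repository's Security tab, the same place the default setup reports to, so switching between the two later does not lose the alert history.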
The CodeQL code analysis engine, BleepingComputer recalled, was added to the GitHub platform in September 2019 after GitHub acquired it.
After a year of beta testing, general availability was announced in September 2020. During the beta phase, the tool scanned more than 12,000 repositories 1.4 million times and found more than 20,000 vulnerabilities. Some of these were of high severity, including remote code execution (RCE), SQL injection, and cross-site scripting (XSS).
Code scanning is free for everyone, the publication added, noting that enterprise users can also get it through GitHub Advanced Security for GitHub Enterprise.
Via: BleepingComputer