GitHub code scanning is a developer-first, GitHub-native way to find security vulnerabilities before they reach production. GitHub has announced the general availability of code scanning, and users can enable it on their public repositories.
One year ago, GitHub acquired Semmle. Since then, the company has worked to bring the code analysis capabilities of Semmle's CodeQL technology to GitHub users as a native capability. At GitHub Satellite in May, the first beta of that native integration, code scanning, was introduced. Thousands of developers in the community tested it and gave feedback, and now the company has announced that code scanning is generally available.
Code scanning to prevent security issues in code
Code scanning is designed for developers first. Instead of overwhelming users with linting suggestions, code scanning runs only actionable security rules by default, so that developers can stay focused on the task at hand.
Code scanning integrates with GitHub Actions or with a team's existing CI/CD environment to maximize flexibility. It scans code as it is written and surfaces actionable security findings within pull requests and the other GitHub experiences developers use every day, making security part of the normal workflow. Findings on a pull request are annotations on the changed lines; to stop a pull request with new findings from being merged, the code scanning check has to be made a required status check in the repository's branch protection rules. Used that way, it helps keep vulnerabilities from reaching production in the first place.
Code scanning is powered by CodeQL, GitHub's semantic code analysis engine, which GitHub describes as the world's most powerful. Users can run the 2,000+ CodeQL queries created by GitHub and the community, or write custom queries to find and prevent new security concerns.
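As an added example (not from the article or from GitHub's own documentation), the workflow below shows how the GitHub Actions integration and the custom-query support described above fit together. It runs CodeQL on every pull request and on pushes to the default branch, uses the `security-extended` query suite (a superset of the default security queries) plus any custom `.ql` files kept in the repository, and uploads the results to code scanning. The language (`javascript`), the branch name (`main`), the directory for custom queries and the action version tags are assumptions to adjust for your project; check the action's README for the current major version.

```yaml
# .github/workflows/codeql-analysis.yml
# Added example workflow, not code from the article. Runs CodeQL code scanning
# on pushes to the default branch and on every pull request, so findings show
# up as pull request annotations before merge.
name: "CodeQL"

on:
  push:
    branches: [ main ]        # assumed default branch name
  pull_request:
    branches: [ main ]

# Least privilege: the job only needs to read the repository and upload
# code scanning results; no other write scopes are granted to the token.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      # Set up CodeQL. "javascript" is an assumed language for the project;
      # the init action accepts a comma-separated list for multi-language repos.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: javascript
          # Run the security-extended suite (which includes the default
          # security queries) plus custom queries from an assumed directory
          # in this repository. Entries are comma-separated.
          queries: security-extended,./.github/codeql/custom-queries

      # For compiled languages autobuild tries to build the project so the
      # CodeQL database captures the code; for JavaScript it is a no-op.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      # Runs the selected queries and uploads the SARIF results to the
      # code scanning API, where they appear in the Security tab and on PRs.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
```

To make the scan gate merges, add the "CodeQL" check to the required status checks in branch protection; without that, findings are visible on the pull request but do not block it. The `permissions` block is worth keeping even though the default token would also work: it is the scope the upload step actually needs and nothing more.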
72% of reported flaws fixed before merge
Since introducing the beta in May, the company has seen strong adoption within the community. Code scanning has scanned over 12,000 repositories 1.4 million times and found more than 20,000 security issues, including remote code execution (RCE), SQL injection, and cross-site scripting (XSS) vulnerabilities.
In the last 30 days, developers and maintainers fixed 72% of the security errors reported in their pull requests before merging. GitHub contrasts this with industry data showing that less than 30% of all flaws are fixed within a month of discovery.
GitHub has received 132 community contributions to CodeQL's open-source query set. It has also partnered with more than a dozen open source and commercial security vendors so that developers can run CodeQL and industry-leading solutions for SAST, container scanning, and infrastructure-as-code validation side by side in GitHub's native code scanning experience; third-party tools feed their results into the same interface by uploading SARIF files.
Code scanning for public and private repositories
Code scanning is free for public repositories. For private repositories, code scanning is available to GitHub Enterprise customers through GitHub Advanced Security.
GitHub also invites those interested in helping to secure the open source ecosystem to contribute to the growing list of CodeQL queries and become part of its security community.