
GitHub Code Scanning Is out of Beta


One year ago GitHub announced the acquisition of Semmle, maker of a semantic code analysis engine powered by the Semmle QL query language. After a few months in beta, GitHub is now announcing general availability of its CodeQL-based code scanning feature: free for public repositories and, through GitHub Advanced Security, available for private ones.

Code scanning can be used to find, triage, and prioritize fixes for existing problems in your code, and to keep new ones out by flagging them in pull requests before they are merged. Scans can run on a schedule (specific days and times) or be triggered by a repository event, such as a push or a pull request.

Citing industry data, GitHub says that less than 30% of security issues are fixed within one month of their discovery. Code scanning aims to identify vulnerabilities as early as possible in the development cycle and to prevent them from reaching production. These include security issues such as remote code execution (RCE), SQL injection, and cross-site scripting (XSS).

CodeQL ships with over 2,000 ready-to-use queries and lets you write custom queries to extend its ability to detect new classes of security concerns. The query set is itself open source and received 132 community contributions during the beta. CodeQL supports both compiled and interpreted languages, including C/C++, C#, Go, Java, JavaScript/TypeScript, and Python.

Code scanning is integrated with GitHub Actions and supports SARIF (Static Analysis Results Interchange Format), an OASIS standard that defines a common output format for static analysis tools so that other tooling can consume their results. Because the format is tool-agnostic, results produced by different scanners can be combined and compared, which is what lets findings from tools other than CodeQL be uploaded alongside its own.
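As an added example (not code from the article or from GitHub), the following Python consumer shows what SARIF interoperability buys you in practice: it reads a constructed SARIF 2.1.0 document containing two runs from different tools, normalizes every result into one record type, resolves severity from the rule's default configuration when a result omits it, and merges findings that land on the same file and line so a bug flagged by both tools is counted once and surfaced as corroborated. The second tool's name ("OtherLinter"), its rule ids, and the file paths are made up for the sample.

```python
"""Minimal SARIF 2.1.0 consumer.

Added example, not from the article or from GitHub. Reads a SARIF document with
runs from several tools, flattens every result into one record, and merges
results that point at the same file and line. SAMPLE_SARIF is a constructed
document; "OtherLinter" and its rule ids are made up for illustration.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _result(rule_id: str, uri: str, line: int, text: str,
            level: Optional[str] = None) -> dict:
    """Build one SARIF result object for the constructed sample."""
    res = {"ruleId": rule_id, "message": {"text": text},
           "locations": [{"physicalLocation": {
               "artifactLocation": {"uri": uri},
               "region": {"startLine": line}}}]}
    if level:
        res["level"] = level
    return res


# Constructed sample: one CodeQL run and one run from a hypothetical second tool.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "CodeQL", "rules": [
             {"id": "js/sql-injection", "defaultConfiguration": {"level": "error"}},
             {"id": "js/unused-local-variable", "defaultConfiguration": {"level": "note"}}]}},
         "results": [
             # no explicit level: severity must come from the rule's default
             _result("js/sql-injection", "src/db.js", 42, "Query built from user input."),
             _result("js/unused-local-variable", "src/util.js", 7, "Unused variable tmp.", "note")]},
        {"tool": {"driver": {"name": "OtherLinter", "rules": []}},
         "results": [
             _result("SQLI-001", "src/db.js", 42, "Possible SQL injection.", "warning"),
             _result("XSS-002", "src/render.js", 15, "Unescaped output.", "error")]},
    ],
})

Location = Tuple[str, int]


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    level: str      # SARIF "level": none | note | warning | error
    uri: str
    line: int
    message: str


def load_findings(sarif_text: str) -> List[Finding]:
    """Flatten every result in every run into a tool-agnostic Finding."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version {doc.get('version')!r}")
    findings: List[Finding] = []
    for run in doc.get("runs", []):
        driver = run["tool"]["driver"]
        # A result may omit "level"; SARIF then falls back to the rule's
        # defaultConfiguration, and to "warning" if that is absent too.
        defaults = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                    for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "")
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                tool=driver["name"],
                rule_id=rule_id,
                level=res.get("level") or defaults.get(rule_id, "warning"),
                uri=phys.get("artifactLocation", {}).get("uri", ""),
                line=int(phys.get("region", {}).get("startLine", 0)),
                message=res.get("message", {}).get("text", ""),
            ))
    return findings


def merge_by_location(findings: List[Finding]) -> Dict[Location, List[Finding]]:
    """Group findings by (file, line) so one bug reported by two tools counts once."""
    merged: Dict[Location, List[Finding]] = {}
    for f in findings:
        merged.setdefault((f.uri, f.line), []).append(f)
    return merged


def triage(sarif_text: str) -> dict:
    """Summarize a SARIF file: error-level locations, plus those flagged by several tools."""
    findings = load_findings(sarif_text)
    merged = merge_by_location(findings)
    return {
        "total_results": len(findings),
        "unique_locations": len(merged),
        "error_locations": sorted(loc for loc, fs in merged.items()
                                  if any(f.level == "error" for f in fs)),
        # Reported by more than one distinct tool at the same spot.
        "corroborated": sorted(loc for loc, fs in merged.items()
                               if len({f.tool for f in fs}) > 1),
    }
```

Run `triage(SAMPLE_SARIF)` to see four raw results collapse to three locations, of which `src/db.js:42` is both error-level and corroborated by two tools, which is the kind of ranking a reviewer wants before opening the alerts one by one.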

According to GitHub, since its introduction as a beta last May, GitHub code scanning has been widely adopted by the community, with over 12,000 repositories scanned and more than 20,000 security issues identified.

Developers and maintainers fixed 72% of reported security errors identified in their pull requests before merging in the last 30 days.

GitHub's announcement sparked a discussion on Hacker News about the alert fatigue that false positives from code analysis tools can cause. GitHub's position is that code scanning mitigates this because its rule set is fully configurable: teams choose which queries run and can tune or disable the ones that only generate noise.
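The triggers described earlier (scheduled runs and push or pull-request events) and the rule-set tuning mentioned here are both expressed in two repository files: a GitHub Actions workflow and a CodeQL configuration file. The pair below is an added example, not taken from the article or from GitHub's own documentation; the branch name, cron schedule, languages, ignored paths, excluded query id, and action versions are assumptions chosen for illustration.

```yaml
# .github/workflows/codeql-analysis.yml
# Added example; branch, schedule, languages and action versions are assumptions.
name: "CodeQL"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 3 * * 1'   # also scan weekly, Mondays 03:00 UTC, to pick up new queries

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF results to code scanning
    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript', 'python' ]
    steps:
      - uses: actions/checkout@v3
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/codeql-config.yml
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
---
# .github/codeql/codeql-config.yml
# Repository-level tuning of the rule set (paths and the excluded query id are illustrative).
name: "Repo CodeQL config"
disable-default-queries: false
queries:
  - uses: security-extended   # broader suite than the default, at the cost of more noise
paths-ignore:
  - 'test/**'
  - 'vendor/**'
query-filters:
  - exclude:
      id: js/unused-local-variable   # a non-security query that only added noise here
```

The `pull_request` trigger is what produces the in-PR annotations that let issues be fixed before merge; the config file is where false-positive pressure is handled, by narrowing the scanned paths and excluding individual queries rather than turning the scan off.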
