How to enable Code Scanning on GitHub?

About a year ago, GitHub welcomed Semmle. A quick background on Semmle: the company was founded in 2006 around the idea that source code can be queried like any other kind of data. Trusted by security teams at Uber, NASA, Microsoft and Google, to name a few, Semmle has helped find thousands of vulnerabilities in some of the largest codebases in the world, as well as over 100 CVEs in open source projects to date. Semmle has now helped GitHub introduce a new, exciting, and extremely useful feature: code scanning.

What does code scanning do?
Simple. Code scanning integrates with GitHub Actions, or with your existing CI/CD environment, to scan code as it is written and surface actionable security findings within pull requests and the other GitHub experiences you use every day, automating security as part of your workflow. This helps ensure vulnerabilities can be fixed before they make it to production.

Introduced in May at GitHub Satellite as a beta release, code scanning has shown promising results:

  • It has scanned over 12,000 repositories 1.4 million times
  • Within them, it has found more than 20,000 security issues
  • These security issues include remote code execution (RCE), SQL injection, and cross-site scripting (XSS) vulnerabilities
  • In the last 30 days, around 72% of these reported security errors were identified in pull requests before the code was merged

Built on the open SARIF standard, code scanning is powered by CodeQL, the world's most powerful code analysis engine. It is extensible, so you can include open source and commercial static application security testing (SAST) solutions within the same GitHub-native experience. You can also integrate third-party scanning engines to view results from all your security tools in a single interface, and export multiple scan results through a single API.
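Because code scanning ingests results in SARIF, any third-party tool that emits a SARIF 2.1.0 file can appear in the same interface. As an added example, not code from the original post or from GitHub, here is a small Python check that parses such a file and flattens it into findings; the tool name, rule id, file paths and line numbers are constructed for illustration.

```python
import json

# Constructed SARIF 2.1.0 document standing in for the output of a
# third-party SAST tool. Tool name, rule id and paths are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-sast",
            "rules": [{"id": "EX001",
                       "shortDescription": {"text": "SQL built from user input"},
                       "defaultConfiguration": {"level": "error"}}]}},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "Query string concatenates a request parameter"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "EX001",
             "message": {"text": "Second finding; level inherited from the rule"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/admin.py"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def summarize_sarif(text):
    """Return one flat dict per result: tool, rule, level, file, line.

    A result without its own level inherits the rule's defaultConfiguration
    level and otherwise defaults to "warning", as the SARIF spec defines.
    """
    doc = json.loads(text)
    if doc.get("version") != "2.1.0":
        raise ValueError("code scanning expects SARIF version 2.1.0")
    findings = []
    for run in doc["runs"]:
        driver = run["tool"]["driver"]
        rule_levels = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                       for r in driver.get("rules", [])}
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            findings.append({
                "tool": driver["name"],
                "rule": res["ruleId"],
                "level": res.get("level", rule_levels.get(res["ruleId"], "warning")),
                "file": loc["artifactLocation"]["uri"],
                "line": loc["region"]["startLine"],
            })
    return findings
```

Running `summarize_sarif(SAMPLE_SARIF)` yields two findings, both at level "error" even though only the first result states a level explicitly.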

Yesterday GitHub announced that code scanning is available for free for public repositories, and as a GitHub Advanced Security feature for GitHub Enterprise. You can read this to learn more about how you too can enable code scanning for your GitHub repositories.