What does code scanning do?
Simple. Code scanning integrates with GitHub Actions, or your existing CI/CD environment, to scan code as it is created and surface actionable security reviews within pull requests and the other GitHub experiences you use every day, automating security as part of your workflow. This helps ensure vulnerabilities can be mitigated before they reach production.
Introduced in May at GitHub Satellite as a beta release, code scanning has shown promising results:
Built on the open SARIF standard, code scanning is powered by CodeQL, the world’s most powerful code analysis engine. It is extensible, so you can include open source and commercial static application security testing (SAST) solutions within the same GitHub-native experience. You can also integrate third-party scanning engines to view results from all your security tools in a single interface and export multiple scan results through a single API.
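To make the SARIF point concrete, here is an added example (not code from GitHub or this article) that parses a constructed SARIF 2.1.0 document of the kind a third-party SAST tool would produce, normalises the results across tools, and applies a simple pull-request gate. The tool name `example-sast`, the rule IDs and the file paths are made up; the `security-severity` rule property is the one GitHub's SARIF support reads to rank alerts.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 document (not real scanner output). Tool name,
# rule IDs, paths and messages are invented for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {
            "name": "example-sast",  # hypothetical tool name
            "rules": [
                {"id": "EX001",
                 "shortDescription": {"text": "SQL query built from user input"},
                 "properties": {"security-severity": "8.8"}},
                {"id": "EX002",
                 "shortDescription": {"text": "Hard-coded credential"},
                 "properties": {"security-severity": "5.0"}},
            ],
        }},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "Query string concatenated from request parameter"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db/users.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "EX002", "level": "warning",
             "message": {"text": "Literal API key assigned"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/config.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "EX002", "level": "warning",
             "message": {"text": "Literal password assigned"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def load_results(sarif_text):
    """Flatten every run in a SARIF document into tool-independent findings."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError("only SARIF 2.1.0 is handled here")
    findings = []
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        # Rule metadata lives on the driver; results only carry the ruleId.
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "tool": driver.get("name", "unknown"),
                "rule": res.get("ruleId"),
                # SARIF treats a missing level as "warning" for failed results.
                "level": res.get("level", "warning"),
                "severity": float(rule.get("properties", {}).get("security-severity", 0)),
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def summarize(findings):
    """Count findings per SARIF level, e.g. {'error': 1, 'warning': 2}."""
    return dict(Counter(f["level"] for f in findings))


def gate(findings, min_severity=7.0):
    """Return the findings that should block a pull request: any error-level
    result, or any result whose rule carries a security-severity at or above
    the threshold (7.0 is used here as an illustrative 'high' cut-off)."""
    return [f for f in findings if f["level"] == "error" or f["severity"] >= min_severity]


if __name__ == "__main__":
    found = load_results(SAMPLE_SARIF)
    print("levels:", summarize(found))
    for f in gate(found):
        print(f"BLOCK {f['tool']}:{f['rule']} {f['file']}:{f['line']} {f['message']}")
```

In a real pipeline the SARIF file produced by the scanner is what gets uploaded to GitHub (for example with the `github/codeql-action/upload-sarif` action) so the same findings appear as code scanning alerts in the pull request; the parsing above shows what the standard format carries and why results from different engines can be merged into one view.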
Yesterday GitHub announced that code scanning is available for free for public repositories and as a GitHub Advanced Security feature for GitHub Enterprise. You can read this to learn more about how you can enable code scanning for your GitHub repositories. And while you are at it, don't forget to like us on Facebook.