GitHub Code Scanning aims to prevent vulnerabilities in open source software
GitHub has made available two new security features for open and private repositories: code scanning (as a GitHub-native experience) and secret scanning (both still in beta).
With the former, it aims to prevent vulnerabilities from ever being introduced into software and, ideally, help developers eliminate entire bug classes forever. With the latter, it wants to make sure that developers are not inadvertently leaking secrets (e.g., cloud tokens, passwords, etc.) in their repositories.
Code scanning (beta)
The code scanning feature, available for set up in every GitHub repository (in the Security tab), is powered by CodeQL, a semantic code analysis engine that GitHub has made available last year.
CodeQL can analyze code written in C, C++, C#, Java, JavaScript, TypeScript, Python and Go, but the code scanning feature can work with any analysis engine (and developers can choose others from the GitHub Marketplace).
While code analysis with CodeQL is not new, this new feature makes it part of the developers’ code review workflow.
With code scanning enabled, every ‘git push’ is scanned for potential security vulnerabilities. Results are displayed in the pull request for the developer to analyze, and additional information about the vulnerability and recommendations on how to fix things are offered, so they can learn from their mistakes.
Any public project can sign up for code scanning for free – GitHub will pay for the compute resources needed.
For a peek of how this will work in practice, check out this demonstration by Grey Baker, Director of Product Management at GitHub (start the video at 31:40):
Secret scanning (beta)
Secret scanning (formerly “token scanning”) has been available for public repositories since 2018, but it can now be used for private repositories as well.
“With over ten million potential secrets identified, customers have asked to have the same capability for their private code. Now secret scanning also watches private repositories for known secret formats and immediately notifies developers when they are found,” explained Shanku Niyogi, Senior VP of Product at GitHub.
“We’ve worked with many partners to expand coverage, including AWS, Azure, Google Cloud, npm, Stripe, and Twilio.”