One year after acquiring software security scanning specialist Semmle, and following a successful five-month beta process, GitHub is making its CodeQL code analysis capabilities available publicly, helping teams and individuals do more to create secure applications via a community-driven, developer-first approach.
During the beta process, 12,000 repositories were scanned 1.4 million times, with more than 20,000 security issues uncovered, including multiple instances of remote code execution (RCE), SQL injection and cross-site scripting (XSS) vulnerabilities.
GitHub said developers and maintainers using the feature fixed almost three-quarters of disclosed bugs in the past 30 days – a substantial leap considering that, in general, less than one-third of bugs are fixed within a month.
GitHub product manager Justin Hutchings said that when integrated with GitHub Actions or a user’s existing CI/CD environment, the service would maximise flexibility for development teams.
“Instead of overwhelming you with linting suggestions, code scanning runs only the actionable security rules by default, so that you can stay focused on the task at hand,” said Hutchings.
“It scans code as it is created and surfaces actionable security reviews within pull requests and other GitHub experiences you use every day, automating security as a part of your workflow. This helps ensure vulnerabilities never make it to production in the first place.”
The platform has also registered 132 community contributions to CodeQL’s open-sourced query set, and partnered with multiple security suppliers in both the open source and commercial space to allow developers to run CodeQL and industry solutions for static application security testing (SAST), container scanning, and infrastructure as code validation side-by-side in GitHub’s native code-scanning experience.
Users will also be able to integrate third-party scanning engines to view results from all their security tools in a single interface, and export multiple scan results through a single API. Hutchings said GitHub planned to share more on its extensibility capabilities soon.
The service will be offered free for public GitHub repositories, and more details on how to enable this can be found online. The feature will be made available to private repositories through GitHub Enterprise’s paid-for Advanced Security options.
Users interested in helping secure the open source ecosystem are, as ever, invited to chime in and contribute to the CodeQL community on GitHub.