
Application Security


GitHub Tool Spots Security Vulnerabilities in Code

Scanner, which just became generally available, lets developers spot problems before code gets into production.

A code-scanning capability that GitHub has been testing for the past several months is now generally available for organizations using the platform as part of their software development process.

The scanner is based on CodeQL, a code analysis technology that GitHub acquired from its purchase of Semmle last year. It gives developers a way to scan code for security vulnerabilities during development and to address the issues before the code gets into production.

GitHub released the first beta of the natively integrated code scanner at its GitHub Satellite virtual event earlier this year. Since then, more than 6,000 user accounts — belonging to both individuals and organizations — have enabled code scanning on their GitHub repositories, says Justin Hutchings, product manager at GitHub.

Over 12,000 repositories on GitHub have been scanned a total of 1.4 million times since the scanner went into beta. Over that period, the scanner has helped uncover more than 20,000 security issues in code stored on GitHub, including remote execution flaws, SQL injection errors, and cross-site scripting flaws, according to GitHub.

"Thanks to their testing and feedback, we're confident that code scanning is ready for the wider community," Hutchings says. "The code-scanning beta proved the hypothesis that if you build security tooling for developers first, developers will use it." According to Hutchings, GitHub made multiple improvements to the product based on feedback from beta users of the code scanner so that it meets the requirements of both the open source community and commercial organizations.

More source code is currently stored on GitHub than any other platform. Some 50 million developers and 2.9 million businesses worldwide collectively use GitHub to host a staggering 100 million code repositories. Since launching as a place for individual developers to securely host and manage code revisions back in 2008, GitHub has grown into the most widely used platform for managing software development projects worldwide.

In 2011 GitHub launched an enterprise version of the platform that organizations can run on-premises to manage software projects. In 2017, it launched an enterprise cloud version of the technology. Microsoft acquired GitHub for $7.5 billion in 2018. Some of its better-known customers include Facebook, American Airlines, Dow Jones, and 3M.

Ongoing Effort
Hutchings says the new code-scanning feature is part of GitHub's ongoing effort to help secure the open source software ecosystem. In 2019, GitHub launched Security Lab, an initiative under which it is working with security researchers, developers, and others to detect and report bugs in popular open source projects. Among those participating in the effort are Microsoft, Google, HackerOne, and Intel.

Such efforts are important because in recent years a high number of data breaches have resulted from vulnerabilities in web applications, such as SQL injection errors, input validation mistakes, and cross-site scripting flaws. Vulnerabilities in open source software are of particular concern because of how widely these components are used in modern applications.

CodeQL, on which GitHub's new scanner is based, is a semantic code analysis tool that lets developers query source code as if it were data. GitHub has described the tool as allowing developers to write a query that matches all variants of a security vulnerability and then share that query with others so they can look for the same issues in their own code.

Code scanning is free for public repositories and available as an add-on as part of GitHub Advanced Security for GitHub Enterprise Server and GitHub Enterprise Cloud, Hutchings says. Its unique proposition is in shifting security left, or earlier, in the security development life cycle. "It allows enterprise security teams to scan every commit made to their applications and to provide feedback automatically during code review," Hutchings says.
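The per-commit scanning and code-review feedback Hutchings describes is driven by a workflow file in the repository. The following is an added illustration, not a configuration from the article or from GitHub; it assumes a JavaScript project whose default branch is `main` and uses the `github/codeql-action` steps as they existed when code scanning became generally available.

```yaml
# .github/workflows/codeql.yml (constructed example)
name: "CodeQL code scanning"

on:
  push:
    branches: [main]        # scan every commit landing on the default branch
  pull_request:
    branches: [main]        # scan each pull request so findings surface during code review

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the commit under review
        uses: actions/checkout@v2

      # Creates the CodeQL database for the listed languages; add more
      # entries (e.g. python, go) for a multi-language repository.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: javascript

      # For compiled languages CodeQL must observe a build; autobuild
      # attempts one. Interpreted languages such as JavaScript skip this.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v1

      # Runs the bundled security queries (SQL injection, XSS, and so on)
      # and uploads results as SARIF, which appear as code-scanning alerts
      # and as annotations on the pull request.
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v1
```

Findings from the `pull_request` run are attached to the changed lines in the review, so a SQL injection or XSS pattern introduced by a commit is flagged before the merge rather than after deployment.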

Such feedback can help developers address issues faster. In the last 30 days of GitHub's beta, developers and maintainers using the platform fixed 72% of the security issues they identified in their code, he says. "We were extremely pleased to see this direct positive impact … given industry data shows that less than 30% of all flaws are fixed one month after discovery."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
