Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

05:45 PM
Connect Directly

GitHub Tool Spots Security Vulnerabilities in Code

Scanner, which just became generally available, lets developers spot problems before code gets into production.

A code-scanning capability that GitHub has been testing for the past several months is now generally available for organizations using the platform as part of their software development process.

The scanner is based on CodeQL, a code analysis technology that GitHub acquired from its purchase of Semmle last year. It gives developers a way to scan code for security vulnerabilities during development and to address the issues before the code gets into production.

Related Content:

GitHub Initiative Seeks to Secure Open Source Code

State of Endpoint Security: How Enterprises Are Managing Endpoint Security Threats

New on The Edge: Securing Slack: 5 Tips for Safer Messaging, Collaboration

GitHub released the first beta of the natively integrated code scanner at its GitHub Satellite virtual event earlier this year. Since then, more than 6,000 user accounts — belonging to both individuals and organizations — have enabled code scanning on their GitHub repositories, says Justin Hutchings, product manager at GitHub.

Over 12,000 repositories on GitHub have been scanned a total of 1.4 million times since the scanner went into beta. Over that period, the scanner has helped uncover more than 20,000 security issues in code stored on GitHub, including remote execution flaws, SQL injection errors, and cross-site scripting flaws, according to GitHub.

"Thanks to their testing and feedback, we're confident that code scanning is ready for the wider community," Hutchings says. "The code-scanning beta proved the hypothesis that if you build security tooling for developers first, developers will use it. According to Hutchings, GitHub made multiple improvements to the product based on feedback from beta users of the code scanner so it meets requirements of the open source community and commercial organizations.

More source code is currently stored on GitHub than any other platform. Some 50 million developers and 2.9 million businesses worldwide collectively use GitHub to host a staggering 100 million code repositories. Since launching as a place for individual developers to securely host and manage code revisions back in 2008, GitHub has grown into the most widely used platform for managing software development projects worldwide.

In 2011 GitHub launched an enterprise version of the platform that organizations can use on-premise to manage software projects. In 2017, it launched an enterprise cloud version of the technology. Microsoft acquired GitHub for $7.5 billion in 2018. Some of its better-known customers include Facebook, American Airlines, Dow Jones, and 3M.

Ongoing Effort
Hutchings says the new code-scanning feature is part of GitHub's ongoing effort to help secure the open source software ecosystem. In 2019, GitHub launched Security Lab, an initiative under which it working with security researchers, developers, and others to detect and report bugs in popular open source projects. Among those participating in the effort are Microsoft, Google, HackerOne, and Intel.

Such efforts are important because in recent years a high number of data breaches have resulted from vulnerabilities, such as SQL injection efforts, input validation mistakes, and cross-site scripting flaws in web applications. Vulnerabilities in open source software in particular have been of high concern because of how widely used these components are in modern applications.

CodeQL, on which GitHub's new scanner is based, is a semantic code analysis tool that lets developers query software code like it was data. GitHub has described the tool as allowing developers to write a query for all variants of a security vulnerability and then sharing the query with others so they can look for the same issues in their code as well.

Code scanning is free for public repositories and available as an add-on as part of GitHub Advanced Security for GitHub Enterprise Server and GitHub Enterprise Cloud, Hutchings says. Its unique proposition is in shifting security left, or earlier, in the security development life cycle. "It allows enterprise security teams to scan every commit made to their applications and to provide feedback automatically during code review," Hutchings says.

Such feedback can help developers address issues faster. In the last 30 days of GitHub's beta, developers and maintainers using the platform fixed 72% of the security issues they identified in their code he says. "We were extremely pleased to see this direct positive impact … given industry data shows that less than 30% of all flaws are fixed one month after discovery."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google Maps is taking "interactive" to a whole new level!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-17
Cross Site Scripting (XSS) in emlog v6.0.0 allows remote attackers to execute arbitrary code by adding a crafted script as a link to a new blog post.
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page."
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images."
PUBLISHED: 2021-05-17
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_handles ../../src/decode.c:2637.
PUBLISHED: 2021-05-17
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_revhistory ../../src/decode.c:3051.