GitHub developers can now scan their repositories using the new code scanning “default setup”, which should help them spot security vulnerabilities before they escalate.
With this new feature, GitHub says developers will be able to configure code scanning for a repository automatically, with as little effort as possible.
GitHub’s code scanning is powered by the CodeQL engine, and while it supports a wide variety of compilers, the feature is only available for Python, JavaScript, and Ruby so far. That should change soon, said GitHub’s Walker Chabbott, as the company now tries to extend support to other languages before the summer.
Simplifying bug searching
Those wanting to test the new feature should open their repository’s settings, navigate to “Code Security and Analysis” and click the “Setup” drop-down menu. There they will find the option “Default”.
“If you click ‘Default’, you will automatically see a customized configuration summary based on the contents of the repository,” Chabbott said in the blog post. “This includes the languages that will be detected in the repository, the query packages that will be used, and the events that trigger scans. These options will be customizable in the future.”
Once “Enable CodeQL” is clicked, the feature will automatically start looking for errors in the repository.
CodeQL’s code analysis engine, BleepingComputer recalls, was added to the GitHub platform in September 2019, following GitHub’s acquisition of the tool’s developer.
After a year of beta testing, general availability was announced in September 2020. During the beta phase, the tool scanned more than 12,000 repositories, 1.4 million times, and found more than 20,000 security vulnerabilities. Some of these were very serious, including remote code execution (RCE), SQL injection, and cross-site scripting (XSS).
Code scanning is free for everyone, the publication added, noting that Enterprise users can also benefit from it via GitHub Advanced Security for GitHub Enterprise.
Via: BleepingComputer