GitHub adds code scanning to help devs find security flaws

With cybersecurity being top of mind for most people given the increasing frequency of attacks during the COVID-19 pandemic, it may be helpful to have a second set of eyes run through your code before making it available to the public. This is the thinking behind the new code scanning feature from GitHub.

The Microsoft-owned code repository has been testing out this feature for a number of months, but today marks the first time that developers will have open access to it.

“Code scanning is designed for developers first. Instead of overwhelming you with linting suggestions, code scanning runs only the actionable security rules by default so that you can stay focused on the task at hand,” explains Justin Hutchings, senior product manager for security and open source intelligence at the repository.

“Code scanning integrates with GitHub Actions—or your existing CI/CD environment—to maximize flexibility for your team. It scans code as it’s created and surfaces actionable security reviews within pull requests and other GitHub experiences you use every day, automating security as a part of your workflow. This helps ensure vulnerabilities never make it to production in the first place,” he adds.
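The pull-request integration described above is driven by an ordinary Actions workflow. The following is an added example (not from the article and not GitHub's own sample) of a minimal CodeQL workflow that scans on every push and pull request so findings appear as checks before merge; the branch name, the repository languages and the choice of the `security-extended` query suite are assumptions for illustration.

```yaml
# Added example (not from the article or from GitHub's own docs):
# a GitHub Actions workflow that runs CodeQL code scanning on pushes and
# pull requests so findings surface in the PR before merge.
name: "Code scanning (CodeQL)"

on:
  push:
    branches: [ main ]          # assumption: default branch is 'main'
  pull_request:
    branches: [ main ]

permissions:
  contents: read                # least privilege: only read the source
  security-events: write        # required to upload scan results

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript', 'python' ]   # assumption: the repo's languages
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # The default suite is the "actionable security rules" the article
          # mentions; 'security-extended' widens coverage at the cost of noise.
          queries: security-extended

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Placed under `.github/workflows/`, the workflow produces one analysis per language; a finding on a changed line is annotated directly in the pull request, and a branch protection rule that requires the check to pass is what turns "surfaced before merge" into "blocked before merge".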

As for what the response has been like to the new offering, as well as its effectiveness, it appears to be doing a great job on both fronts.

GitHub notes that it has scanned over 12 000 repositories, 1.4 million times, and found more than 20 000 security issues, including remote code execution (RCE), SQL injection, and cross-site scripting (XSS) vulnerabilities.

Perhaps more importantly, the repository adds that developers and maintainers fixed 72 percent of reported security errors identified in their pull requests before merging in the last 30 days. This is significant as the industry standard for fixed flaws within 30 days of discovery sits far lower at 30 percent, according to GitHub.

With this being a rather handy new feature, it should prove interesting to see how many more flaws it helps identify and fix in the coming months.
