GitHub has this week announced the availability of its new Code Scanning feature, providing an easy way for developers to check their code for security vulnerabilities. Code scanning integrates with GitHub Actions, or with your existing CI/CD environment, to maximize flexibility for your team. The new feature scans code as it’s created and surfaces “actionable security reviews within pull requests”, helping to stop vulnerabilities from making their way to production.
“GitHub code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production. We’re thrilled to announce the general availability of code scanning. You can enable it on your public repository today!”
“GitHub code scanning is designed for developers first. Instead of overwhelming you with linting suggestions, code scanning runs only the actionable security rules by default so that you can stay focused on the task at hand. Write safer code from day one with end-to-end security. GitHub helps you address vulnerabilities earlier and ship secure applications.”
Code scanning is free for public repositories and is a GitHub Advanced Security feature for GitHub Enterprise. Since introducing the beta back in May:
- We’ve scanned over 12,000 repositories 1.4 million times, and found more than 20,000 security issues including remote code execution (RCE), SQL injection, and cross-site scripting (XSS) vulnerabilities.
- Developers and maintainers fixed 72% of reported security errors identified in their pull requests before merging in the last 30 days. We’re proud to see this impact, given industry data shows that less than 30% of all flaws are fixed one month after discovery.
- We’ve had 132 community contributions to CodeQL’s open-sourced query set.
- We’ve partnered with more than a dozen open source and commercial security vendors to allow developers to run CodeQL and industry-leading solutions for SAST, container scanning, and infrastructure-as-code validation side-by-side in GitHub’s native code scanning experience.
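As an added illustration of the GitHub Actions integration described above (this is an example workflow, not code from the announcement), the following enables CodeQL code scanning on pushes and pull requests; it assumes a Python repository, the `github/codeql-action` actions, and a default branch named `main`:

```yaml
# Added example workflow for CodeQL code scanning (not from the original post).
# Assumes a Python project and the public github/codeql-action actions.
name: "CodeQL code scanning"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]   # results surface as review annotations on the PR

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write   # required to upload SARIF results to code scanning
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: python
          # The default query suite is the "actionable" security set mentioned in the
          # announcement; opt in to a broader set if you can tolerate more findings:
          # queries: security-extended

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
```

For compiled languages, add a build step (or an `autobuild` step) between `init` and `analyze` so CodeQL can observe the compilation.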