GitHub is officially launching a new code-scanning tool today, designed to help developers identify vulnerabilities in their code before it’s deployed to the public.
The new feature is the result of an acquisition last year when GitHub snapped up San Francisco-based code analysis platform Semmle; the Microsoft-owned code-hosting platform revealed at the time that it would make Semmle’s CodeQL analysis engine available natively across all open source and enterprise repositories. After several months in beta, code scanning is now rolling out to all developers.
It’s estimated that some 60% of security breaches involve unpatched vulnerabilities. Moreover, 99% of all software projects are believed to contain at least one open source component, meaning that dodgy code can have a significant knock-on impact for many companies.
Typically, fixing a vulnerability requires a researcher to first find it and disclose it to the repository maintainer, who fixes the issue and alerts the community, whose members then update their own projects to the fixed version. In a perfect world, this process would take minutes to complete, but in reality it takes much longer than that: someone first has to find the vulnerability, either by manually inspecting code or through pentesting, which can take months. Then comes the process of finding and notifying the maintainer and waiting for them to roll out a fix.
GitHub’s new code-scanning functionality is a static application security testing (SAST) tool that works by transforming code into a queryable format, then looking for vulnerability patterns. It automatically identifies vulnerabilities and errors in code changes in real time, flagging them to the developer before the code goes anywhere near production.
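As an added illustration of the "turn code into a queryable representation, then search it for vulnerability patterns" idea described above, here is a CodeQL query for JavaScript that flags untrusted request data flowing into `eval()`. It is an example written for this page, not GitHub's or Semmle's own query, and it uses the taint-tracking configuration API as it existed around the time of this article; `RemoteFlowSource`, `DataFlow::globalVarRef` and `TaintTracking::Configuration` are standard CodeQL library classes, and the query name is assumed.

```ql
/**
 * @name Untrusted input reaches eval()
 * @kind path-problem
 * @problem.severity error
 * @id example/eval-from-remote-input
 */

import javascript
import DataFlow::PathGraph

// The "pattern": any remote input (HTTP parameters, request bodies, ...)
// that reaches the first argument of a global eval() call, possibly after
// passing through string concatenation or helper functions.
class EvalFromRemoteInput extends TaintTracking::Configuration {
  EvalFromRemoteInput() { this = "EvalFromRemoteInput" }

  // Sources: values the CodeQL library models as remotely controlled
  override predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource
  }

  // Sinks: the argument of eval(...)
  override predicate isSink(DataFlow::Node sink) {
    sink = DataFlow::globalVarRef("eval").getACall().getArgument(0)
  }
}

from EvalFromRemoteInput cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "Untrusted data from $@ is evaluated as code.", source.getNode(), "a remote source"
```

Each result carries the full path from source to sink, which is what a maintainer sees in a code-scanning alert and what lets them judge whether the flow is reachable before deciding on a fix.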
Data suggests that only 15% of vulnerabilities are fixed one week after discovery, a figure that rises to nearly 30% within a month and 45% after three months. According to GitHub, during its beta phase it scanned more than 12,000 repositories more than 1 million times, unearthing 20,000 security issues in the process. Crucially, the company said that developers and maintainers fixed 72% of these code errors within 30 days.
There are other third-party tools out there already designed to help developers find faults in their code. London-based Snyk, which recently raised $200 million at a $2.6 billion valuation, targets developers with an AI-powered platform that helps them identify and fix flaws in their open source code.
This helps to highlight how automation is playing an increasingly big role not only in scaling security operations but also in plugging the cybersecurity skills gap: GitHub’s new code-scanning smarts go some way toward freeing up security researchers to focus on other mission-critical work. Many vulnerabilities share common root causes, and GitHub now promises to find all variations of these errors automatically, leaving security researchers free to hunt for entirely new classes of vulnerabilities. Moreover, it does so as a native toolset baked directly into GitHub.
GitHub’s code scanning hits general availability today, and it is free to use for all public repositories. Private repositories can gain access to the feature through a GitHub Enterprise subscription.