
GitHub wants to kill off security bugs in your code for good


GitHub has launched a new code scanning tool that it hopes will help developers spot bugs and vulnerabilities in their work before the code ships.

The new feature, which is available now, allows developers to analyze their code in a GitHub repository to find security vulnerabilities and coding errors.

Any problems that are detected are surfaced as alerts in the repository's Security tab and, for changes submitted as pull requests, on the pull request itself, so that a vulnerability can be fixed before the change is merged rather than after it has been deployed in a public release.

GitHub code scanning

"Code scanning is designed for developers first. Instead of overwhelming you with linting suggestions, code scanning runs only the actionable security rules by default so that you can stay focused on the task at hand," Justin Hutchings, GitHub Senior Product Manager - Security & Open Source Intelligence, wrote in a blog post announcing the news.

GitHub says that developers can use code scanning to find, triage, and prioritize fixes for existing problems in their code, and to prevent new problems from being introduced, by any contributor, because each pull request is scanned before it is merged.

Scans can also be run on a schedule, at specific days and times, or triggered when a specific event occurs in the repository, such as a push or a pull request. The feature supports the most popular programming languages, including C/C++, C#, Go, Java, JavaScript/TypeScript and Python, and is free for public repositories (private repositories need GitHub Advanced Security).

Code scanning is powered by CodeQL, GitHub's semantic code analysis engine, which treats code as data: the source is compiled into a queryable database and vulnerability patterns are written as queries over it, which GitHub says finds potential vulnerabilities with greater confidence (fewer false positives) than traditional static analyzers. Results from third-party analysis tools can also be uploaded in SARIF format and shown as the same kind of alert.
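To make the scheduling, event-trigger and language points above concrete, here is an added example of a code scanning workflow built on the CodeQL actions. It is not code from the article or from GitHub's announcement; it is the kind of file a repository owner would commit as `.github/workflows/codeql.yml`. It assumes a default branch named `main` and a project containing JavaScript and Python; the weekly cron time and the action version tags are choices for this example.

```yaml
# Added example: a CodeQL code scanning workflow (assumed path .github/workflows/codeql.yml).
# Not part of the original article; branch name, languages and schedule are assumptions.
name: "CodeQL"

on:
  # Event-triggered scans: every push to main and every pull request targeting main.
  # Alerts found on a pull request are shown on the PR before it can be merged.
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  # Scheduled scan: Mondays at 06:00 UTC (GitHub Actions cron is always UTC).
  # This re-checks unchanged code against newly published queries.
  schedule:
    - cron: '0 6 * * 1'

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write   # required to upload results as code scanning alerts

    strategy:
      fail-fast: false
      # One job per language; assumed languages for this example.
      matrix:
        language: [ 'javascript', 'python' ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # The default query suite runs only the actionable security rules.
          # Uncomment to widen coverage at the cost of more findings to triage:
          # queries: security-extended

      # Interpreted languages need no build; for C/C++, C# or Java this step
      # attempts to build the project so CodeQL can observe the compiled code.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
```

Two practical notes: the `security-events: write` permission is what lets the analyze step upload its SARIF results, so a workflow that copies this file but tightens permissions will run the queries and then silently fail to create alerts; and `fail-fast: false` keeps one language's failed build from cancelling the other language's scan.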

The launch is one of the first new features to be released since GitHub announced, back in September, a major shake-up in how it keeps users informed about new changes and updates on its platform.

For the first time, the Microsoft-owned code-hosting platform will publicly publish its roadmap for current and upcoming features.

GitHub has previously only shared details of new features at company events or trade shows, but says that in the current climate more regular updates are needed.

Via VentureBeat