The Microsoft subsidiary GitHub has announced the rollout of a code scanning system, built on Semmle, to improve repository security.
A year ago, GitHub welcomed Semmle, whose tooling makes it easy to find security vulnerabilities before they reach production. Since then, they have been working to bring the code analysis capabilities of their CodeQL technology to GitHub users as a native feature.
The first beta version was released in May, and thanks to thousands of community developers who tested it and provided feedback, the system is now generally available. Recently GitHub also released the GitHub CLI 1.0 tool, which brings almost the entire GitHub workflow into the terminal.
As already mentioned, code scanning is powered by CodeQL, which GitHub describes as the world's most powerful code analysis engine. Developers can use the 2,000+ CodeQL queries created by GitHub and the community, or write custom queries, to find and prevent new security issues.
Semmle can be activated in all public repositories. Once code scanning is enabled, the system scans code as it is written and highlights areas that could be exploited later. The hope is that by catching bugs early, the number of security incidents facing the industry as a whole can be reduced.
The code scanning feature checks every pull request and every commit for known classes of security holes. It is intended to stop these flaws from reaching production. If weak points are discovered, the feature asks the developers involved in the repository, in so-called security reviews, to revise their code until Semmle no longer finds any further weak points.
You can enable and configure code scanning from the Security tab of each of your public repositories. More in-depth details and user reports are available in the official release post on the GitHub blog.
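As an added illustration (not taken from the article or from GitHub's documentation), this is the kind of GitHub Actions workflow that enabling code scanning from the Security tab generates: it runs CodeQL on every push and pull request, as the article describes, and uploads the findings to the repository's Security tab. It assumes the default branch is `main`, that the repository contains JavaScript and Python, and that the pinned action versions are current for your setup.

```yaml
name: "CodeQL code scanning"

# Scan on every commit pushed to main and on every pull request targeting it.
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write   # required to upload results to the Security tab

    strategy:
      fail-fast: false
      matrix:
        # Assumption: the repository contains these languages; adjust to match yours.
        language: [ 'javascript', 'python' ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          # Run GitHub's default query suite plus the broader security-extended suite.
          # Custom queries from your own repository could be listed here as well.
          queries: security-extended

      # Builds compiled languages automatically; for interpreted languages this is a no-op.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      # Runs the queries and uploads SARIF results; alerts then appear on the PR and in the Security tab.
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v2
```

Results surface as code scanning alerts on the pull request checks and under the repository's Security tab, which is where the security reviews mentioned above take place.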