To aid developers in the quest to identify security flaws, the code hosting website GitHub has made it simple for developers to scan the contents of their repositories for security vulnerabilities.
Many people who follow cybersecurity news are aware that security researchers and threat actors both frequently discover security holes, which forces developers to create and provide patches for these problems. While closing security gaps is a great idea, it is bad news when threat actors actively exploit previously unknown vulnerabilities. Threat actors can sometimes outwit security researchers, who try to uncover holes and alert developers to them before this can happen.
CodeQL, GitHub’s proprietary semantic code analysis engine, powers the platform’s premium Advanced Security feature set and is employed in this new security screening option. Until now, developers who wished to scan their code with the CodeQL analysis engine had to write their own workflow: a YAML file that instructs the engine to scan the repository at predetermined intervals or on particular events. Thanks to the new “default configuration” option, developers can now activate CodeQL scanning for public repositories without requiring manual setup or a subscription.
Repository administrators can access a new feature on each repository’s “Settings” tab. Under “Security,” there is a page with options for “Code scanning” and “Code security and analysis.” When they click the “Set up” button next to the “CodeQL analysis” option, users are offered a choice between “Default” and “Advanced.” The latter option lets developers configure CodeQL scanning manually through a customised workflow file; choosing “Default” skips this step. The default setup prompt then shows what has been selected: the query suites that will be used for the analysis, the programming languages that CodeQL finds in the repository, and the events that will start a new scan.
No matter how CodeQL scanning is configured, as soon as it is active, it will work in the background to detect security flaws and notify developers of them. Then, developers can take the necessary steps to address any vulnerabilities discovered, ideally before threat actors are able to attack them.
While GitHub is in a position to have a substantial impact on how the open-source community addresses security, Chris Wysopal, chief technology officer of the software auditing firm Veracode, points out that GitHub’s accomplishments do not relieve the rest of the industry from responsibilities.
Wysopal asserts that, since GitHub is already open, nothing on GitHub’s part is required to change the open-source security landscape. There is nothing stopping a third party from scanning every GitHub repository for vulnerabilities and alerting the project maintainers to any findings.
To do that would be pretty expensive. According to GitHub, it costs millions of dollars to provide the free vulnerability screening and analysis tools in Advanced Security. However, the company is optimistic that its investment will show why open source security should be prioritised.