Code hosting site GitHub has introduced a new way for developers to scan their repositories for security vulnerabilities, without the need for manual setup. The feature is part of GitHub’s premium Advanced Security option and is powered by CodeQL, GitHub’s own semantic code analysis engine.
Previously, developers had to build their own YAML files to tell the engine when to search each repository, but now they can activate CodeQL scanning for public repositories with a new “default configuration” option.
Users can access the option via the “Settings” tab of each repository, under the “Security” title. They can choose between “Default” and “Advanced” configuration options, with the former using preset settings for programming languages, query suites, and events that will launch a new scan.
Once CodeQL scanning is enabled, it will operate in the background to find security holes and alert developers, who can then take action to fix any vulnerabilities found.
However, Chris Wysopal, chief technology officer of software auditing company Veracode, said that while GitHub’s advancements are important, they don’t absolve the rest of the sector from responsibility.
He added that it would be expensive for third parties to search through all GitHub repositories for vulnerabilities, but GitHub’s investment in providing free vulnerability screening and analysis tools could demonstrate the benefits of giving security to open source priority.