GitHub Adds Features to Automate Vulnerability Code Scanning

Hosting service GitHub has added a new feature to automatically set up code scanning on repositories.

Called 'default setup,' the novel capability simplifies starting code scanning on repositories using Python, JavaScript and Ruby.

“You can now enable code scanning in just a few clicks and without using a .yaml file, helping open source developers and enterprises streamline code scanning setup so they can secure more of their software,” the company wrote in a blog post on Monday.

The new feature is already available in the 'Code security and analysis' section under the 'Security' heading in the 'Settings' tab of repositories.

“Once enabled, you’ll immediately start getting insights from code scanning in your code to help you find and fix vulnerabilities quickly without disrupting your workflow,” wrote GitHub product marketer Walker Chabbott.

The company also clarified that the existing route, committing a GitHub Actions workflow file (YAML) to the repository, is still available; it now sits under an 'Advanced' option and is the way to customize how code scanning runs.

“If the repository doesn’t support default setup, the option will be grayed out,” Chabbott added.

Clicking 'Default' instead shows a configuration summary tailored to the repository's contents.

“This includes the languages detected in the repository, the query packs that will be used, and the events that will trigger scans. In the future, these options will be customizable,” Chabbott explained.

“After reviewing the configuration, you click ‘Enable CodeQL,’ and code scanning will automatically run on the repository. It’s that simple!”
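For comparison, this is what the same three items from the default-setup summary (languages, query packs, triggering events) look like when written out by hand under the 'Advanced' option. It is an added illustration, not a file from GitHub's blog post or from any GitHub repository; the workflow path, the branch name, the three languages, the `security-extended` query suite and the weekly cron schedule are all assumptions chosen for the example.

```yaml
# .github/workflows/codeql.yml  (added illustration, not from the article)
name: "CodeQL"

# The "events that will trigger scans": every push and pull request to the
# assumed default branch, plus a weekly run so newly added CodeQL queries are
# applied even when nobody pushes. Monday 03:00 UTC is an arbitrary choice.
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "0 3 * * 1"

# Least privilege for the job: read the source, write only code-scanning
# results (SARIF upload needs security-events: write).
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # The "languages detected in the repository". Default setup picks
        # these for you; advanced setup makes you list them explicitly.
        language: [ "javascript", "python", "ruby" ]
    steps:
      - uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          # The "query packs": security-extended runs the default security
          # suite plus lower-precision security queries.
          queries: security-extended

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
        with:
          # One result category per language so the alerts for each
          # matrix job are tracked separately in the Security tab.
          category: "/language:${{ matrix.language }}"
```

All three languages in the matrix are interpreted, so no build step is needed between `init` and `analyze`. A repository that also contains a compiled language (Java, C/C++, C#, Go) would need an `autobuild` step or an explicit build command there, which is the kind of per-repository customization the 'Advanced' route exists for and one reason default setup initially covers only the interpreted languages named in the announcement.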

According to GitHub, the new feature is part of the company’s efforts to build security tools that provide a frictionless experience for developers.

To this end, the company had already simplified enabling secret scanning and Dependabot in the second half of 2022.

In other GitHub security news, the firm announced in May 2022 that all users who contribute code will be required to enable two-factor authentication (2FA) by the end of 2023, and more recently it introduced private vulnerability reporting.
