
GitHub Releases an Easy Way for Developers to Scan for Vulnerabilities

Zaveria

GitHub releases an easy way for developers to scan for vulnerabilities without any manual setup

Security researchers and threat actors both routinely find security flaws, which prompts developers to produce and issue patches for these flaws, as many who follow cybersecurity news are aware. Fixing security holes is a wonderful thing, but when threat actors aggressively take advantage of previously undiscovered vulnerabilities, that's terrible news. Security researchers work to find flaws and notify developers of them before this can happen, but they don't always outwit threat actors. The code hosting site GitHub has made it simple for developers to scan the contents of their repositories for security vulnerabilities to assist developers in the race to find security issues.

This new scanning option is powered by CodeQL, GitHub's own semantic code analysis engine, which also powers the platform's premium Advanced Security feature set. Until now, developers who wanted to use the CodeQL analysis engine to scan their code for vulnerabilities had to write custom YAML workflow files that told the engine to scan each repository at certain intervals. Thanks to the new "default configuration" option, developers can now activate CodeQL scanning for public repositories without any manual setup or a subscription.

Repository administrators can find the new option under each repository's "Settings" tab. Under the "Security" heading there is a "Code security and analysis" page with "Code scanning" options. The "Set up" button next to the "CodeQL analysis" option asks users to choose between "Default" and "Advanced." The "Advanced" option lets developers configure CodeQL scanning manually with a customized YAML file, while selecting "Default" lets them skip that step. Once "Default" is chosen, the setup prompt displays the programming languages CodeQL has detected in the repository, the query suites that will be used in the analysis, and the events that will trigger a new scan. If these settings look appropriate, the next step is to click "Enable CodeQL."

Users will eventually be able to adjust the query suites and events, but for the time being the default setup uses a set of preset settings, according to GitHub. Additionally, the default setup currently only supports repositories that contain JavaScript/TypeScript, Python, and Ruby. The CodeQL analysis engine supports many more languages, but GitHub is still working to make them available through the default configuration option. For the time being, developers who want to scan repositories containing other languages will have to continue using the advanced setup option.

Regardless of how CodeQL scanning is set up, once enabled it will operate in the background to find security holes and alert developers to them. Developers can then take appropriate action to fix any vulnerabilities found, preferably before threat actors manage to exploit them.

Chris Wysopal, chief technology officer of the software auditing company Veracode, notes that while GitHub is in a position to significantly influence how the open-source community approaches security, the advancements GitHub is making don't absolve the rest of the sector from responsibility.

It's not necessary for GitHub to take any action to change the open-source ecosystem, according to Wysopal, because GitHub is naturally open. Nothing prevents a third party from searching through all of the GitHub repositories for vulnerabilities and notifying the project maintainers of any discoveries.

It would be quite expensive to do that. According to GitHub, providing the vulnerability scanning and analysis tools in Advanced Security for free costs millions of dollars. But the company believes that its investment may demonstrate the benefits of making open-source security a priority.
