GitHub launched today, for all Advanced Security (GHAS) licensees, the new "Code Scan" feature (in preview) to search GitHub code for potential security vulnerabilities and coding errors.
This new feature uses Copilot and CodeQL, a code analysis engine developed by GitHub to automate security checks, to find possible vulnerabilities or bugs in your code, categorize them, and prioritize fixes. Note that Code Scan consumes GitHub Actions minutes.
Code Scan is also described as preventing developers from introducing new issues. It supports scheduled scans at specific dates and times, as well as triggering a scan when a specific event occurs in the repository (e.g., a push).
If the AI finds a possible vulnerability or bug in your code, GitHub raises an alert on the repository and closes the alert once the user fixes the code that triggered it.
To monitor your repository's or organization's Code Scanning results, you can use webhooks and the code scanning API. Code Scan can also interoperate with third-party code scanning tools that output Static Analysis Results Interchange Format (SARIF) data.
Currently, there are three main approaches to CodeQL analysis for Code Scanning:

- Quickly configure CodeQL analysis for Code Scan on the repository using the default settings. The default settings automatically select the language to analyze, the query suite to run, and the event that triggers the scan; you can also manually select the query suite and the language if desired. When CodeQL is enabled, GitHub Actions performs a workflow run to scan the code.
- Add a CodeQL workflow to the repository using the advanced settings. This generates a customizable workflow file that runs the CodeQL CLI using github/codeql-action.
- Run the CodeQL CLI directly on an external CI system and upload the results to GitHub.
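An added example, not code from the article or the file GitHub generates, of what an advanced-setup workflow built on github/codeql-action looks like, with a second job showing the SARIF upload path that third-party tools and external CI use. The action version tags, the language list, the query suite, the schedule and the scanner script are assumptions for illustration.

```yaml
# Added example (not from the article). Version tags (@v3/@v4), languages,
# query suite and the third-party scanner script are assumptions.
name: CodeQL

on:
  push:                        # scan on push, the event the article mentions
    branches: [main]
  pull_request:                # and on pull requests targeting main
    branches: [main]
  schedule:
    - cron: '30 3 * * 1'       # scheduled scan: Mondays 03:30 UTC (assumed)

permissions:
  contents: read               # least privilege: read the code only ...
  security-events: write       # ... but allow writing code scanning alerts
  actions: read

jobs:
  codeql:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [javascript-typescript, python]   # assumed languages
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended        # broader suite than the default
      - uses: github/codeql-action/autobuild@v3   # no-op for interpreted languages
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"

  # Interoperability path from the article: any scanner that emits SARIF can
  # feed the same alerts view via upload-sarif (scanner and path are assumed).
  third-party-sarif:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./run-other-scanner.sh --output results.sarif   # hypothetical scanner
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: third-party-scanner
```

Each `category` value must be unique per tool and language so that alerts from different jobs are tracked separately rather than overwriting one another.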
GitHub promises that this AI system can fix more than two-thirds of the vulnerabilities it discovers, so there is generally no need for developers to actively edit code. The company also promises that code scanning auto-remediation will cover more than 90% of alert types in its supported languages, which currently include JavaScript, TypeScript, Java, and Python.