GitHub discovers more code vulnerabilities from now on

GitHub is getting a new tool that scans code based on machine learning to stop vulnerabilities before they enter a production environment.

GitHub is launching a new security tool. From now on, the hosting site will scan code for vulnerabilities via machine learning. The additional security analysis is available in beta for repositories running JavaScript and TypeScript. Among other things, the tool can detect XSS, path injection, and SQL and NoSQL injection. Such types of vulnerabilities are common in new CVEs.

By detecting the problems in the code on GitHub, developers basically get an alert before it goes into production. The new functionality extends existing code-scanning within GitHub. The platform launched the CodeQL analysis engine in general availability in September 2020.

Experimental

The new machine learning functionality is not yet generally available. To take advantage of it, you need to check the appropriate settings under the Security settings of your repository. GitHub explains the way it works in detail. Results of the experimental functionality are clearly separated from the other warnings of the scanning tool: they are labeled “Experimental”. Chances are that the solution in beta still produces relatively many false positive results.

GitHub code scanning is free for public repositories and is also part of the GitHub Advanced Security functionality within GitHub Enterprise for private repositories.