GitHub has made its CodeQL code scanning service generally available. Based on semantic code analysis technology acquired from Semmle, CodeQL now can be enabled in users’ public repositories to discover security vulnerabilities in their code bases.
CodeQL is intended to run only actionable security rules by default, to help developers remain focused on the task at hand and not become overwhelmed with linting suggestions. CodeQL integrates with the GitHub Actions CI/CD platform or a user’s other CI/CD environment. Code is scanned as it is created while actionable security reviews are surfaced within pull requests and other GitHub experiences. This process is intended to ensure that vulnerabilities never make it into production.
Developers can leverage the more than 2,000 CodeQL queries created by GitHub and the community at large, or build custom queries to address new security concerns. CodeQL code scanning was built on the SARIF standard and is extensible, so developers can include open source and commercial static application security testing solutions within the same GitHub-native experience. Third-party scanning engines can be integrated to view results from all of a developer’s security tools via a single interface. Multiple scan results can be exported through a single API.
CodeQL scanning is free for public repositories. For private repositories, CodeQL is available for the fee-based GitHub Enterprise service through GitHub Advanced Security. Since the first beta of the service in May, GitHub said, CodeQL has scanned 12,000 repositories 1.4 million times and found more than 20,000 security issues including remote code execution, SQL injection, and cross-site scripting vulnerabilities.