
GitHub Introduces Simple Way to Detect Vulnerabilities in Your Code


January 10, 2023


GitHub rolled out a new code-scanning feature to help developers hosting projects on its platform detect vulnerabilities in their repositories.

Once enabled, the new feature, dubbed “default setup,” automatically scans the code in a repository and reports its findings as code-scanning alerts, which GitHub says gives developers valuable insights.

The feature’s convenience stems from its simplicity: developers can enable default setup in just a few clicks, without writing a GitHub Actions workflow (YAML) file.

Default setup is built upon the CodeQL analysis engine, which supports an extensive range of languages and frameworks. However, the new feature currently supports only JavaScript, Python and Ruby repositories.

“We are working hard to make this experience available for all languages supported by the CodeQL analysis engine,” reads GitHub’s announcement. “We will continue rolling out support for new languages based on popularity and build complexity over the next six months.”

Users who want to try the feature can find it under their repository’s Settings tab, on the Code security and analysis page in the Security section.

At the bottom of that page is a Code scanning section containing a CodeQL analysis entry. Clicking Set up offers two options:

  • Default – configures code scanning automatically, without a YAML workflow file
  • Advanced – lets you customize the code-scanning parameters, but requires you to write a YAML workflow file

It’s worth mentioning that Default setup is not available for every repository; where it is unsupported, the option is grayed out.

Choosing Default shows an overview of the configuration tailored to your repository’s content: the automatically detected languages, the query packs that will be run in the analysis, and the events that will trigger a scan. According to GitHub’s announcement, users will eventually be able to customize these options.

To finish setting up automatic code scanning on your repository, click the Enable CodeQL button.

Default setup is just one of the steps GitHub has recently taken to offer better security to its users. Last month, the Microsoft-owned company rolled out secret scanning for all public repositories and announced mandatory 2FA throughout the platform.




Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.

