GitHub Adds Automatic Scanning for Security Vulnerabilities
October 1, 2020
GitHub, the largest host of source code in the world, has added a new feature that most of us will probably never use but could make the world wide web a safer place for everyone.
Last year, GitHub’s owner Microsoft purchased Semmle, makers of a semantic code analysis engine that’s been used to hunt down security vulnerabilities in the code of big organizations like Uber, NASA, and Google. After a few months of beta testing it in the wild, GitHub announced on Wednesday that the code-scanning tech is being deployed on its network free to use for developers working on public repositories.
The code scanner is relatively simple in function. GitHub and its community have already added 2,000+ queries to automatically scan code in real-time and notify a developer that they’ve missed a known security hole before an individual’s contributions are merged with a broader project. And as developers find new vulnerabilities, they can add additional queries, streamlining the process of disseminating new information to beleaguered code monkeys.
Assuming it works well and developers use it, the tool could save small teams a lot of headaches searching for common vulnerabilities themselves or having to take on the expense of an independent researcher’s review before publishing. In its announcement, GitHub cited industry research that found only about 30 percent of known vulnerabilities are found in a project’s code within the first month of it being live. In contrast, GitHub said that beta users running the code scanning option fixed 72% security errors before merging in the last 30 days.
What’s in it for Microsoft? For starters, enterprise users will have to pay to use the security feature. But more importantly, a safer web is a welcome thing for Microsoft’s beleaguered Windows security team. And that’s good for us all.