Microsoft-owned code hosting platform GitHub is now providing developers with the option to have their code repositories automatically scanned for vulnerabilities.
Available as a ‘default setup’ option, the new feature is meant to help code builders find and resolve vulnerabilities faster.
Available for JavaScript, Python, and Ruby repositories, it allows open source developers and enterprises to enable code scanning without the use of a .yaml file and will immediately provide them with insights into their code’s issues.
To enable the new option, GitHub users should head to the ‘Settings’ tab in their repositories and then navigate to ‘Code security and analysis’, under ‘Security’.
Developers will find two options: ‘Default’, which automatically sets up code scanning, and Advanced, which allows them to customize code scanning using a .yaml file. If default setup is not supported, the first option will be grayed out.
“When you click on ‘Default’, you’ll automatically see a tailored configuration summary based on the contents of the repository. This includes the languages detected in the repository, the query packs that will be used, and the events that will trigger scans. In the future, these options will be customizable,” GitHub explains.
To enable automatic code scanning for their repositories, developers need to click ‘Enable CodeQL’ after reviewing the displayed configuration.
“We are working hard to make this experience available for all languages supported by the CodeQL analysis engine. We will continue rolling out support for new languages based on popularity and build complexity over the next six months,” GitHub announced.
Related: GitHub Announces Free Secret Scanning, Mandatory 2FA
Related: GitHub Introduces Private Vulnerability Reporting for Public Repositories
Related: GitHub Improves npm Account Security as Incidents Rise