Security Experts:

New GitHub Features Help Find Vulnerabilities and Secrets in Code

GitHub on Wednesday announced two new security features designed to help developers identify vulnerabilities and potential secrets in their code.

The company announced several new products at its Satellite virtual conference, including ones aimed at helping customers write and consume more secure code.

These new security features, code scanning and secret scanning, are currently in beta. GitHub says code scanning helps developers identify potential vulnerabilities in every “git push,” with results being displayed directly in their pull requests.GitHub unveils new security features

The code scanning feature leverages the CodeQL code analysis engine. CodeQL has been offered for free to open source projects as part of an initiative announced by GitHub last year, and the company says the new code scanning feature will be free as well for open source software.

As for secret scanning, the feature allows users to find potentially sensitive data in code, such as tokens, encryption keys and user credentials. The feature has been available for public repositories since 2018 and GitHub has been working with companies such as AWS, Microsoft, Google, Stripe, Twilio and npm to expand coverage. GitHub says secret scanning is now also available for private repositories.

“Code scanning and secret scanning are available for free for all public repositories, and available as part of GitHub Advanced Security,” GitHub said.

GitHub on Wednesday also unveiled Private Instances, an upcoming feature for enterprise customers.

“Private Instances provides enhanced security, compliance, and policy features including bring-your-own-key encryption, backup archiving, and compliance with regional data sovereignty requirements,” the company explained.

Related: GitHub Warns Users of Sophisticated Phishing Campaign

Related: GitHub to Warn Users on Compromised Passwords

Related: GitHub Security Alerts Lead to Fewer Vulnerable Code Libraries

Related: GitHub Increases Bug Bounty Program Rewards, Expands Scope

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.