GitHub is officially launching a new code-scanning tool today, designed to help developers identify vulnerabilities in their code before it’s deployed to the public.
The new feature is the result of an acquisition last year when GitHub snapped up San Francisco-based code analysis platform Semmle; the Microsoft-owned code-hosting platform revealed at the time that it would make Semmle’s CodeQL analysis engine available natively across all open source and enterprise repositories. After several months in beta, code scanning is now rolling out to all developers.
It’s estimated that some 60% of security breaches involve unpatched vulnerabilities. Moreover, 99% of all software projects are believed to contain at least one open source component, meaning that dodgy code can have a significant knock-on impact for many companies.
Typically, fixing vulnerabilities requires a researcher to first find the vulnerability and disclose it to the repository maintainer, who fixes the issue and alerts the