CATEGORIES
home IT Infrastructure Security

How GitHub Is Making It Easier To Root Out Security Flaws In Your Open Source Code

by Nathan WassonTuesday, January 10, 2023, 02:48 PM EDT
hero github making easier root out security flaws open source code news
Those who follow cybersecurity news will know that both security researchers and threat actors alike are frequently discovering security vulnerabilities, prompting developers to create and release patches for these vulnerabilities. While fixing security flaws is a good thing, it’s bad news when such fixes are prompted by threat actors actively exploiting previously unknown vulnerabilities. Security researchers try to uncover vulnerabilities and report them to developers before this can happen, but researchers don’t always beat threat actors to the punch. In the hopes of aiding developers in the race to discover security vulnerabilities, the code hosting service GitHub has released an easy way for developers to scan the contents of their repositories for vulnerabilities.

This new security scanning option makes use of CodeQL, which is GitHub’s own semantic code analysis engine that powers the platform’s paid Advanced Security feature set. Up to this point, developers wanting to scan their code for vulnerabilities with the CodeQL analysis engine have had to create custom .yaml files that direct the engine to scan each repository at specified intervals. The new “default configuration” option for public repositories gives developers the choice to enable CodeQL scanning without any manual setup or subscription required.

github code scanning codeql default configuration news
CodeQL default configuration option (source: GitHub)

Repository maintainers can find this new option in the “Settings” tab of each repo. Under the “Security” heading is a “Code security and analysis” page that displays “Code scanning” options. Next to the “CodeQL analysis” option is a “Set up” button that prompts users to select “Default” or “Advanced.” The latter configuration options lets developers set up CodeQL scanning manually with a custom .yaml file, but developers can skip the manual setup process by choosing “Default” instead. Once selected, the default configuration prompt will display the programming languages CodeQL detects in the repository, as well as the query suites that will be run in the analysis and the events that will trigger a new scan. If these settings seem agreeable, the final step is to click “Enable CodeQL.”

According to GitHub, users will be able to customize the query suites and events in the future, but the default configuration will use a set of default options for the time being. The default configuration also currently requires that repositories contain only JavaScript/TypeScript, Python, and Ruby. The CodeQL analysis engine supports a larger list of languages, but GitHub is still working to enable them for the default configuration option. For now, developers wanting to run scans on repositories containing other languages will have to stick with the advanced configuration option.

Regardless of how CodeQL scanning is configured, it will work in the background once enabled to detect security vulnerabilities and notify developers of these flaws. Developers can then address detected vulnerabilities accordingly and hopefully before threat actors manage to exploit them.
Tags:  security, Open Source, vulnerability, vulnerabilities, cybersecurity, GitHub, code
NW

Nathan Wasson

Nathan grew up with computer hardware news and reviews in the family business and eventually joined the business himself in 2014. He initially joined to make video reviews and help with the podcast, but was soon asked if he would write, and he's been writing about computers ever since. More recently, Nathan has developed a passion for internet privacy, security, and decentralization and likes writing about those topics the most. He spends much of his free time tinkering with Linux distributions, custom Android ROMs, privacy and security tools, and self-hosting solutions. He also started gaming on a PC at a young age and still can't give up Unreal Tournament 2004 and Supreme Commander 2. Beyond computers, Nathan is a car enthusiast and philosophy nerd.

You can follow Nathan on Mastodon and Twitter.

Opinions and content posted by HotHardware contributors are their own.
TOP STORIES
Which New GPU Is For You?
More Results
KEEP INFORMED

Stay updated with the latest news and updates. Subscribe to our newsletter!

Subscribe Now
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2026 Hot Hardware Inc, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment