GitHub now offers a way to automatically set up code scanning in a repository. This option is called “default setup” and it allows developers to enable scanning with just a few mouse clicks.
The CodeQL code scanner, powered by GitHub, supports . However, this new option is only available for Ruby, JavaScript and Python repositories.
Walker Chabbott, product marketing manager at GitHub, stated that GitHub will expand support to more languages in the coming six months.
You will need to navigate to the “Code security analysis” section of your repo settings. Click the “Setup” drop-down menu and select the default option.
Chabbott stated that clicking on “Default” will automatically show a customized configuration summary, based on repository contents.
This includes the query packs, the languages that have been detected, and the events that trigger scans. These options can be customized later.
Once you click “Enable CodeQL”, the scanner will immediately start scanning the repository for flaws. This can help you fix them and make your software more secure.
Code scanning default setup (GitHub)
After the Semmle code-analysis tool was purchased in , the CodeQL engine for code analysis was added to the GitHub platform.
In May 2020, the first code scanning beta was launched at . Its announcement came four months later in September 2020.
During beta testing, the feature was used over 12,000 times to scan 1.4 million repositories and detected more than 20,000 security flaws, such as SQL injection and remote code execution (RCE).
All public repositories can scan code for free. It’s also available in GitHub Advanced Security for private repositories.
Last month, GitHub introduced support for to all public repositories (such as credentials and auth tokens).