Code hosting platform GitHub today launched new machine learning-based code scanning analysis features that will automatically discover more common security vulnerabilities before they end up in production.
“With the new analysis capabilities, code scanning can surface even more alerts for four common vulnerability patterns: cross-site scripting (XSS), path injection, NoSQL injection, and SQL injection,” said GitHub’s Tiferet Gazit and Alona Hlobina.
Security vulnerabilities discovered by the new experimental code analysis features will show up as alerts in the ‘Security’ tab of enrolled repositories.
These new alerts are marked using an ‘Experimental’ label and will also be available via the pull requests tab.
The CodeQL code analysis engine, which powers GitHub’s code scanning, was added to the platform’s capabilities after GitHub acquired code-analysis platform Semmle in September 2019.
During beta testing, the code scanning feature was used to scan more than 12,000 repositories 1.4 million times and found over 20,000 security issues, including remote code execution (RCE), SQL injection, and cross-site scripting (XSS) flaws.
GitHub Code scanning is free for public repositories and is available as a GitHub Advanced Security feature for GitHub Enterprise private repositories.
“It’s important to note that while we continue to improve and test our machine learning models, this new experimental analysis can have a higher false-positive rate relative to results from our standard CodeQL analysis,” Gazit and Hlobina added.
“As with most machine learning models, the results will improve over time.”
Source: Bleeping Computer