GitHub Rolls Out New AI-Powered Code Scanning Security Alerts


GitHub is getting new AI-powered code scanning analysis capabilities that should enable developers to identify the most common security flaws in their code. The company has launched this new experimental security feature in public beta for all GitHub users, and it supports JavaScript and TypeScript repositories.

With this new code scanning analysis tool, developers can scan projects written in either language for common vulnerability patterns, including path injection, SQL injection, NoSQL injection, and cross-site scripting (XSS). Attackers typically exploit these classes of vulnerability to run malicious code on targeted systems.

“Together, these four vulnerability types account for many of the recent vulnerabilities (CVEs) in the JavaScript/TypeScript ecosystem, and improving code scanning’s ability to detect such vulnerabilities early in the development process is key in helping developers write more secure code,” GitHub noted in a blog post.

GitHub users can view the new security alerts with an ‘Experimental’ label via the ‘Security’ tab of each repository. There is also an option to monitor these alerts through the pull requests tab.


GitHub’s new code scanning feature works on top of CodeQL

Under the hood, code-scanning functionality in GitHub runs on top of CodeQL, a code analysis engine launched in 2019 to detect multiple variants of the same security threat across codebases. “To detect vulnerabilities in a repository, the CodeQL engine first builds a database that encodes a special relational representation of the code. On that database we can then execute a series of CodeQL queries, each of which is designed to find a particular type of security problem,” explained Tiferet Gazit, Senior Machine Learning Engineer at GitHub.

The new code scanning analysis capabilities are currently available in preview for all developers using the security-extended and security-and-quality query suites. If you haven’t done so yet, you can follow this step-by-step guide to configure the code analysis feature for JavaScript/TypeScript projects.

Keep in mind that the experimental analysis tool is still a work in progress, and GitHub users may notice a higher false-positive rate. However, Microsoft noted that the accuracy of its machine learning models is expected to improve over time.