GitHub launches code scanning scheme to hunt down vulnerabilities


Software hosting service provider GitHub has released a new experimental feature that aims to rid code of some of the more common security vulnerabilities as early in production as possible.

The new automatic scanner is powered by machine learning (ML) and scans incoming code written in TypeScript and JavaScript for four common vulnerabilities: cross-site scripting (XSS), path injection, NoSQL injection, and SQL injection, reducing the chances of abuse by malware.

The feature is now in public beta for the two abovementioned programming languages. 

More secure code

The new experimental JavaScript and TypeScript analysis is rolled out to all users of code scanning’s security-extended and security-and-quality analysis suites, explained GitHub's Tiferet Gazit and Alona Hlobina.

“Together, these four vulnerability types account for many of the recent vulnerabilities (CVEs) in the JavaScript/TypeScript ecosystem, and improving code scanning's ability to detect such vulnerabilities early in the development process is key in helping developers write more secure code,” the pair added.

If the submitted code has any of the abovementioned vulnerabilities, an alert will show up in the repository’s Security tab. These alerts will have an “Experimental” label, and will also be available via the pull requests tab.

Automating everything

Obviously, that doesn't mean developers should stop hunting for flaws, as many will probably still make it past the scanner and end up being abused on vulnerable endpoints.

GitHub has been hard at work lately as it looks to automate as much work as possible for its users. Besides automating flaw detection, it added a feature that will pretty much write the code for you, as well as one to help developers search through their code more easily.

The writing system, called GitHub Copilot, has been trained on billions of lines of code available in public repositories, including those on GitHub. Microsoft and GitHub developed Copilot together with OpenAI, an AI research startup that Microsoft has been investing in since 2019. 

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.