The experimental, machine learning-powered feature aims to identify security vulnerabilities using open source expertise
GitHub has released a new scanning tool for its platform that allows users to check their repositories for the most common threats targeting their codebase’s chosen development language.
Launched on Thursday as a free public beta for all users, the feature uses machine learning and deep learning to scan codebases and identify common security vulnerabilities before a product is shipped.
The tool is designed to scan for the four most common vulnerabilities affecting projects written in these two languages: cross-site scripting (XSS), path injection, NoSQL injection, and SQL injection.
Developers can scan their code using the platform’s machine learning-powered CodeQL engine, querying their code as if it were data.
The best defence against ransomware
How ransomware is evolving and how to defend against itFree download
Users can search for the best queries relating to the vulnerabilities they're trying to identify and run them against their own codebase for efficient security analysis.
“With the rapid evolution of the open source ecosystem, there is an ever-growing long tail of libraries that are less commonly used,” said Gazit and Hlobina. "We use examples surfaced by the manually-crafted CodeQL queries to train deep learning models to recognise such open source libraries, as well as in-house developed closed-source libraries.”
Due to the open source nature of the queries, they can be constantly updated with further refinements to catch more vulnerability variants with a single query, and recognise emerging libraries and frameworks.
Identifying emerging libraries is especially important, GitHub said, because it helps identify flows of untrusted user data, which are often the root cause of security issues.
GitHub said as the experimental feature is still in beta, users can expect a higher false-positive rate of detections compared to a standard CodeQL analysis, but this will improve over time.
Accelerating AI modernisation with data infrastructure
Generate business value from your AI initiativesFree Download
Recommendations for managing AI risks
Integrate your external AI tool findings into your broader security programsFree Download
Modernise your legacy databases in the cloud
An introduction to cloud databasesFree Download
Powering through to innovation
IT agility drive digital transformationFree Download