IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

GitHub launches code scanning tool for JavaScript and TypeScript projects

The experimental, machine learning-powered feature aims to identify security vulnerabilities using open source expertise

GitHub has released a new scanning tool for its platform that allows users to check their repositories for the most common threats targeting their codebase’s chosen development language.

Launched on Thursday as a free public beta for all users, the feature uses machine learning and deep learning to scan codebases and identify common security vulnerabilities before a product is shipped.

The experimental feature is currently available to all users on the platform, including GitHub Enterprise users as a GitHub Advanced Security feature, and can be used for projects written in JavaScript or TypeScript.

The tool is designed to scan for the four most common vulnerabilities affecting projects written in these two languages: cross-site scripting (XSS), path injection, NoSQL injection, and SQL injection.

Such attacks can result in attackers running malicious code on victims’ machines, or taking over entire databases, leading to compromised or stolen sensitive data.

“Together, these four vulnerability types account for many of the recent vulnerabilities in the JavaScript/TypeScript ecosystem, and improving code scanning’s ability to detect such vulnerabilities early in the development process is key in helping developers write more secure code,” said Tiferet Gazit, senior machine learning engineer, and Alona Hlobina, product manager, both at GitHub, in a blog post.

Developers can scan their code using the platform’s machine learning-powered CodeQL engine, querying their code as if it were data.

Related Resource

The best defence against ransomware

How ransomware is evolving and how to defend against it

Blue padlock Free download

Open source queries are written by experts in the GitHub community and these are designed to recognise as many variants of a vulnerability type as possible in a single query.

Users can search for the best queries relating to the vulnerabilities they're trying to identify and run them against their own codebase for efficient security analysis.

“With the rapid evolution of the open source ecosystem, there is an ever-growing long tail of libraries that are less commonly used,” said Gazit and Hlobina. "We use examples surfaced by the manually-crafted CodeQL queries to train deep learning models to recognise such open source libraries, as well as in-house developed closed-source libraries.”

Due to the open source nature of the queries, they can be constantly updated with further refinements to catch more vulnerability variants with a single query, and recognise emerging libraries and frameworks.

Identifying emerging libraries is especially important, GitHub said, because it helps identify flows of untrusted user data, which are often the root cause of security issues.

GitHub said as the experimental feature is still in beta, users can expect a higher false-positive rate of detections compared to a standard CodeQL analysis, but this will improve over time.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

GitHub Enterprise Server 3.5 is equipped with a horde of new security protections
software development

GitHub Enterprise Server 3.5 is equipped with a horde of new security protections

1 Jun 2022
GitHub's latest security updates aim to protect projects in their earliest stages
Development

GitHub's latest security updates aim to protect projects in their earliest stages

7 Apr 2022
GitHub's ultra-fast onboarding tool Codespaces makes its way to public beta
Development

GitHub's ultra-fast onboarding tool Codespaces makes its way to public beta

25 Feb 2022
GitHub goes open source on security research
Development

GitHub goes open source on security research

22 Feb 2022

Most Popular

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
The UK's best cities for tech workers in 2022
Business strategy

The UK's best cities for tech workers in 2022

24 Jun 2022
Carnival hit with $5 million fine over cyber security violations
cyber security

Carnival hit with $5 million fine over cyber security violations

27 Jun 2022