GitHub's open-source CodeQL tool looks for security holes in real-time

On Thursday, GitHub announced that after extensive testing, it launched a native code scanner that can detect security flaws in posted programs or code as it is being entered. The tool is powered by CodeQL—an open-source semantic code analyzer.

The scanner can work in real-time as code is entered, so flaws never get to the software's final production version. Alternatively, completed code can be tested within public repositories. GitHub and others in the community have created more than 2,000 queries to find patterns in code blocks that identify common security vulnerabilities. Users can also create custom queries as the need arises.

The software entered beta in May and has since seen significant results. GitHub scanned more than 12,000 repositories 1.4 million times and found around 20,000 security flaws. Some of the issues it uncovered included remote code execution (RCE), SQL injection, and cross-site scripting (XSS) vulnerabilities. Developers have already fixed 72% of the reported errors within 30 days.

"We're proud to see this impact, given industry data shows that less than 30% of all flaws are fixed one month after discovery," GitHub said in its blog.

Community members have also expanded the CodeQL query set by 132 contributions since the tool entered beta.

Code scanning is found in GitHub Actions, but can also be integrated into existing CI/CD solutions. It is free for users with public repositories. Private collections require GitHub Enterprise.