Security flaws unearthed by the new experimental code analysis functionality will appear as alerts in the “Security” tab of enrolled repositories. These new alerts will be labeled “Experimental” and will also be accessible through the pull requests tab. After GitHub acquired the code-analysis platform Semmle in September 2019, the CodeQL analysis engine, which drives GitHub’s code scanning, was added to the platform’s capabilities. In May 2020, GitHub launched the first code scanning beta at GitHub Satellite, and four months later, in September 2020, it became generally available.
During beta testing, the code scanning feature scanned over 12,000 repositories 1.4 million times and discovered over 20,000 security weaknesses, including remote code execution (RCE), SQL injection, and cross-site scripting (XSS) bugs. GitHub code scanning is free for public repositories, while for GitHub Enterprise private repositories it is available as part of the GitHub Advanced Security service.