GitHub Code Scanning Now Detects Additional Security Flaws

GitHub, a code hosting platform, recently announced new machine learning-based code scanning analysis tools to detect more widespread security issues before they reach production. These new experimental static analysis tools are now available in public beta for GitHub projects for JavaScript and TypeScript.

“With the new analysis capabilities, code scanning can surface even more alerts for four common vulnerability patterns: cross-site scripting (XSS), path injection, NoSQL injection, and SQL injection,” said GitHub’s Alona Hlobina and Tiferet Gazit. “Together, these four vulnerability types account for many of the recent vulnerabilities (CVEs) in the JavaScript/TypeScript ecosystem, and improving code scanning’s ability to detect such vulnerabilities early in the development process is key in helping developers write more secure code.”

Security flaws unearthed by the new experimental code analysis functionalities will appear as alerts in enrolled repositories’ “Security” tab. These new notifications will be labeled “Experimental” and accessible through the pull requests tab. After GitHub bought code-analysis platform Semmle in September 2019, the CodeQL code analysis engine, which drives GitHub’s code scanning, was added to the platform’s capabilities. In May 2020, GitHub launched the first code scanning beta on GitHub Satellite, and four months later, in September 2020, it became generally available.

During beta testing, the code scanning function scanned over 12,000 repositories 1.4 million times and discovered over 20,000 security weaknesses, including RCE, SQL injection, and cross-site scripting (XSS) bugs. GitHub code scanning is free for public repositories; for private repositories on GitHub Enterprise, it is available as part of GitHub Advanced Security.

You may use these instructions to set up code analysis for your JavaScript/TypeScript code. The new functionalities are available in the security-extended and security-and-quality analysis suites for code scanning.
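A minimal workflow that enables the extended query suite mentioned above, as an added example rather than text from the article or GitHub's own documentation. The file path, branch name and action versions are assumptions; CodeQL's `javascript` language setting also covers TypeScript.

```yaml
# Added example, not from the article: .github/workflows/codeql.yml
# (path, branch name and action versions are assumptions).
# Selecting the security-extended suite turns on the broader query set in which
# the experimental JS/TS alerts (XSS, path, NoSQL and SQL injection) appear.
name: "CodeQL"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # required to publish alerts to the Security tab
      contents: read
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: javascript          # CodeQL's JS extractor handles TypeScript too
          queries: security-extended     # alternative: security-and-quality
      - uses: github/codeql-action/analyze@v2
```

Alerts raised by the experimental queries carry the "Experimental" label in the repository's Security tab, so they can be triaged separately from the default suite.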

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.