GitHub: Now our built-in bug checker gets these third-party code-scanning tools

GitHub has released a host of third-party security tools for its just-launched code-scanning feature, which helps open-source projects nix security bugs before they hit production code. 

GitHub Code Scanning works on top of CodeQL (Query Language), a technology that GitHub integrated into its platform after it acquired code-analysis platform Semmle in September 2019. GitHub announced general availability of code scanning last week after a beta phase that has run since May.

GitHub has now introduced 10 new third-party code-scanning tools that are available with GitHub code scanning to allow developers to remove flaws before they’re committed to code. 

The ability to add third-party tools to the native GitHub code-scanning feature lets developers customize it for different teams in an organization. 

Extensibility is enabled via code scanning's application programming interface (API) endpoint, which ingests the results of scans from third-party tools using the Static Analysis Results Interchange Format (SARIF).

GitHub sees it being valuable for organizations post-merger with teams running different code-scanning tools, as well as for extending coverage to mobile, Salesforce development or mainframe development. It also enables customized reporting and dashboards. 

The new third-party scanning tools include extensions for static analysis and developer security training. 

The current roster includes Checkmarx, Codacy, CodeScan, DefenseCode ThunderScan, Fortify on Demand, Muse, Secure Code Warrior, Synopsys Intelligent Security Scan, Veracode Static Analysis, and Xanitizer.   

Developers can begin using third-party scanning tools with GitHub Actions, a feature that allows users to automate development workflows, or with a GitHub App triggered by an event such as a pull request.

GitHub then handles the rest of the task, ensuring there are no duplicates and that alerts are aggregated and associated with each tool that generates a report. 
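The SARIF ingestion and de-duplication described above, as an added illustration that is not code from GitHub or from any of the listed tools: a hypothetical scanner's findings (constructed sample data) are converted into a minimal SARIF 2.1.0 log carrying partial fingerprints so repeated findings collapse to one alert, and the log is gzip-compressed and base64-encoded, which is the encoding the code-scanning SARIF upload API expects for the `sarif` field. The tool name, rule ids and file paths are assumptions.

```python
import base64
import gzip
import hashlib
import json

# Constructed sample findings, as a hypothetical third-party scanner might emit them.
# Not output of any real tool named on the page; note the repeated first finding.
SAMPLE_FINDINGS = [
    {"rule": "SQLI-001", "file": "src/db.py", "line": 42, "severity": "error",
     "text": "Query built from unsanitised request parameter"},
    {"rule": "SQLI-001", "file": "src/db.py", "line": 42, "severity": "error",
     "text": "Query built from unsanitised request parameter"},
    {"rule": "HARDCODED-SECRET", "file": "config/settings.py", "line": 7,
     "severity": "warning", "text": "Possible hardcoded credential"},
]

def fingerprint(finding):
    """Stable hash over rule, file and line; used as a SARIF partialFingerprint
    so the same finding reported twice maps to a single alert."""
    key = f"{finding['rule']}|{finding['file']}|{finding['line']}"
    return hashlib.sha256(key.encode()).hexdigest()

def build_sarif(tool_name, findings):
    """Turn scanner findings into a one-run SARIF 2.1.0 log, dropping duplicates."""
    results, seen = [], set()
    for f in findings:
        fp = fingerprint(f)
        if fp in seen:          # duplicate of an earlier finding: keep one alert
            continue
        seen.add(fp)
        results.append({
            "ruleId": f["rule"],
            "level": f["severity"],
            "message": {"text": f["text"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]}}}],
            "partialFingerprints": {"primaryLocationLineHash": fp},
        })
    rules = [{"id": r} for r in sorted({f["rule"] for f in findings})]
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}},
                  "results": results}],
    }

def encode_for_upload(sarif):
    """gzip + base64 the log, the form the SARIF upload endpoint accepts."""
    raw = json.dumps(sarif, separators=(",", ":")).encode()
    return base64.b64encode(gzip.compress(raw)).decode()

def decode_upload(blob):
    """Reverse of encode_for_upload; handy for checking what will be sent."""
    return json.loads(gzip.decompress(base64.b64decode(blob)))
```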

“The results are formatted as SARIF and uploaded to the GitHub Security Alerts tab. Alerts are then aggregated per tool and GitHub is able to track and suppress duplicate alerts,” explains Jose Palafox of GitHub.

“This allows developers to use their tool of choice for any of their projects on GitHub, all within the native GitHub experience.” 

The third-party scanners are available on GitHub's marketplace.

During the beta, GitHub says code scanning was used to perform more than 1.4 million scans on more than 12,000 repositories. It’s helped identify over 20,000 vulnerabilities.