iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Breaking news and updates daily. Subscribe to our Newsletter
GitHub has long allowed users to scan their code for vulnerabilities by using a .yaml file, but the code repository is now introducing a new default set-up mode for scanning that does away with needing an extra document.
The default set-up will scan code written in JavaScript, Ruby, and Python, with plans to rollout support for all nine code families currently supported by GitHub within the next six months. The pace of the rollout will be based on which languages are most popular.
To get the scanning set-up, users need to navigate to the “Security” setting under the “Settings” tab, and then scroll down to “‘Code security and analysis”.
This will bring up the new code scanning set-up toolbox. Clicking the “Set up” button will give users two options — “Default” sets up automatic scanning without a .yaml file, while “Advanced” lets you customise code scanning with a distinct .yaml file.
The default set-up currently tailors its configuration based on the code it is scanning, including what queries will be run and how they’ll trigger. GitHub’s planning to make this process more customisable in the future.
Users can then click “Enable CodeQL” and scanning will automatically commence.
If the repository you’re trying to set-up doesn’t support the new default set-up, the option will not be selectable.
“Enabling default set-up is the quickest way to set up code scanning for your repository,” GitHub says in the full documentation for the new feature. “Additionally, default set-up requires none of the maintenance necessary with a CodeQL workflow file. Before you enable default set-up, you'll see the languages it will analyse, the query suites it will run, and the events that will trigger a new scan.”
It will be a supreme irony if the various threat actors who also make use of GitHub to host their own malicious code will themselves take advantage of this feature.
We guess we’ll never know.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
