GitHub has made its code scanning service generally available. Based on the CodeQL semantic code analysis technology acquired from Semmle, GitHub code scanning now can be enabled in users’ public repositories to discover security vulnerabilities in their code bases. The service also supports analysis using third-party tools.
GitHub code scanning is intended to run only actionable security rules by default, to help developers remain focused on the task at hand and not become overwhelmed with linting suggestions. The service integrates with the GitHub Actions CI/CD platform or a user’s other CI/CD environment. Code is scanned as it is created while actionable security reviews are surfaced within pull requests and other GitHub experiences. This process is intended to ensure that vulnerabilities never make it into production.