GitHub has made its CodeQL code scanning service generally available. Based on semantic code analysis technology acquired from Semmle, CodeQL now can be enabled in users’ public repositories to discover security vulnerabilities in their code bases.
CodeQL is intended to run only actionable security rules by default, to help developers remain focused on the task at hand and not become overwhelmed with linting suggestions. CodeQL integrates with the GitHub Actions CI/CD platform or a user’s other CI/CD environment. Code is scanned as it is created while actionable security reviews are surfaced within pull requests and other GitHub experiences. This process is intended to ensure that vulnerabilities never make it into production.