Code Scanning in GitHub
Using GitHub Code Scanning to find vulnerabilities in your code
I got a call at IANS Research about GitHub security, so I was reviewing some of the latest information on the topic and decided to set up GitHub Code Scanning. It’s a pretty cool feature that can help you find problems in your code. Whether or not this code scanning tool works for you depends on a few factors, so you’ll have to test it out, but here’s how it works. It just takes a few steps to set it up.
Head over to your repo and click on settings.
Scroll down and click on Code security and analysis.
Under settings click on Code scanning. Click Set up.
I chose the Default option. If you want to explore the Advanced option you can write additional queries to find specific vulnerabilities you are seeking.
I set this up on the repository that contains the code I’m writing for my latest blog series on security metrics automation (and cloud governance):
It takes a little while for the analysis to complete. After it does, head back to your GitHub repo and, if any findings exist, there will be a number next to the Security link at the top of the repository. I had one. What?!
When I took a look at the finding, it was because I had printed out a password in a piece of test code, which I explicitly told you never to do in production code because the password should remain secret and not be exposed on the screen or in logs. Well, that’s an accurate finding!
In addition to what GitHub has to offer, you can integrate code scanning from other tools. Click on the Explore workflows link.
Here you can choose and test out a number of different tools, such as DevSkim, which I’ve used before and which is free.
This is a pretty nice feature from GitHub and it’s very easy to set up.
GitHub Code Scanning uses GitHub Actions, so you’ll want to check the cost of that if you have a lot of repositories to scan.
Enjoy and Secure Your Code!
Teri Radichel | © 2nd Sight Lab 2023