Automated scanning service leans on CodeQL to identify vulnerabilities behind the scenes
GitHub announced a raft of new features at its virtual GitHub Satellite event on Wednesday (May 7), including a cloud-based code editor called Codespaces and a set of automated code-scanning security tools.
Codespaces runs in the browser, backed by a containerized development environment hosted in the cloud, in a very similar manner to Microsoft’s newly-renamed Visual Studio Codespaces – hardly surprising given that GitHub is now Microsoft-owned.
“Instead of spending all your precious time setting up dev environments and trying to get them to work across all the projects you’re working on, you can get started as a developer on a project with just one click,” explained GitHub’s CEO, Nat Friedman, in his keynote.
“Best of all, Codespaces is powered by VSCode, and supports every VSCode extension out of the box.”
Launching for free in private beta today, Codespaces will eventually be offered with pay-as-you-go pricing, and will come in several configurations, allowing developers to add, for example, more CPUs, more RAM, or a GPU.
Meanwhile, there are two new cloud security features out in beta: code scanning – based on tools acquired along with Semmle last year – and secret scanning.
“GitHub code scanning will proactively scan your code and identify vulnerabilities directly in your code review workflow,” Friedman explained.
“It does this with the power of CodeQL, which is the world’s most advanced semantic analysis engine, together with CodeQL queries that have been written and shared by the entire security researcher and open source community.”
“Our aim is that for every CVE in open source that’s found that could be generalized, we create a CodeQL query that would cover that, so that instead of manually and artisanally finding and fixing bugs one by one, we can eradicate whole categories of vulnerabilities across software,” he said.
“Code scanning supports pluggable architecture, so if you want to use something other than CodeQL or use CodeQL and something else, you can plug in third-party static security tools, fuzzing tools, dynamic tools – whatever you want, and they can show up in the same user experience.”
Secret scanning, already available for public repositories, is now available for private repositories too, allowing them to be scanned for known exposed secrets that could lead to data breaches when online. More than 10 million potential secrets have already been identified.
GitHub CEO Nat Friedman announced the changes yesterday
At the GitHub Satellite event yesterday, the organization also revealed that it is planning to offer Rich Serverless Editing, meaning that there’s no need to consume cloud resources when running in the browser.
Also new is GitHub Discussions, a place for developers to discuss their work in a threaded format rather than, as tends to happen now, through pull requests. Suitable for Q&As and FAQs, said Friedman, it’s soon to open in beta for a number of public repositories.
“This is a place where you could have open-ended conversations,” says Friedman.
“Ask a question and get an answer, or maybe brainstorm about a new idea that might turn out to be a brilliant idea. Or just get recognition for the work you’re already doing to build a community or support the project – which may not be coding; not all of the productive work that drives communities forward is actually writing code.”
And coming soon is GitHub Private Instances, offering enterprise customers new security features including bring-your-own-key encryption, backup archiving, and tools to help organizations comply with local data sovereignty regulations.
Friedman stressed the community focus of GitHub, saying this was the only way to secure code at scale.
“We want a community-powered solution, and our view is basically that the open-source community is building and maintaining all the software,” he said. “Only the community really has the expertise and the scale to actually make it secure.”