GitHub launched new features that scan code to find the most common types of vulnerabilities. Code scanning, an experimental feature, uses a new deep learning model and is currently available in public beta for JavaScript and TypeScript repositories. The new feature can raise alerts for four common vulnerability patterns: cross-site scripting (XSS), path injection, NoSQL injection, and SQL injection, which together account for many of the recent vulnerabilities in the ecosystem.
CodeQL analysis engine
GitHub’s new solution focuses on detecting cross-site scripting (XSS), path injection, NoSQL injection, and SQL injection
GitHub’s feature is powered by the CodeQL analysis engine. CodeQL can be enabled to run queries against the codebase. These queries are created by community members and GitHub security experts. They are crafted carefully to recognize specific vulnerability types as precisely as possible and to provide broad Common Weakness Enumeration coverage. The team also updates the queries continuously.
GitHub is using these examples to train deep learning models, allowing the new solution to recognize open-source libraries as well as closed-source libraries developed in-house. GitHub also warned users to expect false positives while it improves and tests its machine learning models. GitHub expects results to get better over time, as with most machine learning models.