GitHub launches automated code scanning feature for developers
GitHub enhanced its platform today with the launch of a capability called GitHub code scanning that can automatically find security issues in developers’ software projects.
The addition will not only make GitHub’s feature set more competitive but potentially also improve the security of the open-source ecosystem as a whole. The Microsoft Corp.-owned code hosting platform is home to much of the world’s open-source code, including leading projects such as Kubernetes.
The new GitHub code scanning feature is based on a tool called CodeQL that GitHub obtained last year through a startup acquisition. CodeQL allows developers to write an abstract description of a security problem, expressed as a query, and then scan their software projects for code that matches the description. The scanning runs without human input, so large code bases can be analyzed far faster than by manual review.
Developers have access to 2,000 pre-packaged CodeQL scan templates. Bugs that are detected in a project are displayed inside the GitHub interface so developers can see if their code is susceptible to attack before publishing it. There are also integrations with several development automation products that, according to the Microsoft unit, will allow companies to prevent vulnerable code from being added to internal software repositories.
GitHub is planning to expand the initial feature set over time. GitHub product manager Justin Hutchings detailed today that developers will receive the ability to expand the default selection of CodeQL scan templates by creating their own custom queries. Additionally, the Microsoft unit is readying integrations with complementary vulnerability scanning products from other companies to help users detect a broader range of security issues.
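To illustrate the "abstract description of a security problem" that CodeQL queries encode, and the kind of custom query the article says developers will be able to add, here is an example query written for this article; it is not GitHub's or CodeQL's own code. It assumes the CodeQL JavaScript standard library (the `RemoteFlowSource` and `SystemCommandExecution` classes and the `TaintTracking::Configuration` API) and describes one problem, untrusted HTTP input reaching an OS command, as a source-to-sink taint flow rather than as a list of specific code lines.

```codeql
/**
 * @name Untrusted input flows into a system command (added example, not a built-in query)
 * @description Reports data that enters from an HTTP request and reaches
 *              an OS command execution without passing through a sanitizer.
 * @kind path-problem
 * @problem.severity error
 * @id js/example-untrusted-input-to-command
 */

import javascript
import DataFlow::PathGraph

/*
 * The "abstract description" of the problem: we do not list vulnerable
 * functions by hand; we declare where untrusted data comes from (sources),
 * where it must not end up (sinks), and let the taint-tracking engine find
 * every path between them across the whole code base.
 */
class UntrustedInputToCommand extends TaintTracking::Configuration {
  UntrustedInputToCommand() { this = "UntrustedInputToCommand" }

  // Sources: anything the standard library models as remote user input,
  // e.g. request parameters, headers and bodies in Express-style handlers.
  override predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource
  }

  // Sinks: any argument that becomes part of an OS command, e.g. the
  // command string passed to child_process.exec(), as modelled by the
  // library's SystemCommandExecution concept.
  override predicate isSink(DataFlow::Node sink) {
    sink = any(SystemCommandExecution exec).getACommandArgument()
  }

  // Treat an explicit shell-escaping helper as breaking the taint chain,
  // so code that sanitizes input is not reported (assumed helper name).
  override predicate isSanitizer(DataFlow::Node node) {
    node = any(DataFlow::CallNode c | c.getCalleeName() = "shellEscape")
  }
}

// Report each complete source-to-sink path; the GitHub interface renders
// the intermediate steps so a developer can see how the data travelled.
from UntrustedInputToCommand cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "This command depends on $@ that reaches it unsanitized.",
  source.getNode(), "user-controlled input"
```

A query like this is packaged alongside the default suite in a repository's code scanning configuration, and every matching path appears as an alert on pull requests, which is how the integrations described above block vulnerable code before it is merged.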
GitHub is already seeing improvements in code security on its platform. As part of a beta program that preceded today’s launch, GitHub helped developers find 20,000 bugs in 12,00 code repositories.
GitHub code scanning is free for public (that is, open-source) code repositories and is also available as part of GitHub’s paid Enterprise version. The latter offering allows companies to use the feature to find security issues in their internal software projects.
That the feature is free for public repositories could go a long way toward encouraging adoption among open-source software maintainers. Besides reducing the attack surface of open-source projects, GitHub code scanning could also reduce the amount of time it takes to fix vulnerabilities after they’re discovered. GitHub found during the beta program that participants fixed 72% of reported bugs within 30 days.
That’s potentially a major benefit in and of itself because the sooner a vulnerability is patched, the less time hackers have to exploit it. The result is better security for the applications that use the open-source component in which the vulnerability was found.
Photo: GitHub