►
Description
Enabling GitHub Code Scanning is like inviting a team of security researchers to review your every pull request. By configuring Code Scanning with either CodeQL or one of our static code analysis partners you can make sure that all of your code is reviewed seamlessly for security vulnerabilities before going to production.
5:45 - demo - enable the feature
8:37 - demo - review scan results
GitHub Code Scanning goes GA
https://github.blog/2020-09-30-code-scanning-is-now-available/
Code Scanning partners
https://github.blog/2020-10-07-announcing-third-party-code-scanning-tools-infrastructure-as-code-and-container-scanning/
Code Scanning set up
https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning
Learning CodeQL
https://securitylab.github.com/tools/codeql
Justin Hutchings:
GitHub - https://github.com/jhutchings1
Twitter - https://twitter.com/jhutchings0
Sasha Rosenbaum:
GitHub - https://github.com/DivineOps
Twitter - https://twitter.com/DivineOps
As always, feel free to leave us a comment below and don't forget to subscribe: http://bit.ly/subgithub
Thanks!
Connect with us.
Facebook: http://fb.com/github
Twitter: http://twitter.com/github
Google+: http://google.com/+github
LinkedIn: http://linkedin.com/company/github
About GitHub
GitHub is the best place to share code with friends, co-workers, classmates, and complete strangers. Millions of people use GitHub to build amazing things together. For more info, go to http://github.com
A
B
B
A
B
Sure
so
code
scanning
is
sort
of
as
a
platform
piece
for
github.
It's
how
we
integrate
static
analysis,
security,
testing
tools,
and
so
the
way
you
should
think
of
that
is
when
you
write
your
own
code,
there's
a
good
chance.
You'll
introduce
a
vulnerable
pattern.
These
things
happen
all
the
time
and
code
scanning
makes
it
really
easy
by
integrating
with
your
ci
system
and
integrating
with
your
github
repo,
to
show
you
any
places
where
you
might
have
made
mistakes
and
incorporated
any
sort
of
common
failures.
We
do
this.
B
That's
right:
yeah!
If
you
go
to
the
security
tab
on
any
public
repo
you'll
find
a
button
that
says
set
up
code
scanning
and
you'll
get
a
selection
of
options
from
us
and
our
marketplace.
Partners
that
do
code
scanning
analysis.
So
codeql
is
our
first
party
offering,
but
there's
also
a
whole
slew
of
options
from
partners
that
do
things
like
container
scanning
or
infrastructure,
as
code
scanning
or
even
scanning
other
languages
that
we
do
not.
A
B
B
They
spun
it
out
and
they
created
a
company
and
they
had
this
amazing
data
flow
analysis
system
and
it
turns
out
when
you
have
a
system
that
understands
how
data
flows
through
different
programs,
it's
extremely
powerful
for
security,
and
they
built
out
an
entire
programming
language
to
allow
you
to
go
and
specify
queries
to
go
and
look
for
certain
behaviors.
You
know
so,
if
you're
looking
for
data
that
comes
from
a
user
input
that
goes
straight
into
a
database
field,
you
know
that's
a
classic
sql
injection
vulnerability.
B
Those
could
be
hard
to
spot.
Sometimes,
if
you
don't
know
that
you
know
code,
you
know,
seven
classes
away
is
actually
making
its
way
all
the
way,
through
unchanged
into
your
sql
statement
right
here,
and
so
those
are
things
that
are
really
hard
to
spot,
but
they're
extremely
high
impact
in
terms
of
what
kind
of
security
vulnerabilities
they
can
cause.
A
And
so
I
do
know
that
basically,
ql
actually
only
highlights
things
when
they're
in
use.
So
if
I
just
you
know,
do
something
like
a
sql
query
that
takes
a
parameter,
but
it's
not
coming
from
the
outside
world.
That
is
fine
and
it's
not
going
to
get
flagged.
But
if
that
parameter
is
actually
somewhere
like
four
functions
up
the
chain
is
used
in
user
input.
Then
it's
going
to
flag
it.
So
do
we
see
that
it
kind
of
reduces
the
false
positive
on
positives
on
the
cytochord
analysis,
yeah.
B
That's
certainly
our
goal
is
to
make
sure
that
whatever
we
present,
you
is
as
real
as
it
can
be,
and
so
we
do
the
a
process
that
we
call
threat,
modeling
internally,
where
we
think
about
all
of
the
different
places
that
data
could
come
from
and
we
come
up
with
a
model
for
what
that
kind
of
data
is,
whether
that's
you
know
from
a
network
endpoint.
Did
it
come
from
an
https
source
or
an
unsecured
source?
B
A
So
that's
fantastic
and
it
kind
of
goes
very
much
with
the
github
approach
to
everything
right,
open
source.
It
have
community
contributions,
build
a
community
around
us
and
have
everybody
help
everybody
build
better
software.
So
we've
talked
about
the
feature
for
a
little
bit
and
I'm
really
excited
to
see
a
demo
of
how
it
actually
works.
B
B
This
is
a
template
that
I
have
that
has
some
vulnerabilities
in
it,
but
I
haven't
configured
code
scanning
on
it
before
and
so
I'm
going
to
pop
over
to
the
security
tab
and
you'll
see
I
have
a
setup
code
scanning
button
and
you'll
see
exactly
what
I
mentioned
before.
You
can
see
codeql
right
here
at
the
top,
as
well
as
a
bunch
of
products
from
marketplace
partners,
and
this
set
is
going
to
change
depending
on
the
languages
that
are
in
your
repo.
We
tailor
that
to
what's
actually
applicable
to
you.
B
B
Yeah
so
we'll
go
into
code
ql
and
we
actually
have
a
workflow
that's
set
up
already,
and
you
know
most
of
the
time
you
don't
need
to
make
changes
to
this
at
all.
We
detect
the
languages
you
use,
we
detect
your
default
branches
and
you
know
we
auto
build
most
projects
if
you're
using
like
a
you,
know
a
c
or
c
plus
project
and
you're,
using
an
exotic,
build
system,
and
you
don't
have
a
make
file.
There's
a
chance.
B
You'll
have
to
come
in
here
and
make
some
small
changes
where
you
swap
out
the
auto
build
and
you
you
know,
run
whatever
commands.
You
would
normally
run
to
build
it,
but
most
users.
You
know
this
just
works
for
in
this
case.
This
I
know,
will
work
just
right
off
the
bat
and
so
I'm
going
to
commit
it
directly
to
our
default
branch
here,
and
so,
when
you
do
this,
the
first
time,
what's
going
to
happen,
actions
will
pick
this
up.
B
B
Because
you
know
that's
just
the
what
you
do,
but
you're
gonna
get
a
whole
bunch
of
errors,
and
so
we
built
this
in.
So
you
don't
see
those
errors
the
maintainers
have
been
ignoring.
You
only
see
the
stuff
that
you
actually
introduced,
which
is
it
makes
it
much
easier
to
actually
get
the
things
fixed.
A
B
So,
while
we're
waiting,
you
know,
I
should
tell
you
what's
kind
of
going
on
here,
so
we
initialize
codeql,
which
is
really
just
about
getting
the
environment
prepared.
This
is
javascript,
so
there's
no
build
it's
a
you
know,
interpreted
language
and
then,
when
we
did,
this
perform
coql
analysis
step.
What
it
did
is
it
scanned
all
the
code
in
the
repo
it
built
out
a
graph
database
that
understands
all
the
code
paths
in
the
project
and
then
we
ran
64
standard
queries
against
this
repo
for
certain
bad
security.
B
Behaviors-
and
you
know
that's
fully
configurable,
you
can
add
more.
You
can
take
some
away,
but
you
know
that
set
is
what
we
think
of
as
the
most
severe
and
the
most
precise
security
vulnerabilities,
and
so
once
it
finished
the
analysis,
it
uploaded
a
file
in
a
format
called
serif.
It's
a
standard,
interchange
format
for
static
analysis,
results
that
went
to
the
cloud
and
we
processed
that
on
our
side,
and
so
I
can
pop
in
and
you
can
see
the
security
tab.
B
We've
got
four
alerts
here
and
we
can
go
and
have
a
look
at
what
these
are.
So
you
know
it
says
that
I'm
missing
some
rate
limiting
here,
oh
sure,
yeah.
So
this
route
handler
is
doing
database
access,
but
yeah
we
don't
have
any
kind
of
rate
limiting,
which
is
bad
because
it
could
cause
a
denial
of
service
to
your
your
back
end.
A
B
Exactly
exactly
and
if
you're
using
this,
you
know,
we
can
prevent
a
lot
of
the
cves
that
have
been
added
to
projects.
You
probably
use
like
we
scan
for
about
a
quarter
of
the
recent
cves
for
the
entire
javascript
ecosystem,
which
it
might
sound
small.
But
when
you,
when
you've,
seen
all
the
alerts
that
have
come
through,
it's
a
ton
of
vulnerabilities
that
you
can
prevent
ever
having
occur
in
your
code.
A
B
Yeah,
so
the
product
works
exactly
the
same
for
private
repos,
except
it's
a
paid
product
that
we
sell
for
for
github,
enterprise
customers,
and
so,
if
you're
doing
this
on
your
your
work
code,
definitely
have
whoever
purchases
or
manages
your
github
relationship
reach
out
to
the
sales
team.
And
we
can
definitely
hook
you
up
with
an
opportunity
to
try
it
out
against
your
private
code
and
see
if
it's
something
that
you
want
to
purchase.
A
B
Know
one
of
the
things
that
I
think
is
so
exciting
about
this.
You
know
I
mentioned
we
use
this
standard
called
serif
to
deal
with
our
our
interchange
between
the
the
tools
and
the
product,
and
this
gives
us
the
opportunity
to
bring
in
lots
and
lots
of
different
analysis
tools,
the
things
that
are
really
impactful
that
we've
seen
out.
There
are
tools
that
are
scanning
your
containers,
so
you
know
you
could
use
anchor
or
sneak
or
aquasec
trivia.
You
know
all
those
are
going
to
scan
your
docker
files.
B
Every
time
you
push
to
see
if
there
are
any
vulnerabilities
in
the
image
that
you're
running
your
code
in
we've
also
seen
some
really
great
compilations
of
open
source
tools,
so
codec
or
shift
left
or
bringing
together.
You
know
tools
that
analyze,
php
or
python,
or
you
know
a
number
of
other
languages
just
to
give
you
a
little
bit
more
defense
in
depth,
because
every
tool
is
going
to
focus
on
sort
of
a
different
opinion
about
what
security
is,
and
so
you
can
stack
these
sort
of
things
really
easily
to
get.
A
That
sounds
fantastic,
so
obviously
we're
gonna
chat
share
all
the
links
in
the
show
notes
for
where
you
can
sign
up
how
you
can
reach
out
to
us
about
the
future,
how
you
can
enable
it-
and
things
like
that,
and
thank
you
justin
for
bringing
this
to
our
customers
and
to
open
source
repos,
and
thank
you
for
being
here
with
me.
This
has
been
pretty
awesome.