- Регистрация
- 09.02.2010
- Сообщения
- 270
- Реакции
- 41
- Баллы
- 28
- Native language | Родной язык
- English
Over the last year, GitHub has brought a number of enhancements to
Have you tried scanning your Ruby codebases? We announced the
You can also test your mobile applications with the
Kotlin marks our first investment in mobile application security, and beta support for Swift will be coming later this year.
That isn’t to say you can only take advantage of testing for new languages. We’ve also made improvements to our current language support, including:
All of this means that you can scan even more of the languages you use every day, to ensure your applications ship securely.
Code scanning uses CodeQL queries to detect security vulnerabilities. The use of queries might sound complex, but we make it easy by providing out-of-the-box queries, written and curated by GitHub researchers and community security researchers, covering everything from the most critical to common vulnerabilities. We also give developers the ability to write custom queries in order to check for specific bugs or vulnerabilities that may have caused them problems in the past.
We’ve added a number of new queries to help you easily take advantage of CodeQL’s analysis capabilities. CodeQL now ships with 318 default security queries, an increase of 27% from last year, with the option to enable up to 432 with the extended query pack.
Together with Dependabot alerts, these queries cover all applicable OWASP categories, 100% of SANS CWE Top 25, and 100% of WASC’s applicable categories. This not only means that security teams can be confident that CodeQL is detecting the most critical vulnerabilities, but that developers can review them right in the pull request.
For a full list of CWE-based coverage, please see our
Finally, we’ve made a number of improvements to the experience of using CodeQL. We added
For security researchers,
The GitHub community has also been a key factor in the success of CodeQL, with users sharing resources and knowledge, and contributing to the development of the platform. For instance, the GitHub community was instrumental in helping add new out-of-the-box queries to analyze your codebase for security risk this year.
These new features and integrations have made it easier for developers to build secure code from the beginning, and for security researchers to catch vulnerabilities before they become a problem.
If you’re looking to get started with CodeQL and code scanning on your repository, you can easily enable it with our new
We’re always looking for ways to improve the products, so drop your comments
You do not have permission to view link please Вход or Регистрация
, the semantic analysis engine that powers code scanning. You can now scan new languages, detect new types of CWEs, perform deeper analyses of your applications, and enjoy improvements to the user experience. Let’s check out some of these major enhancements to CodeQL and learn how you can take advantage of them in your environment.Test new ecosystems
Have you tried scanning your Ruby codebases? We announced the
You do not have permission to view link please Вход or Регистрация
for CodeQL at GitHub Universe 2022. We’ve made a number of improvements since our beta, including doubling the number of default queries, providing coverage for all Ruby-related OWASP categories out-of-the-box, and optimizing performance to deliver tests in less than five minutes for 90% of beta users. To date, users scanning their Ruby codebases have fixed over 4,000 alerts, and on an average day we run almost 5,000 Ruby analyses.- Matt McQuillan / Director of Engineering Services / Hashicorp
You can also test your mobile applications with the
You do not have permission to view link please Вход or Регистрация
for CodeQL! CodeQL now natively supports Kotlin and mixed Java and Kotlin projects. Kotlin support is an extension of our existing Java support, and benefits from all of our existing CodeQL queries for Java, for both mobile and server-side applications.Kotlin marks our first investment in mobile application security, and beta support for Swift will be coming later this year.
That isn’t to say you can only take advantage of testing for new languages. We’ve also made improvements to our current language support, including:
- Full support for Java 19
- Full support for Go 1.19
- Build support for C#11
- Full support for Python 3.11
All of this means that you can scan even more of the languages you use every day, to ensure your applications ship securely.
Perform deeper analysis of your code
Code scanning uses CodeQL queries to detect security vulnerabilities. The use of queries might sound complex, but we make it easy by providing out-of-the-box queries, written and curated by GitHub researchers and community security researchers, covering everything from the most critical to common vulnerabilities. We also give developers the ability to write custom queries in order to check for specific bugs or vulnerabilities that may have caused them problems in the past.
We’ve added a number of new queries to help you easily take advantage of CodeQL’s analysis capabilities. CodeQL now ships with 318 default security queries, an increase of 27% from last year, with the option to enable up to 432 with the extended query pack.
Together with Dependabot alerts, these queries cover all applicable OWASP categories, 100% of SANS CWE Top 25, and 100% of WASC’s applicable categories. This not only means that security teams can be confident that CodeQL is detecting the most critical vulnerabilities, but that developers can review them right in the pull request.
For a full list of CWE-based coverage, please see our
You do not have permission to view link please Вход or Регистрация
. You can also check out our
You do not have permission to view link please Вход or Регистрация
, which contains all updates to libraries and frameworks, along with links to the queries changelog for each language.Seamlessly use CodeQL
Finally, we’ve made a number of improvements to the experience of using CodeQL. We added
You do not have permission to view link please Вход or Регистрация
to code scanning, allowing you to leverage CodeQL packs in GitHub.com and GitHub Enterprise. We also launched the ability to
You do not have permission to view link please Вход or Регистрация
. This gives you the flexibility to filter out particular checks that may not be relevant for your code base, allowing you to see more precise results for what security checks are most relevant. We’ve even improved the
You do not have permission to view link please Вход or Регистрация
, without compromising our best-in-class precision and low false-positive rate.For security researchers,
You do not have permission to view link please Вход or Регистрация
for some of the most popular open source projects. These databases are easily obtainable through the CodeQL extension for VS Code to streamline writing and running CodeQL custom queries whilst performing security research.The GitHub community has also been a key factor in the success of CodeQL, with users sharing resources and knowledge, and contributing to the development of the platform. For instance, the GitHub community was instrumental in helping add new out-of-the-box queries to analyze your codebase for security risk this year.
These new features and integrations have made it easier for developers to build secure code from the beginning, and for security researchers to catch vulnerabilities before they become a problem.
Get started with CodeQL
If you’re looking to get started with CodeQL and code scanning on your repository, you can easily enable it with our new
You do not have permission to view link please Вход or Регистрация
. As always, CodeQL is free to use on open source repositories. If you’re looking to leverage CodeQL on private repositories, you can add on GitHub Advanced Security to your GitHub Enterprise subscription.
You do not have permission to view link please Вход or Регистрация
to learn more.We’re always looking for ways to improve the products, so drop your comments
You do not have permission to view link please Вход or Регистрация
to help us improve CodeQL for you and the community.
