DEV Community

Nishkarsh Raj

Thread - DevSecOps Automation on GitHub Thread - Part 1

Code Scanning

GitHub is investing heavily in improving the security of the open source repositories hosted on its platform, evolving from its traditional Source Code Management role toward DevSecOps using its in-house Continuous Integration platform, GitHub Actions.

Securing Software, Together

With this motto in mind, GitHub has released a new feature called Code Scanning in beta; it will be released publicly after feedback has been gathered from the users who have it in early access.

What is Code Scanning?

Code Scanning is an upcoming GitHub-native tool for finding security vulnerabilities and coding errors in repositories.

For each error or vulnerability found, GitHub creates an alert in the repository, which can be removed only after the triggering cause has been fixed.

Code Scanning is automated using GitHub Actions and can be set up with either time-driven or event-driven triggers.

The CodeQL Engine

Code Scanning uses the CodeQL engine for semantic code analysis.

QL is an object-oriented programming and query language that powers CodeQL.

CodeQL supports both compiled and interpreted languages, including C/C++, C#, Golang and others.

Third-Party Support

GitHub's Code Scanning is compatible with third-party tools, provided they emit their results in the open-standard SARIF format (Static Analysis Results Interchange Format).
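As an added example (not from the original post), the workflow below wires up both trigger styles described above and the SARIF hand-off for a third-party tool: CodeQL runs on pushes and pull requests (event-driven) and on a weekly cron (time-driven), while a second job uploads a SARIF file produced by a scanner of your choice. The Go language setting, the cron time, and the `./run-scanner.sh` invocation with its `results.sarif` output are assumptions you would replace for your own repository.

```yaml
# Added example workflow, not from the original post. Assumes a Go
# repository and a hypothetical SARIF-capable scanner invoked as
# ./run-scanner.sh; adjust both for your project.
name: code-scanning

on:
  push:
    branches: [main]          # event-driven trigger
  pull_request:
    branches: [main]          # event-driven trigger
  schedule:
    - cron: '0 3 * * 1'       # time-driven trigger: Mondays 03:00 UTC

permissions:
  contents: read
  security-events: write      # required to publish results to Code Scanning

jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: go       # assumption: the repository is written in Go
      - uses: github/codeql-action/autobuild@v2   # compiled language needs a build
      - uses: github/codeql-action/analyze@v2     # uploads CodeQL results itself

  third-party-sarif:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Placeholder: replace with the real command for your scanner.
      # It must write a SARIF file at results.sarif in the workspace.
      - run: ./run-scanner.sh --output results.sarif
      - uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```

Both jobs surface their findings as Code Scanning alerts on the repository, so a third-party tool's results are triaged in the same place as CodeQL's.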

References / Further Readings

https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning

https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning

Adios

These posts are meant to spread awareness of the latest tips and tricks for upcoming and trending technologies in the software world.

If you like this work, please support me by following me on Dev, GitHub and Twitter. Cheers! ❤️
