advanced-security



We’ve improved the depth of CodeQL's analysis by adding support for more libraries and frameworks and increasing the coverage of our existing library and framework models for several languages (C++, JavaScript, Python, and Java). As a result, CodeQL can now detect even more potential sources of untrusted user data, steps through which that data flows, and potentially dangerous sinks in which this data could end up. This results in an overall improvement of the quality of the code scanning alerts.

We carefully choose and prioritize the libraries and frameworks supported by CodeQL based on their popularity and through user feedback. The libraries and frameworks added and improved are listed below.

C/C++

JavaScript and TypeScript

Python

Java

Learn more about CodeQL and code scanning.


We've shipped a couple of changes to our APIs:

  • The code scanning API now returns the CodeQL query version used for an analysis. This can be used to reproduce results or confirm that an analysis used the latest query.
  • Admin users can now enable or disable GitHub Advanced Security for a repository through the REST API by sending the security_and_analysis object in a PATCH /repos/{owner}/{repo} request. They can also check whether Advanced Security is currently enabled for a repository with a GET /repos/{owner}/{repo} request, which returns the same object. These changes let you manage Advanced Security repository access at scale, for example from a script that walks every repository in an organization. For more information, see the repos REST API documentation.
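The following shell script is an added example, not code from the GitHub changelog or from GitHub's own tooling. It wraps the two calls described above (PATCH and GET on /repos/{owner}/{repo} with the security_and_analysis object) and adds a listing of recorded code scanning analyses. It assumes GITHUB_TOKEN holds a token for a repository admin, that curl and jq are installed, and that the query version surfaced by the code scanning API is carried in each analysis's tool.version field (an assumption; check the analyses endpoint documentation for your GitHub version). The GITHUB_API_URL override is there for GitHub Enterprise Server.

```shell
#!/bin/sh
# Added example, not from the GitHub changelog: manage GitHub Advanced Security
# on a repository through the REST API. Assumes GITHUB_TOKEN holds a token for
# a repository admin and that curl and jq are installed. The API base URL
# defaults to github.com and can be overridden for GHES.
API=${GITHUB_API_URL:-https://api.github.com}

# ghas_patch_body enabled|disabled -> JSON body for PATCH /repos/{owner}/{repo}
# Rejects anything other than the two values the API accepts, so a typo in a
# batch script cannot silently send an unexpected status.
ghas_patch_body() {
  case $1 in
    enabled|disabled) ;;
    *) echo "status must be enabled or disabled, got: $1" >&2; return 1 ;;
  esac
  printf '{"security_and_analysis":{"advanced_security":{"status":"%s"}}}' "$1"
}

# gh_api <method> <path> [extra curl args...]
gh_api() {
  method=$1; path=$2; shift 2
  curl -sS -X "$method" \
    -H "Authorization: token $GITHUB_TOKEN" \
    -H "Accept: application/vnd.github.v3+json" \
    "$@" "$API$path"
}

# set_advanced_security <owner> <repo> enabled|disabled
# Prints the status the API reports back after the change.
set_advanced_security() {
  body=$(ghas_patch_body "$3") || return 1
  gh_api PATCH "/repos/$1/$2" -d "$body" \
    | jq -r '.security_and_analysis.advanced_security.status'
}

# get_advanced_security_status <owner> <repo> -> enabled|disabled|null
# "null" means the response carried no advanced_security object, e.g. the
# repository has no GHAS licence or the token is not an admin's.
get_advanced_security_status() {
  gh_api GET "/repos/$1/$2" \
    | jq -r '.security_and_analysis.advanced_security.status'
}

# list_analysis_tool_versions <owner> <repo>
# Prints id, tool name and tool version for each recorded analysis. tool.version
# is assumed (not confirmed by the changelog text) to be where the CodeQL query
# version is surfaced; use it to confirm an analysis ran with current queries.
list_analysis_tool_versions() {
  gh_api GET "/repos/$1/$2/code-scanning/analyses" \
    | jq -r '.[] | "\(.id)\t\(.tool.name)\t\(.tool.version)"'
}

# Usage when run as a script, e.g.:
#   sh ghas.sh enable octo-org octo-repo
#   sh ghas.sh status octo-org octo-repo
case ${1:-} in
  enable)  set_advanced_security "$2" "$3" enabled ;;
  disable) set_advanced_security "$2" "$3" disabled ;;
  status)  get_advanced_security_status "$2" "$3" ;;
  analyses) list_analysis_tool_versions "$2" "$3" ;;
esac
```

To roll the setting across an organization, feed the repository names from GET /orgs/{org}/repos into set_advanced_security in a loop; the PATCH is idempotent, so re-running the script on repositories that are already enabled is harmless.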

Code scanning with CodeQL now generates diagnostic information for all supported languages.

Before analyzing your code, CodeQL first creates a CodeQL database containing all of the important information about your codebase. This database is then analyzed by executing CodeQL queries against it.

This diagnostic information tells you how much of your codebase the analysis actually covered, so you can spot extraction problems before trusting a clean result.

Diagnostic information includes:

  • Lines of code in your codebase (as a baseline)
  • Lines of code in the CodeQL database extracted from your code
  • Lines of code in the CodeQL database excluding auto-generated files and external libraries
  • Number of files successfully analyzed
  • Number of files that generate extractor errors and warnings during database creation

You can see the detailed diagnostic information in the logs of the CodeQL action run under the Actions tab.

CodeQL Action Log

You can also view the lines of code in your codebase and the lines of code in the CodeQL database by going to the Security tab and selecting Code scanning alerts.

Code scanning CodeQL security tab

Diagnostic information queries are available in CodeQL CLI 2.5.6 and later. The CodeQL bundle includes both the CodeQL CLI and a compatible set of queries.


The latest release of the CodeQL CLI supports creating CodeQL databases for multiple languages in a single command. This makes it easier for customers using CI/CD systems other than GitHub Actions to run code scanning analysis. Previously, these users had to use the separate CodeQL Runner. The Runner will continue to be available, but the recommended way to handle multiple languages in your codebase is to use the CodeQL CLI directly.

To use this new option:

  • Download the updated CodeQL bundle, which includes the updated CodeQL CLI.
  • Check out your codebase at the Git reference you want to analyze.
  • Create CodeQL databases for the supported languages in your codebase using codeql database create. You need to specify a parent directory for the databases using the --db-cluster option, and the -l option for each language you want to create a database for.

After creating the databases, you must run codeql database analyze separately for each language. Use the --sarif-category option, setting a different value for each language. The category tells code scanning that the SARIF files from these analyses belong to distinct analyses of the same commit, so each is retained rather than treated as a replacement for the previous upload. Similarly, you must run codeql github upload-results separately for the SARIF file generated by each analysis.

For more information about setting up the CodeQL CLI with your CI system, see "Running CodeQL CLI in your CI system."

The new codeql database create option for creating databases for multiple languages in a single command is available in CodeQL 2.5.6 and later. The CodeQL bundle includes both the CodeQL CLI and a compatible set of queries.
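The script below is an added example of the multi-language flow just described; it is not code from the GitHub changelog or from the CodeQL project. It assumes the bundle's codeql binary is on PATH, that the bundle resolves query suite names of the form <language>-code-scanning.qls, that GITHUB_TOKEN is set for the upload step, and that the repository, ref and commit values passed in are placeholders you replace. Setting DRY_RUN prints the commands instead of running them, which is also how the example is checked.

```shell
#!/bin/sh
# Added example, not from the GitHub changelog or the CodeQL project: drive the
# CodeQL CLI 2.5.6+ multi-language flow from a non-Actions CI system.
# Assumes `codeql` from the bundle is on PATH, that <lang>-code-scanning.qls
# resolves against the bundle's query packs, and that GITHUB_TOKEN is set for
# `codeql github upload-results`.
set -e

# Print each command instead of executing it when DRY_RUN is non-empty.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# multi_language_scan <db-root> <source-root> <owner/repo> <ref> <sha> <lang>...
#
# One `codeql database create --db-cluster` call builds a database per language
# under <db-root>/<lang>. Then, per language, one analyze and one upload. Each
# analyze gets its own --sarif-category so code scanning keeps every SARIF file
# for the commit instead of letting the last upload overwrite the others.
multi_language_scan() {
  db_root=$1; src=$2; repo=$3; ref=$4; sha=$5
  shift 5
  langs="$*"

  # Build the create command with one -l per language (POSIX sh has no arrays,
  # so the argument list is assembled with set --).
  set -- codeql database create "$db_root" --db-cluster --source-root "$src"
  for lang in $langs; do
    set -- "$@" -l "$lang"
  done
  run "$@"

  for lang in $langs; do
    sarif="$db_root/$lang.sarif"
    run codeql database analyze "$db_root/$lang" "$lang-code-scanning.qls" \
      --format=sarif-latest --output="$sarif" --sarif-category="$lang"
    run codeql github upload-results --sarif="$sarif" \
      --repository="$repo" --ref="$ref" --commit="$sha"
  done
}

# Usage: sh codeql-multi.sh /tmp/codeql-dbs . octo-org/octo-repo \
#            refs/heads/main "$(git rev-parse HEAD)" java python
if [ "$#" -ge 6 ]; then
  multi_language_scan "$@"
fi
```

The --sarif-category values are what code scanning uses to tell the per-language uploads apart; if two analyses of the same commit were uploaded with the same category, the later one would replace the earlier one in the UI, so keep the categories stable across runs and distinct across languages.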


GitHub Advanced Security customers can now specify custom patterns for use in private repo secret scanning. When a new pattern is specified, secret scanning searches a repository's entire git history for it, as well as any new commits.

User-defined patterns are in beta on GitHub.com and will be available on GitHub Enterprise Server (GHES) next quarter. They can be defined at the repository and organization level.

Learn more about custom patterns
Learn more about secret scanning
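Because a saved custom pattern is run over the whole git history, it pays to vet the regular expression locally before enabling it. The script below is an added example, not part of the changelog or of GitHub's secret scanning: it searches every commit reachable from any ref with git grep, so a secret that was committed and later deleted is still reported, which is the behaviour the feature has server-side. The acme_ token format and the throwaway repository it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the GitHub changelog): dry-run a candidate custom
# secret scanning regex against every commit in a repository's history, which
# is what the feature does once the pattern is saved. Requires git.

# scan_history <extended-regex> [repo-dir]
# Prints one line per hit as <commit>:<path>:<line>:<text>. Passing every
# commit from `rev-list --all` as a tree means a secret that was committed and
# later removed from HEAD is still found. Always exits 0 so callers can pipe it.
scan_history() {
  pattern=$1
  dir=${2:-.}
  git -C "$dir" grep -n -E -e "$pattern" $(git -C "$dir" rev-list --all) -- \
    2>/dev/null || true
}

# count_hits <extended-regex> [repo-dir] -> number of matching lines
count_hits() {
  scan_history "$1" "${2:-.}" | grep -c . || true
}

# make_demo_repo <dir>
# Constructed fixture: a fake acme_ token is committed, then replaced by an
# environment lookup, so HEAD is clean but the history is not.
make_demo_repo() {
  dir=$1
  git init -q "$dir"
  printf 'api_key = "acme_0123456789abcdef0123456789abcdef"\n' > "$dir/config.ini"
  git -C "$dir" add config.ini
  git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
    commit -q -m 'add config'
  printf 'api_key = "${ACME_KEY}"\n' > "$dir/config.ini"
  git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
    commit -q -am 'move key to env'
}

# Hypothetical token format used for the demo: a fixed prefix plus 32 hex chars.
DEMO_PATTERN='acme_[0-9a-f]{32}'

# Usage: sh vet-pattern.sh demo            (builds the fixture and scans it)
#        sh vet-pattern.sh 'regex' [dir]   (scans an existing repository)
case ${1:-} in
  demo)
    tmp=$(mktemp -d)
    make_demo_repo "$tmp"
    echo "HEAD is clean? $(git -C "$tmp" grep -q -E "$DEMO_PATTERN" HEAD && echo no || echo yes)"
    echo "hits across history: $(count_hits "$DEMO_PATTERN" "$tmp")"
    scan_history "$DEMO_PATTERN" "$tmp"
    rm -rf "$tmp"
    ;;
  '') ;;
  *) scan_history "$1" "${2:-.}" ;;
esac
```

Run the demo to see a hit attributed to the first commit and none in HEAD: that is exactly the case a new custom pattern will surface as an alert on an apparently clean repository, so expect some historical findings the first time a pattern is enabled.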


You can now configure which code scanning alert severity levels cause a pull request check to fail. This lets you prevent pull requests that generate alerts with chosen severity levels from being merged into your codebase.

This is set at the repository level, and lets you define whether alerts with severity error, warning, or note will cause a pull request check to fail.

By default, code scanning alerts with severity error will cause a pull request check failure.

Screenshot (2021-06-02) of the setting that chooses which alert severity levels fail a pull request check

For more information see "Defining which alert severity levels cause pull request check failure."


Free text search is now available for code scanning alerts. You can search code scanning results to quickly find specific alerts without having to know the exact search terms. The search is applied across each alert's name, description, and help text.

The syntax is:

  • a single word returns every alert matching that word
  • several words return alerts matching any of the words
  • a phrase in double quotes returns only exact matches of that phrase
  • the keyword 'AND' between terms returns only alerts that match all of them

Free text search on code scanning alerts

For more information, see "Searching code scanning alerts."


The new security overview for organizations and teams – which provides a high-level view of the application security risks a GitHub organization is exposed to – is now in beta for all GitHub Advanced Security customers on GitHub Enterprise Cloud.

Security overview

With the new security overview GitHub Advanced Security customers now have a single place to see the application security risks detected by code scanning, Dependabot, and secret scanning. The security overview shows both these known security risks as well as where you have unknown risks because security features haven’t been configured.

Learn more about security overview
Learn more about GitHub Advanced Security


Dependency review, in beta, helps you review dependency changes in your pull requests. But how do you find your package manifests amongst all the other files? Now you can filter the files in pull requests to see just the package manifests:

Screenshot of pull request manifest filter

What if you don't have a pull request at all? Now you can review dependency changes between any two commits, for example:

  • while creating a pull request,
  • when comparing two branches, tags, or specific commits, and
  • when viewing the history of a package manifest.

GIF of dependency review on commit diff

Learn more about reviewing dependency changes in pull requests.
