Last week, we launched code scanning for all open source and enterprise developers, and we promised we’d share more on our extensibility capabilities and the GitHub security ecosystem. Today, we’re happy to introduce 10 new third-party tools available with GitHub code scanning. These open source projects and static application security testing (SAST) solutions bring a wide array of additional security tools directly into the developer workflow, ensuring that vulnerabilities can be identified and fixed before they are committed to the code base. You can enable these additional capabilities on your public repository today!
Code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production. Code scanning is powered by GitHub’s CodeQL static scanning engine and is extensible to include third-party security tools. Extensibility provides a lot of flexibility and customizability for teams while maintaining the same user experience for developers.
This capability is especially helpful if you:
- Work at a large organization that’s grown through acquisitions and has teams running different code scanning tools;
- Need additional coverage for specific areas such as mobile, Salesforce development, or mainframe development;
- Need customized reporting or dashboarding services;
- Or simply want to use your preferred tools while benefiting from a single-user experience and single API.
What makes this possible is GitHub code scanning’s API endpoint that can ingest scan results from third-party tools using the open standard Static Analysis Results Interchange Format (SARIF).
Third-party code scanning tools are initiated with a GitHub Action or a GitHub App based on an event in GitHub, like a pull request. The results are formatted as SARIF and uploaded to the GitHub Security Alerts tab. Alerts are then aggregated per tool and GitHub is able to track and suppress duplicate alerts. This allows developers to use their tool of choice for any of their projects on GitHub, all within the native GitHub experience.
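As an added example (not code from the original post or from any of the vendors listed), the following Python script builds the SARIF 2.1.0 document that the code scanning endpoint ingests. The tool name, rule ids, findings and the fingerprint key name are constructed assumptions; the fingerprint deliberately ignores the line number so that an alert survives a file edit that shifts lines.

```python
import hashlib
import json

# Constructed sample findings, shaped like what a third-party scanner emits.
FINDINGS = [
    {"rule": "SQLI-001", "desc": "SQL query built by string concatenation",
     "level": "error", "file": "app/db.py", "line": 42,
     "snippet": "cur.execute(query + name)"},
    {"rule": "SECRET-003", "desc": "Hard-coded credential",
     "level": "warning", "file": "app/config.py", "line": 7,
     "snippet": "API_KEY = 'placeholder'"},
]

def fingerprint(finding):
    """Stable hash of rule + file + snippet. GitHub de-duplicates alerts on the
    partialFingerprints values it is given, so leaving the line number out keeps
    the same alert id when code above the finding moves (assumed key scheme)."""
    raw = f"{finding['rule']}|{finding['file']}|{finding['snippet']}".encode()
    return hashlib.sha256(raw).hexdigest()

def to_sarif(findings, tool_name="example-scanner", version="0.1.0"):
    """Return a SARIF 2.1.0 dict with one run, declared rules and results."""
    rules = {f["rule"]: {"id": f["rule"], "shortDescription": {"text": f["desc"]}}
             for f in findings}
    results = [{
        "ruleId": f["rule"],
        "level": f["level"],
        "message": {"text": f["desc"]},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
            "region": {"startLine": f["line"], "snippet": {"text": f["snippet"]}}}}],
        # Custom fingerprint key name; constructed for this example.
        "partialFingerprints": {"exampleScanner/v1": fingerprint(f)},
    } for f in findings]
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "version": version,
                                       "rules": list(rules.values())}},
                  "results": results}],
    }

if __name__ == "__main__":
    # Write the file a workflow step would hand to the SARIF upload action.
    with open("results.sarif", "w") as fh:
        json.dump(to_sarif(FINDINGS), fh, indent=2)
```

The written results.sarif is the artifact a workflow step such as github/codeql-action/upload-sarif sends to the code scanning API; every result's ruleId must match a declared rule or the upload is rejected.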
To get started, check out the GitHub Actions and Apps available on the GitHub Marketplace or navigate to the Security tab in your repository and configure a workflow – you’ll find all these available directly in the GitHub code scanning UI with a pre-configured workflow available!
Check out some of the featured providers and their code scanning capabilities:
Checkmarx is the global leader in software security solutions for enterprise software development, providing Static and Interactive Application Security Testing, Software Composition Analysis, and Developer AppSec Awareness Training to remediate risk and vulnerabilities. Checkmarx is trusted by more than 40 of the Fortune 100 companies and half of the Fortune 50, including leading organizations like SAP, Samsung, and Salesforce.
Using the GitHub Action, Checkmarx scan results are integrated directly into GitHub Issues, GitHub Merge Requests Overviews, and/or the GitHub Security Alerts through CodeQL, to enhance CI/CD workflows and provide actionable security insights. Combined with just-in-time AppSec awareness training via Checkmarx Codebashing, vulnerability remediation is streamlined, and developers are empowered to code more securely, efficiently, and confidently.
Codacy is an automated code analysis/quality tool that helps developers ship better software, faster. With Codacy, you get static analysis, cyclomatic complexity, duplication and code unit test coverage changes in every commit and pull request.
You can use Codacy to enforce your code quality standard, save time in code reviews, enforce security best practices and onboard developers faster. Integrate with your GitHub repositories to get quality analysis of every pull request inside GitHub.
CodeScan is the leading end-to-end static code analysis solution, built exclusively to maintain quality and security for the Salesforce platform. It has proven to reduce technical debt, empower developers to write higher quality code and integrate easily into the DevOps pipeline. With a constantly expanding set of over 350 rules, CodeScan has scanned over 21B lines of code and served the top 10% of Salesforce enterprise customers since 2014.
DefenseCode ThunderScan® is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing deep and extensive security analysis of application source code. ThunderScan® is easy to use, requires almost no user input and can be deployed during or after development with easy integration into your DevOps environment and CI/CD pipeline.
With ThunderScan® SAST it is very easy to meet compliance requirements such as PCI-DSS, SANS/CWE Top 25, OWASP Top 10, HIPAA, HITRUST or NIST.
ThunderScan® SAST's easy-to-use and powerful REST API allows you to customize source code scanning and scale across a large number of scanning agents.
Fortify lets you build secure software fast with an application security platform that automates testing throughout the CI/CD pipeline to enable developers to quickly resolve issues. Fortify static, dynamic, interactive, and runtime security testing technologies are available on premises or as a service, offering organizations the flexibility needed to build an end-to-end software security assurance program.
Muse makes it easy for development teams to find their most elusive bugs by fully integrating into their workflow, so they can fix bugs when it is easiest for them to do so: during code review. Muse is a Continuous Assurance platform that uses a broad range of static analysis tools to automatically analyze code at each pull request. Built for developers, Muse seamlessly integrates into the code review process, adding comments that help developers find and fix errors in their pull requests. Using a broad suite of analyzers, Muse covers a range of bug categories including performance, reliability, security, and style/standards, and is especially good at finding deep inter-procedural bugs. Muse is free forever on public repositories and supports both small teams and large enterprises.
Secure Code Warrior empowers developers to write secure code from the very beginning – achieving rapid improvements in security compliance and consistency, as well as better quality and speed of code writing. The more the platform is used, the better you’ll become at secure coding and the less time and money will be spent finding and fixing bugs.
ShiftLeft is a leading application security software provider for developers. Through industry-leading speed and accuracy, ShiftLeft maximizes developer productivity and efficiency by providing near-instantaneous security feedback on software code during every pull request. ShiftLeft products are purpose-built to insert security directly into the modern software development lifecycle; as a result, developers receive the right vulnerability information at the right time.
ShiftLeft open source tools are now available through the GitHub Marketplace, enabling developers to secure custom code and open source libraries, detect hard-coded secrets, and enable automated security workflows.
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. As a recognized leader in application security, Synopsys is the only provider with the industry-leading set of integrated tools, services, and expertise to help organizations maximize security and quality in DevSecOps and throughout the software development life cycle.
The Intelligent Security Scan GitHub Action enables teams using GitHub to trigger a Synopsys optimized SAST and/or SCA security scan of a project via the GitHub Action API. Leveraging orchestration capabilities of the Polaris DevSecOps platform, it ensures that the right security tests are run at the right time – automating test execution and delivering filtered and prioritized results directly within the GitHub code scanning user interface.
Veracode is the leading AppSec partner for creating secure software, reducing the risk of security breach, and increasing security and development teams’ productivity. Veracode Static Analysis provides fast, automated security feedback to developers in the IDE and the pipeline, and conducts a full policy scan before deployment to ensure compliance with industry standards and regulations. It gives clear guidance on what issues to focus on and how to fix them faster. Results have high accuracy without manual tuning based on 14 trillion lines of code scanned through our SaaS-based engines.
Xanitizer is the innovative static application security testing (SAST) tool developed by RIGS IT. To increase the accuracy of the analysis results and reduce the number of false alarms, it performs a data flow analysis and simulates the behavior of common web application frameworks.