Code scanning detects more security issues, supports new language versions

GitHub code scanning helps open source maintainers and organizations find potential vulnerabilities in their code, before these can make their way into deployments. CodeQL, our very own analysis engine, powers the majority of those checks. Over the past few months, we have been working hard to improve the depth and breadth of our analysis to cover more CWEs, add support for a host of new language versions, and improve our platform compatibility.

Before we dive into the details: If you haven’t tried GitHub code scanning with CodeQL yet, you can enable it now on your repositories by following this guide! It’s free for open-source projects and available as part of GitHub Advanced Security for our enterprise customers.

All improvements below are available to users of GitHub code scanning on GitHub.com today, and will be part of the next GitHub Enterprise Server release (GHES version 3.5). Users of other GHES versions can also update their CodeQL version to benefit from these analysis improvements straight away.

Language Support

Today, CodeQL already supports JavaScript/TypeScript, Python, Ruby, Java, C#, Go, and C/C++. These languages are themselves under constant development, and we now support the following language versions:

  • C# 10 / .NET 6,
  • Python 3.10,
  • Java 17, and
  • TypeScript 4.5

The standard language features in those language releases are now fully supported by CodeQL.

Performance and Compatibility

For our Linux users, we have fixed an issue that caused the CodeQL CLI to be incompatible with systems running glibc version 2.34 and older.

For users of the CodeQL Apple Silicon support (beta), we are now bundling a native Java runtime for improved performance. Rosetta 2 and macOS Developer Tools are still required for other CodeQL components.

Security Coverage

The Common Weakness Enumeration (CWE) system is an industry-standard way of cataloging insecure software development patterns. CodeQL runs hundreds of queries out of the box that are able to detect an even greater number of CWEs. We went back through our existing queries, and aligned dozens of them with updated CWE IDs to give users better insight into the potential impact of a security issue when an alert is flagged up by code scanning.

We’ve added and improved detection for a large number of CWEs. These are the most significant changes:

  • CWE-190 – Integer Overflow: The cpp/uncontrolled-arithmetic query for C/C++ detects potential user-controlled inputs to calculations that could produce an overflow condition
  • CWE-319 – Cleartext Transmission of Sensitive Data: The cpp/cleartext-transmission query for C/C++ detects network transmissions of sensitive data without encryption
  • CWE-120 – Buffer Overflow: The cpp/very-likely-overrunning-write query for C/C++ now detects cases of out-of-bounds writes based on advanced range analysis
  • CWE-732 – Incorrect Permission Assignment for Critical Resource: The cpp/open-call-with-mode-argument (and optional cpp/world-writable-file-creation) query for C/C++ detect issues that could lead to stack memory disclosure or attacker-writable files
  • CWE-295 – Improper Certificate Validation: The java/insecure-trustmanager query for Java now detects missing or lax certificate handling that could lead to man-in-the-middle attacks
  • CWE-829 – Inclusion of Functionality from Untrusted Control Sphere: The js/insecure-dependency query for JavaScript/TypeScript detects dependency downloads over unencrypted communication channels
  • CWE-347 – Improper Verification of Cryptographic Signature: The js/jwt-missing-verification query for JavaScript/TypeScript detects scenarios in which a JWT payload is not verified with a cryptographic secret or public key
  • CWE-918 – Server-Side Request Forgery: SSRF detection queries for Python have been improved, and now differentiate between partially and fully (py/full-ssrf) user-controlled URLs

Behind the scenes, we’re also working on support for mobile application security, with additional support for Kotlin and Swift on our roadmap. In the meantime, we’ve also added more coverage for mobile security issues for our existing Java support:

Today, we’re announcing that the ability to prebuild codespaces is entering public beta. Prebuilding a codespace enables fast environment creation times, regardless of the size or complexity of your repositories. A prebuilt codespace will serve as a ‘ready-to-go’ template where your source code, editor extensions, project dependencies, commands, and configurations have already been downloaded, installed, and applied so that you don’t have to wait for these tasks to finish each time you create a new codespace.

As a part of this release we’ve made improvements to the set-up process for prebuilds, as well as added support for GitHub-managed Actions workflows that will automatically prebuild a codespace for any configured repository’s branch and region(s). Additionally, since prebuild configurations are built on GitHub Actions virtual machines, repository admins will have access to a rich set of logs to help with efficient debugging in case failures occur.

Prebuilt codespaces are available in beta for all GitHub Enterprise Cloud and Team organizations. Repository admins can head over to their repository’s settings page and create prebuild configurations under the Codespaces tab. Once set up, you can take advantage of fast codespace creation by selecting machine types with the ‘prebuild ready’ tag.

Check out the prebuilds documentation to help you get started!

See more

Today, we are sharing new updates to our projects (Beta) experience, including some highly requested filtering additions and more on our continued investments into project insights.

👉 New filter syntax

With more filter flexibility, you'll have several new ways to work with filters in your projects, including:

  • Assignee:@me – use our new @me filter alongside the assignee field to show items assigned to you.
  • Iterations @next and @previous – easily filter to the next or previous iteration as enhancements to the existing iterations filter @current.
  • Number and date type fields now support all existing GitHub search syntax – including >, >=, <, <=, n..*, *..n and n..n.

Filtering

🏝 Iteration breaks

In our last update we made iterations more flexible with adjustable dates and lengths. We've built on that by adding in breaks making it easy to communicate when you and your team are taking time out from their iterations.
adding an iteration break

📈 Persistent charts

The insights alpha continues to improve based on your feedback. Previously we introduced chart filters, helping you get to the insights you care about. With the addition of persistent charts, you can now save and name these filtered charts to share with your team – just like you can with views.

insights-filters

Join the discussion to share your feedback and experience with the insights alpha.

✨ Bug fixes & improvements

Other changes include:

  • When editing a project description or README, the cursor will default to the end of the text rather than the start.
  • Bug fix where adding a second filter after a comma would replace the original filter.
  • An or filter can now be created when using the iterations @current option. For example: Iteration:@current,iteration-10 will correctly return all items in either the current iteration or in iteration-10.
  • Bug fix where focus is lost after adding an item from the suggestion menu.

See how to use GitHub for project planning with GitHub Issues, check out what's on the roadmap, and learn more in the docs.

See more