It is meant to run actionable security rules by default, so developers can stay focused on their project instead of being overwhelmed by bug reports. Code is scanned as it is written, and actionable security reviews are compiled within pull requests and coupled with other GitHub experiences.
The code scanning technology integrates with the GitHub Actions CI/CD platform or another CI/CD environment, a process intended to ensure that vulnerabilities never make it into the finished project.
How developers can leverage GitHub code scanning technology
Developers can use GitHub code scanning technology to write a query that finds all variants of a vulnerability and share it with other developers. If a developer can write a query for one bug class, such as cross-site scripting, the same approach can be used to find any bug class.
The tool draws on the more than 2,000 queries created by the GitHub community at large, or on custom queries built to address new security concerns. Because GitHub code scanning is built on the SARIF standard, it is extensible: developers can also include open source and commercial static application security testing (SAST) solutions in the same GitHub-native experience.
Third-party scanning engines can also be integrated, so results from any of the developer's security tools can be viewed in a single interface and exported through a single API.
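As an added illustration of the integration described above (not taken from the article or from GitHub's documentation), the workflow below runs CodeQL on pushes and pull requests and, in a second job, uploads SARIF produced by an external scanner into the same Security tab. The project language (JavaScript) and the `run-scanner.sh` script are assumptions; substitute your own.

```yaml
# Added example: a GitHub Actions workflow for code scanning.
# Job 1 runs CodeQL; job 2 uploads SARIF from any third-party SAST tool.
name: "Code scanning"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

permissions:
  contents: read
  security-events: write   # required to upload results to code scanning

jobs:
  codeql:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [ javascript ]   # assumption: a JavaScript project
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Run the broader security suite rather than only the default query set
          queries: security-extended
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"

  third-party-sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Placeholder step: any scanner that emits SARIF 2.1.0 can be used here.
      - name: Run external scanner (hypothetical script)
        run: ./run-scanner.sh --output results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: external-sast   # keeps these findings distinct from CodeQL's
```

Findings from both jobs appear as code scanning alerts and as pull request annotations; the `category` values keep the two result sets from overwriting each other.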
How to get started with GitHub code scanning
GitHub code scanning is completely free for public repositories, and available for the fee-based GitHub Enterprise service through GitHub Advanced Security for private repositories.
The first beta of GitHub code scanning has scanned about 12,000 repositories 1.4 million times and discovered more than 20,000 security issues including SQL injection, remote code execution, and cross-site scripting vulnerabilities.