
GitHub Codescanning - jedisct1
https://github.com/features/security/advanced-security/signup
======
daeken
Nice, it seems they finally integrated Semmle, which they acquired last year!
[https://github.blog/2019-09-18-github-welcomes-semmle/](https://github.blog/2019-09-18-github-welcomes-semmle/)

This is the only static analysis tool I've really been interested in over the
past few years; it's crazy effective from everything I've seen, and the
queries are easy to write. Can't wait to play around with this beta on my own
code.

------
micael_dias
The link is behind a login, I'm on my phone logged out but I believe it refers
to this[1]?

[1]
[https://github.com/features/security](https://github.com/features/security)

~~~
Someone1234
Thanks. I'm surprised a mod hasn't changed it by now, but I guess we're the
only two people not logged into GitHub.

~~~
zzo38computer
Me too, because I don't have a GitHub account (I use Fossil).

------
Signez
It seems that it will be free for open-source, public repositories, and quite
pricy for private repositories.

"A member of our sales team will reach out to discuss details" is a great
euphemism for "be ready to pay quite a few thousand bucks per year for this
feature".

~~~
lonelappde
That means the price is negotiable. Rich users pay more, poor users pay less,
both users get value, producer makes a profit; everyone wins.

~~~
adtac
What's the best way to put this politely from the seller's perspective lol. Do
sales teams do background homework on clients' revenue and then come up with
different numbers for the exact same offering?

~~~
lonelappde
Sure, why not? Or they impute value from usage.

~~~
adtac
Cost based on usage seems very fair to me, but GP said "rich users pay more,
poor users pay less," which seems to suggest that if Microsoft emailed me
asking about a SaaS subscription for 1M req/day, I should quote them orders of
magnitude more than a small startup asking for the same 1M req/day.

------
the_duke
One thing that really annoys me about Github/Gitlab et al is that they don't
provide a nice UI to show CI results in a structured way.

There are semi-standard XML formats that can be used to provide file position,
severity and message, which could easily be produced from CI actions and would
give devs and reviewers a great view of failing tests, compiler and linter
warnings, ... With links to the files etc.

Instead we are still stuck with scanning text logs to figure out what failed.

I always assumed this is not implemented to eventually upsell something
automated.

This is still a great feature though, which will probably prevent a large
amount of bugs/vulnerabilities, assuming they can minimize false positives.

To give credit where it is due, I'd also note that most of GitHub's new
features since the acquisition were already present in GitLab [1]. GitHub will
be able to commit way more resources to make it polished, though.

[1] [https://about.gitlab.com/stages-devops-lifecycle/secure/](https://about.gitlab.com/stages-devops-lifecycle/secure/)

Edit: apparently both GitLab and GitHub have at least a limited version of
this now, although GitLab's implementation seems much nicer. See below.

~~~
kuschku
Of course gitlab supports this:
[https://git.kuschku.de/justJanne/QuasselDroid-ng/pipelines/5...](https://git.kuschku.de/justJanne/QuasselDroid-ng/pipelines/563/test_report)

It can automatically parse most XML formats, JUnit for example.

~~~
sytse
Thanks! Docs for the GitLab feature to show CI results in a structured way are
on
[https://docs.gitlab.com/ee/ci/junit_test_reports.html](https://docs.gitlab.com/ee/ci/junit_test_reports.html)

GitHub Codescanning functionality is best compared to what GitLab has in
GitLab SAST
[https://docs.gitlab.com/ee/user/application_security/sast/](https://docs.gitlab.com/ee/user/application_security/sast/)
and Secret Detection
[https://docs.gitlab.com/ee/user/application_security/sast/#s...](https://docs.gitlab.com/ee/user/application_security/sast/#secret-detection)

------
frizkie
I wonder how much the difficulty of writing queries varies between languages.
I was disappointed to not see Ruby on the beta sign-up list, and GitHub being
a pretty heavy user, I'm sure they have their reasons for excluding it.

~~~
daeken
This is based on Semmle, which they acquired last year. According to their
docs ([https://help.semmle.com/lgtm-enterprise/admin/help/sys-requi...](https://help.semmle.com/lgtm-enterprise/admin/help/sys-requirements/language-support.html))
it supports C, C++, C#, Go, Java, JS, TypeScript, and Python; no Ruby. (Edit
to add: Whoops, missed that this list is also literally on the page. I had
even looked first.)

It's really hard to do any kind of static analysis on something like Ruby or
Perl where 1) you need a ton of context just to parse it properly, and 2)
tracing calls is a nightmare. Given that, I'm completely unsurprised they
haven't supported it yet.

~~~
user5994461
How hard can ruby be compared to python?

Python is very dynamic. I've used and worked on linting tools for python,
tried commercial static analyzers, and they do a pretty good job in my opinion
in spite of the language being dynamic. Not perfect but miles above anything I
would have expected.

~~~
sophiebits
In Ruby, monkeypatching is idiomatic and you can’t even tell what package any
given global came from.

------
marceloabsousa
It will be interesting to see the false positive rate...

~~~
greysteil
At GitHub we're pretty proud of the scan results from CodeQL. Currently, 70%
of alerts flagged in PRs are fixed (rather than marked as a false positive or
won't fix). We think we can get that number up to 85%+ as we gather more data
and iterate on the queries (which are all open source).

~~~
marceloabsousa
Hmm, can you please share more details about this data: what kind of
vulnerabilities you're finding, what does fix mean, what is the sensitivity of
the analyser (flow, procedure), what are the underlying abstractions regarding
memory, concurrency, etc? From the demos so far it's hard to see past a
standard taint analyser. 70% precision on a static analyser is very high for a
general purpose analyser unless you have _a lot_ of missing vulnerabilities.
The static analysis/formal verification community would be definitely
interested in getting more details about your experiments.

------
pipework
I had just stumbled on [https://gitpod.io/](https://gitpod.io/) which comes
with an extension to add a button next to the clone/download button-down
(portmanteau of button and dropdown).

I also use codeanywhere for my personal use and whenever applicable I like to
use codesandbox.io when it's JS-ish.

------
pabs3
I wonder if this uses the Static Analysis Results Interchange Format (SARIF)
standard internally.

[https://docs.oasis-open.org/sarif/sarif/v2.0/csprd01/sarif-v...](https://docs.oasis-open.org/sarif/sarif/v2.0/csprd01/sarif-v2.0-csprd01.html)

~~~
greysteil
PM for GitHub Advanced Security here.

We use SARIF as the input format so third party code analysis engines can
easily integrate with code scanning. Their results can then be shown in the
same way that scans using our own CodeQL analysis engine are displayed.

Docs on how we translate each SARIF property into the code scanning display
are below:

[https://help.github.com/en/github/finding-security-vulnerabi...](https://help.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-sarif-support-for-code-scanning)

(The beta notice on that page is very relevant here - we wanted to build
extensibility options into code scanning from its inception, but whilst it is
in beta the API won't be 100% stable. We'll do our best to avoid any
unnecessary churn.)

------
0x49d1
Seems like a competitor to [https://snyk.io/](https://snyk.io/) . Let's see
when it comes out.

~~~
Hawxy
Snyk is focused on dependency scanning and license management. This is static
code analysis, more akin to sonarsource.

------
pabs3
Anyone know if there are any open source projects for doing secret scanning?
Or if this uses any open source code scanning projects?

------
glram
This is really nice. Even with code review secrets still slip through the
cracks. I imagine this will be quite pricey tho.

------
p0rkbelly
Hopefully this helps with people committing up their AWS access keys...

~~~
greysteil
PM for GitHub Advanced Security here.

We handle that with secret scanning - code scanning focusses on static
analysis of your code to find vulnerabilities in your code, rather than
committed secrets.

We have a partnership with AWS (and many other token issuers) that handles
this really nicely. If anything that looks like an AWS credential is committed
to a public repo we send it over to AWS - if it's a real token they notify the
token's owner (and in some cases automatically revoke the key).

There's full details at [https://help.github.com/en/github/administering-a-repository...](https://help.github.com/en/github/administering-a-repository/about-secret-scanning).
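
An added example, not code from GitHub or anyone in this thread, that ties the two greysteil posts above together: a toy check that flags strings shaped like AWS access key IDs (the secret-scanning case) and emits the findings as a minimal SARIF 2.1.0 log, the input format code scanning accepts from third-party analysis engines. The tool name, rule id, file path and the AKIA... value are all constructed placeholders.

```python
import json
import re

# Constructed sample input (not from the thread): three lines of a committed
# settings file. The AKIA... value is a made-up 20-character placeholder.
SAMPLE_URI = "config/settings.py"
SAMPLE_LINES = [
    'REGION = "us-east-1"',
    'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"',
    "TIMEOUT = 30",
]

# AWS access key IDs are 20 characters: a four-letter prefix (AKIA for
# long-term keys, ASIA for temporary ones) followed by 16 upper-case
# letters or digits. Matching the shape alone is enough to raise an alert.
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")


def scan_lines(lines):
    """Return (line, column) pairs, both 1-based as SARIF regions expect."""
    hits = []
    for lineno, text in enumerate(lines, start=1):
        for m in AWS_KEY_RE.finditer(text):
            hits.append((lineno, m.start() + 1))
    return hits


def to_sarif(hits, uri, tool_name="hypothetical-secret-scanner"):
    """Wrap findings in a minimal SARIF 2.1.0 log. The matched string is
    deliberately not copied into the message, so the uploaded log itself
    does not leak the secret a second time."""
    results = [
        {
            "ruleId": "aws-access-key-id",
            "level": "error",
            "message": {"text": "String with the format of an AWS access key ID"},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {"uri": uri},
                    "region": {"startLine": line, "startColumn": col},
                }
            }],
        }
        for line, col in hits
    ]
    return {
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name}}, "results": results}],
    }


if __name__ == "__main__":
    print(json.dumps(to_sarif(scan_lines(SAMPLE_LINES), SAMPLE_URI), indent=2))
```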

~~~
lonelappde
Please clarify who "we" is in your comments.

~~~
greysteil
Done - thanks!

------
978e4721a
Another electron app, nothing to look at here.

