GitHub, one of the leading source code hosting services, announces the launch of a static code analysis add-on. Will this become the “silver bullet” for creating vulnerability-free software? Let’s take a look.

About a year ago, GitHub acquired Semmle, whose CodeQL allowed it to treat source code similarly to a database and perform queries within repositories. GitHub leveraged this technology to create a built-in vulnerability scanner. It was beta-tested by a few focus groups, and now it is becoming publicly available.

The maintainers of public repositories can enjoy its basic functionality for free. It includes security advisories, dependency management and alerts, secrets scanning, security policies enforcement, and authentication practices tests. It also adds security-related checks into the code review flow.

Some of the interesting facts claimed by GitHub about the new functionality are:

  • Twelve thousand repositories were scanned, and more than 20 thousand security issues were found to date
  • Discovered vulnerabilities included Remote Code Execution (RCE), SQL Injection (SQLi), and Cross-Site Scripting (XSS)
  • 72% of those were fixed within 30 days after being found

So, as you can see, the statistics focus on how many vulnerabilities were found and fixed. However, there is no mention of how many reported findings turned out not to be vulnerabilities (false positives) or how many real vulnerabilities were missed (false negatives). Both are inevitable companions of static code analysis, which examines particular parts of the code in isolation but cannot interpret the overall application data flow, business logic, threat vectors, or architecture design weaknesses.

One could compare source code analysis to examining bricks for solidity, hoping that the building made out of those bricks will be durable. However, testing each brick is not sufficient for that purpose. Researchers comparing static code analysis results to combined application security reviews conclude that its effectiveness (taking into account both false positives and false negatives) is between 30% and 60%, depending on the programming language and software complexity.
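To make the false-negative point from the two paragraphs above concrete, here is an added example (not code from the original post or from GitHub/CodeQL): a hypothetical toy static check that flags SQL assembled by string formatting, run over two constructed functions. The first is a textbook injection and gets flagged; the second is syntactically clean yet lets any caller read any invoice, a business-logic flaw the check cannot see, shown next to its hardened form.

```python
import ast
import inspect
import sqlite3
import textwrap

def find_user(conn, name):
    # Query built by f-string: a local pattern or taint rule flags this
    # without needing to understand the rest of the application
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()

def get_invoice(conn, caller, invoice_id):
    # Parameterised, so syntactically clean, yet any caller can read any invoice:
    # the missing ownership check is a design flaw, invisible to a syntax-level scanner
    return conn.execute("SELECT owner, amount FROM invoices WHERE id = ?",
                        (invoice_id,)).fetchone()

def get_invoice_fixed(conn, caller, invoice_id):
    # Hardened: the ownership rule is enforced in the query itself
    return conn.execute("SELECT owner, amount FROM invoices WHERE id = ? AND owner = ?",
                        (invoice_id, caller)).fetchone()

def string_built_sql_findings(fn) -> list:
    """Toy static check (hypothetical): report .execute() calls whose query is
    assembled by f-string, concatenation or .format(). Line numbers are offsets
    from the function's def line, since only the function's source is parsed."""
    tree = ast.parse(textwrap.dedent(inspect.getsource(fn)))
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            continue
        q = node.args[0]
        if isinstance(q, (ast.JoinedStr, ast.BinOp)) or (
                isinstance(q, ast.Call) and isinstance(q.func, ast.Attribute)
                and q.func.attr == "format"):
            findings.append(f"{fn.__name__}: line {node.lineno}: SQL built by string formatting")
    return findings

def logic_flaw_reachable() -> bool:
    """Runtime check on a constructed in-memory DB: 'bob' reads alice's invoice
    through get_invoice but not through get_invoice_fixed; neither is flagged statically."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER, owner TEXT, amount INTEGER)")
    conn.execute("INSERT INTO invoices VALUES (1, 'alice', 100)")  # constructed sample row
    leaked = get_invoice(conn, "bob", 1)
    blocked = get_invoice_fixed(conn, "bob", 1)
    return leaked == ("alice", 100) and blocked is None
```

Running `string_built_sql_findings` over the three functions gives one finding for `find_user` and none for either invoice function, while `logic_flaw_reachable()` returns `True`: the scanner's clean report says nothing about the authorization flaw.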

So, while we at Berezha Security encourage everyone to use the new GitHub source code analyzer, we would like to highlight that automated code scanning cannot ensure 100% secure software. It is a good hygiene practice that raises the security baseline; however, for the best results it must be combined with other application security practices, training, penetration tests, and advanced manual security review of highly critical code.

Stay safe and take care.