Hello Everyone! Today I will be sharing my thoughts and the steps to follow in order to use GitHub’s new feature – Code Scanning. The feature was announced last year for beta testing and is now generally available. It can be added to any of your public repositories with a few clicks, because it runs as a GitHub Actions workflow inside your existing CI/CD pipeline (for private repositories it requires GitHub Advanced Security).

So what is Code Scanning?
GitHub’s code scanning is the company’s native approach to finding security vulnerabilities in your code well before it is pushed to production. When it is set up as a GitHub Actions workflow, a scan is triggered whenever a pull request is opened against, or a commit is pushed to, the main branch of the repository. Because pull requests are scanned before they are merged, code scanning also keeps developers from introducing new problems: the alerts appear directly on the pull request. You can additionally schedule scans for specific days and times, or trigger them on other repository events. If code scanning finds a potential vulnerability or error in your code, GitHub raises an alert under the repository’s Security tab. After you fix the code that triggered the alert, the next scan of that branch closes the alert automatically.
Steps to get your repository with GitHub code scanning:
1. Head over to the Security tab in the repository you want to be scanned.

2. Click on the “Set up code scanning” button.

3. We will be using CodeQL analysis, which is maintained by GitHub, so we select “Set up this workflow”.

4. Now we commit the auto-generated workflow file to the repository.

After committing, the code scanning GitHub Action is triggered automatically by that push, and you have successfully set up your first code scan!

Hope this tutorial has taught you how to add the code scanning GitHub Action, and with it I expect that you will create much safer and more robust apps and websites, all with the power of GitHub.
Thanks!