GitHub envisions a world with fewer software vulnerabilities

After five months in beta, the GitHub Code Scanning security feature has been made generally available to all users: for free for public repositories, as a paid option for private ones.

GitHub code scanning

“So much of the world’s development happens on GitHub that security is not just an opportunity for us, but our responsibility. To secure software at scale, we need to make a base-level impact that can drive the most change; and that starts with the code,” Grey Baker, GitHub’s Senior Director of Product Management, told Help Net Security.

“Everything we’ve built previously was about responding to security incidents (dependency scanning, secret scanning, Dependabot) — reacting in real time, quickly. Our future state is about fundamentally preventing vulnerabilities from ever happening, by moving security core into the developer workflow.”

GitHub Code Scanning

The Code Scanning feature is powered by CodeQL, a powerful static analysis engine built by Semmle, which was acquired by GitHub in September 2019.

The engine can analyze code written in C, C++, C#, Java, JavaScript, TypeScript, Python and Go, but since the Code Scanning feature is built on the open SARIF standard, it can also work with third-party analysis engines available from the GitHub Marketplace.

“We want developers to be able to use their tools of choice, for any of their projects on GitHub, all within the native GitHub experience they love. We’ve partnered with more than a dozen open source and commercial security vendors to date and we’ll continue to integrate code scanning with other third-party vendors through GitHub Actions and Apps,” Baker noted.
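Because code scanning consumes SARIF rather than a CodeQL-specific format, any scanner that emits a SARIF 2.1.0 log can have its results shown alongside CodeQL's. The following Python script is an added example, not code from GitHub, Semmle or any of the vendors named here: it converts a few constructed findings from a hypothetical scanner into a SARIF log and then checks the fields a consumer needs to attach each result to a file and line (the `EX001`/`EX002` rule ids, file paths and messages are made up for the example).

```python
"""Build and sanity-check a minimal SARIF 2.1.0 log.

Added example, not GitHub's or Semmle's code. SAMPLE_FINDINGS are
constructed data from a hypothetical scanner named "example-scanner".
"""
import json
from typing import Any

SARIF_VERSION = "2.1.0"
SARIF_LEVELS = {"none", "note", "warning", "error"}  # result.level values in the spec

# Constructed sample findings (rule ids, paths and lines are invented).
SAMPLE_FINDINGS = [
    {"rule_id": "EX001", "rule_desc": "Hard-coded credential", "level": "error",
     "message": "Password literal assigned to DB_PASSWORD.",
     "file": "src/config.py", "line": 12},
    {"rule_id": "EX002", "rule_desc": "Weak hash algorithm", "level": "warning",
     "message": "MD5 used to digest a password.",
     "file": "src/auth.py", "line": 40},
]


def build_sarif(tool_name: str, findings: list[dict]) -> dict[str, Any]:
    """Turn flat findings into a SARIF log with a single run.

    Each distinct rule_id becomes an entry in tool.driver.rules so a
    consumer can show the rule description next to every result.
    """
    rules: dict[str, dict] = {}
    results = []
    for f in findings:
        rules.setdefault(f["rule_id"], {
            "id": f["rule_id"],
            "shortDescription": {"text": f["rule_desc"]},
        })
        results.append({
            "ruleId": f["rule_id"],
            "level": f.get("level", "warning"),
            "message": {"text": f["message"]},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {"uri": f["file"]},
                    "region": {"startLine": f["line"]},
                }
            }],
        })
    return {
        "version": SARIF_VERSION,
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


def check_sarif(log: dict[str, Any]) -> list[str]:
    """Return problems found; an empty list means every result can be placed.

    The ruleId check is stricter than the spec, which allows results whose
    rule is not declared; here every result must reference a declared rule.
    """
    problems = []
    if log.get("version") != SARIF_VERSION:
        problems.append(f"version must be {SARIF_VERSION}")
    runs = log.get("runs")
    if not isinstance(runs, list) or not runs:
        return problems + ["runs must be a non-empty list"]
    for ri, run in enumerate(runs):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            problems.append(f"run {ri}: tool.driver.name missing")
        known_rules = {r.get("id") for r in driver.get("rules", [])}
        for i, res in enumerate(run.get("results", [])):
            where = f"run {ri} result {i}"
            if not res.get("message", {}).get("text"):
                problems.append(f"{where}: message.text missing")
            if res.get("ruleId") not in known_rules:
                problems.append(f"{where}: ruleId not declared in tool.driver.rules")
            if res.get("level", "warning") not in SARIF_LEVELS:
                problems.append(f"{where}: invalid level {res.get('level')!r}")
            locs = res.get("locations") or []
            if not locs:
                problems.append(f"{where}: no location")
            for loc in locs:
                phys = loc.get("physicalLocation", {})
                if not phys.get("artifactLocation", {}).get("uri"):
                    problems.append(f"{where}: artifactLocation.uri missing")
                if phys.get("region", {}).get("startLine", 0) < 1:
                    problems.append(f"{where}: region.startLine must be >= 1")
    return problems


if __name__ == "__main__":
    sarif_log = build_sarif("example-scanner", SAMPLE_FINDINGS)
    print(json.dumps(sarif_log, indent=2))
    print("problems:", check_sarif(sarif_log))
```

Running the script prints the generated log and an empty problem list; removing a result's `message` or setting `startLine` to 0 makes `check_sarif` report the defect, which is the kind of malformed input a SARIF consumer would otherwise reject or silently drop.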

GitHub Actions

Among the third parties that offer automated security scans via GitHub Actions are Checkmarx and DefenseCode.


“The major value add here is that developers can work, and stay within, the code development ecosystem in which they’re most accustomed to while using their

Top remote work tools for productivity, via GitHub, GitLab, Facebook

  • With remote work a long-term reality for many companies, tools to help employees work productively from home are critical. 
  • StackShare shared which tools are most popular on its platform, while execs from companies like Facebook, GitHub, Gitlab, and Atlassian also dished on their go-to products. 
  • It’s not just about the specific tools, though, it’s about how they’re used — including to keep company culture alive. 

Because of the pandemic, remote work has become the new normal for many tech companies. 

Firms like Facebook, Twitter, and Atlassian are allowing employees to work remotely permanently, if they wish — a practice already adopted by startups like GitLab — and adapting to new productivity products in the process. It’s not just about the tools a company uses though, but also how they use them. 

StackShare, a website for companies to share what apps they use, has seen more traffic during the pandemic on its pages for remote work tools like Zoom and Google Meet. 

“The most popular tools that we’ve seen on StackShare throughout this whole pandemic have been the ones that help keep culture — help you keep that alive,” Yonas Beshawred, founder and CEO of StackShare, told Business Insider.

Execs from GitLab, Facebook, GitHub, and more shared the tools that they’ve been using to help employees make remote work work:

Companies are turning to video conferencing tools like Zoom and even Discord

StackShare users often look up comparisons between Google Meet and Zoom, says Yonas Beshawred, founder and CEO of StackShare.

“Zoom is really popular of course, but people have all sorts of issues with it, whether it’s security or costs,” Beshawred told Business Insider. “The fact that it’s still being compared to alternatives means there’s still demand for better video chats or video

Lightstep Announces New GitHub Action, Bringing Observability Data Directly to GitHub to Avoid Problematic Code Deploys

cdCON — Lightstep, the cutting-edge distributed tracing tool founded by former Google engineers, today announced their new GitHub Action called the Lightstep Pre-Deploy Check. By automatically bringing relevant Observability data directly into the development workflow on GitHub, software developers can ensure the quality and performance of their software, before it’s actually deployed.

“This is a big shift left for how developers think about Observability,” said Daniel Spoonhower, Co-Founder and CTO of Lightstep. “DevOps is about acknowledging that it’s not good enough to ship code without worrying about how it performs in the real world. I very much believe in ‘you build it you own it’ — but I also believe that we need to make this easier by baking solutions into existing development workflows as much as possible, by automating as much as possible.”

According to the State of Software Quality 2020 report produced by OverOps, two out of three developers spend at least a day per week troubleshooting issues in their code, and are frustrated by the unknowns that come with deploying new code into cloud-based, distributed architectures. Despite the 87M+ merged pull requests per GitHub’s annual Octoverse report, to date there has been zero visibility into the health status of a system within a pull request.

“Automatically confirming production systems and services are healthy before deploying code that can impact them is a great step towards ensuring reliability, without compromising developer velocity,” said Chris Patterson, Product Manager for GitHub Actions at GitHub. “By bringing Observability data directly into the pull request process on GitHub, developers can avoid context switching, gain more ownership of how their code performs in production, and better support DevOps within their organization.”

The Lightstep Pre-Deploy Check leverages publicly-available APIs from Lightstep to provide a deployment risk summary ahead of a code