GitHub launches code scanning tool for JavaScript and TypeScript projects

GitHub has released a new scanning tool for its platform that allows users to check their repositories for the most common threats targeting their codebase’s chosen development language.

Launched on Thursday as a free public beta for all users, the feature uses machine learning and deep learning to scan codebases and identify common security vulnerabilities before a product is shipped.

The experimental feature is currently available to all users on the platform, including GitHub Enterprise users as a GitHub Advanced Security feature, and can be used for projects written in JavaScript or TypeScript.

The tool is designed to scan for the four most common vulnerabilities affecting projects written in these two languages: cross-site scripting (XSS), path injection, NoSQL injection, and SQL injection.

Such attacks can result in attackers running malicious code on victims’ machines, or taking over entire databases, leading to compromised or stolen sensitive data.

“Together, these four vulnerability types account for many of the recent vulnerabilities in the JavaScript/TypeScript ecosystem, and improving code scanning’s ability to detect such vulnerabilities early in the development process is key in helping developers write more secure code,” said Tiferet Gazit, senior machine learning engineer, and Alona Hlobina, product manager, both at GitHub, in a blog post.

Developers can scan their code using the platform’s machine learning-powered CodeQL engine, querying their code as if it were data.

Open source queries are written by experts in the GitHub community and these are designed to recognise as many variants of a vulnerability type as possible in a single query.

Users can search for the best queries relating to the vulnerabilities they're trying to identify and run them against their own codebase for efficient security analysis.

“With the rapid evolution of the open source ecosystem, there is an ever-growing long tail of libraries that are less commonly used,” said Gazit and Hlobina. "We use examples surfaced by the manually-crafted CodeQL queries to train deep learning models to recognise such open source libraries, as well as in-house developed closed-source libraries.”

Due to the open source nature of the queries, they can be constantly updated with further refinements to catch more vulnerability variants with a single query, and recognise emerging libraries and frameworks.

Identifying emerging libraries is especially important, GitHub said, because it helps identify flows of untrusted user data, which are often the root cause of security issues.

GitHub said as the experimental feature is still in beta, users can expect a higher false-positive rate of detections compared to a standard CodeQL analysis, but this will improve over time.