Friday, May 24, 2024

GitHub Unveils AI-powered Security Testing for Code Safety


When it comes to hosting the world’s largest software repository, GitHub knows any way it can help make software more secure is amplified massively worldwide.

“We’re excited about how these new AI advancements will meet developers where they are, and make their code more secure,” said GitHub senior director of product management Justin Hutchings.

GitHub has already released significant application security features over the years. One of them is Dependabot, a free tool that automatically scans GitHub repositories for security issues in their dependencies and can also open pull requests for you that upgrade those dependencies to patched versions. Other application security features include Code Scanning and Secret Scanning, both of which are free for open-source repositories and available as add-ons for private repositories.

Additionally, GitHub has invested in generative AI, as seen through its Copilot tool, which has already proven to deliver strong productivity and satisfaction results among developers.

Today’s announcements from GitHub fuse both its security and generative AI work to deliver even more powerful security features, powered by artificial intelligence.

The first of these is Code Scanning autofix, which meets developers right at the time of a pull request and quickly advises whether your new code introduces a vulnerability such as a SQL injection flaw. The new capability informs you at the time of the pull request and offers a solution then and there. The developer can choose to apply the offered fix or continue to edit and validate on their own. Either way, this capability will dramatically improve the time to remediation for security flaws by identifying them at the moment the code is checked in. Right now, autofix supports CodeQL, JavaScript, and TypeScript.

The next is a significant enhancement to Secret Scanning. Previously, Secret Scanning would tell developers if they had accidentally published things like public cloud credentials, GitHub security tokens, or other well-known, well-defined kinds of secrets. Secret Scanning is a huge feature on its own; many a developer has sadly discovered that their AWS bill skyrocketed after committing their AWS keys into a public repo, at least until GitHub’s Secret Scanning caught it for them.

Yet what if your secret is not so well-defined? Let’s say you publish a password like “FootballFan99!”: it is not something a regular expression or pattern-searching tool will identify as a secret that shouldn’t be disclosed to the world. It turns out generative AI is incredibly good at identifying these, however, because it understands the context and semantics that the text appears in. And so Secret Scanning now takes its protection up a level, protecting you and your code from disclosing all kinds of inadvertent items.
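To illustrate the gap described above, here is an added example (not GitHub’s Secret Scanning code): a scanner built only from well-defined token formats catches an AWS-style access key ID but misses the password “FootballFan99!”, while a heuristic that reads the identifier next to the literal does catch it. The token formats, the credential-word list and the sample source lines are assumptions constructed for this example.

```javascript
// Added illustration, not GitHub's Secret Scanning code: a scanner built only
// from well-defined token formats misses a plain password, while a heuristic
// that reads the identifier next to the literal catches it.

// Well-defined formats. AWS access key IDs are "AKIA" plus 16 upper-case
// alphanumerics; the GitHub PAT shape (ghp_ plus 36 characters) is assumed here.
const WELL_DEFINED_PATTERNS = [
  { kind: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { kind: "github-pat", re: /\bghp_[A-Za-z0-9]{36}\b/ },
];

// Context heuristic: a quoted literal of 8+ characters assigned to a name that
// ends in a credential-like word (password, secret, token, ...). The value
// itself is unremarkable; the surrounding identifier is the signal.
const CONTEXT_RE =
  /(?:password|passwd|pwd|secret|api_?key|token)\s*[:=]\s*["']([^"']{8,})["']/i;

// Pattern-only check: what a regex-based scanner sees.
function matchWellDefined(line) {
  for (const p of WELL_DEFINED_PATTERNS) {
    const m = p.re.exec(line);
    if (m) return { kind: p.kind, value: m[0] };
  }
  return null;
}

// Context check: what the pattern scanner cannot see.
function matchContextual(line) {
  const m = CONTEXT_RE.exec(line);
  return m ? { kind: "contextual-credential", value: m[1] } : null;
}

// Combined scan of a whole file; reports 1-based line numbers.
function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    const hit = matchWellDefined(line) || matchContextual(line);
    if (hit) findings.push({ line: i + 1, ...hit });
  });
  return findings;
}

// Constructed sample file; the AWS key is the documented placeholder value.
const SAMPLE_SOURCE = [
  'const awsKeyId = "AKIAIOSFODNN7EXAMPLE";',
  'const dbPassword = "FootballFan99!";',
  'const greeting = "Hello, world";',
].join("\n");

console.log(scanSource(SAMPLE_SOURCE));
```

Line 1 of the sample is found by the AWS pattern alone; line 2 is found only by the context heuristic, which is the class of secret the article says pattern matching cannot see.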

Additionally, GitHub has announced a regular expression generator for custom patterns. For something with ‘regular’ in its name, I don’t know many developers who can expertly craft a complex RegEx without looking up reference material, and GitHub has made it easier with the new generator. Simply answer some form-based questions and the generative AI behind the scenes will construct the RegEx for you.

Bringing everything together is the new GitHub security overview dashboard. This allows not only developers but also security managers and administrators to understand the company’s holistic security posture through the lens of risk, remediation, and prevention.

GitHub will launch these features in differing previews, with sign-ups available right now to advanced security customers.

With these new application security features, GitHub continues its sober mission of being the largest custodian of software on the planet. Any change GitHub makes, no matter how small or incremental, that improves software quality, security, or development time is magnified over and over across millions upon millions of developers and repositories, and trillions of lines of code.

“It’s why all of us at GitHub get up to work every day,” Hutchings said. “We impact every piece of software on the planet, and it’s exciting knowing you can make those improvements day to day.”
