Last year, GitHub acquired the semantic code-analysis and security company Semmle. Now the code-hosting company is integrating Semmle's technology to provide built-in code scanning. GitHub says code scanning is a native experience that checks every ‘git push’ for potential exploits. It uses CodeQL, a tool that queries a codebase for potential bugs, to find vulnerabilities in your project. The feature is free for any open-source project.

Alongside this, GitHub also introduced secret scanning for private repositories. Notably, this feature has been available for public repositories under the name ‘token scanning’ since 2018. If you host your code on GitHub but run an instance on a popular cloud service such as AWS, Alibaba Cloud, Google Cloud, or Azure, that service may issue you a secret token or a private key. If such a secret (a password or a key, for example) is stored in a publicly readable file, GitHub will notify you and urge you to move it to a secure location. You can check the list of cloud providers this feature supports here.

For its enterprise customers, the company also launched private instances: server instances managed by GitHub and tuned to each customer's requirements.
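Secret scanning, as described above, is pattern matching over the content of every pushed file. The following script is an added example, not GitHub's implementation and not code from this article: it shows the shape of such a check as a defender might run it locally in a pre-push hook. The three detection rules (the AWS access-key-ID prefix, a PEM private-key header and a hard-coded password assignment) are illustrative assumptions rather than GitHub's rule set, the sample push is constructed, and the report names the file and line of each hit without echoing the secret itself.

```python
import re
from dataclasses import dataclass

# Illustrative rules (assumptions for this example, not GitHub's actual patterns):
# - AWS access key IDs begin with "AKIA" followed by 16 upper-case alphanumerics.
# - PEM-encoded private keys begin with a "-----BEGIN ... PRIVATE KEY-----" header.
# - A "password = '...'" style assignment with a value of eight or more characters.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)password\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}


@dataclass(frozen=True)
class Finding:
    """Location of a hit. The matched secret is deliberately not stored."""
    path: str
    line_no: int
    rule: str


def scan_file(path, text):
    """Return a Finding for every (line, rule) pair that matches in one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, rule))
    return findings


def scan_push(files):
    """files: mapping of path -> full contents of every file changed in the push."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_file(path, text))
    return findings


def should_block_push(files):
    """A pre-push hook would reject the push when any secret-like content is found."""
    return bool(scan_push(files))


# Constructed sample push: a config file and a key file leaking credentials,
# plus one clean source file. The AWS key ID is the placeholder used in AWS docs.
SAMPLE_PUSH = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DB_PASSWORD = 'hunter2hunter2'\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "AAAAconstructedkeybodyAAAA\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "app/main.py": "def main():\n    print('hello')\n",
}

if __name__ == "__main__":
    for f in scan_push(SAMPLE_PUSH):
        print(f"{f.path}:{f.line_no}: possible secret ({f.rule})")
    if should_block_push(SAMPLE_PUSH):
        print("push rejected: move secrets out of the repository first")
```

The report prints only file, line and rule name, so the hook's own output does not become a second place where the secret is written down; the same care applies when forwarding such alerts to a ticketing system or chat channel.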
— GitHub (@github) May 6, 2020

Jamie Cool, Vice President of Security at GitHub, told TNW that private instances will have enterprise-tuned features such as “enhanced security, compliance, and policy features including bring-your-own-key encryption, backup archiving, and compliance with regional data sovereignty requirements.” He added that a major theme of these features is not just to make it easier to fix vulnerabilities and alert users, but to prevent them from ever being introduced. GitHub said private instances are coming soon, and it will announce pricing later.