GitHub launches code analysis tool for JavaScript and TypeScript projects

GitHub has released a new scanner for its platform that allows users to check their repositories for the most common threats targeting the development language chosen for their code base.

Launched Thursday as a free public beta for all users, the feature uses machine learning and deep learning to analyze codebases and identify common security vulnerabilities before a product ships.

The experimental feature is currently available to all platform users, including GitHub Enterprise users as an advanced GitHub security feature, and can be used for projects written in JavaScript or TypeScript.

The tool is designed to find the four most common vulnerabilities affecting projects written in these two languages: cross-site scripting (XSS), path injection, NoSQL injection, and SQL injection.

Such attacks can result in attackers executing malicious code on victim machines or taking over entire databases, resulting in the compromise or theft of sensitive data.

“Together, these four types of vulnerabilities explain many of the recent vulnerabilities in the JavaScript/TypeScript ecosystem, and improving the ability of code analysis to detect these vulnerabilities early in the development process is essential to help developers to write more secure code,” said Tiferet Gazit, Senior Machine Learning Engineer, and Alona Hlobina, Product Manager, both at GitHub, in a blog post.

Developers can analyze their code using the platform’s machine learning-based CodeQL engine, querying their code as if it were data.

Open source queries are written by experts in the GitHub community and are designed to recognize as many variants of a type of vulnerability as possible in a single query.

Users can search for the best queries related to the vulnerabilities they are trying to identify and run them against their own code base for effective security analysis.

“With the rapidly evolving open source ecosystem, there is a long and growing long tail of libraries that are less commonly used,” Gazit and Hlobina said. “We use examples highlighted by manually crafted CodeQL queries to train deep learning models to recognize these open-source libraries, as well as closed-source libraries developed in-house.”

Due to the open source nature of the queries, they can be constantly updated with additional enhancements to detect more vulnerability variants with a single query and recognize emerging libraries and frameworks.

Identifying emerging libraries is particularly important, GitHub said, because it helps identify untrusted user data streams, which are often the root of security issues.

GitHub said that with the experimental feature still in beta, users can expect a higher false positive detection rate compared to a standard CodeQL scan, but that will improve over time.

Featured Resources

Oracle Analytics for Dummies

No data overload

Download now

Why smart enterprises view a data factory as an inevitable approach to becoming data-driven

Adopt a data-driven strategy for success

Free download

Putting the insurance industry back in good hands

The role of payments in digital transformation

Free download

The Top 3 Computer Problems of the New Reality and How to Fix Them

Increase resilience with unified operations and service management

Free download

Comments are closed.