GitHub to scan for more vulnerabilities with machine learning
GitHub is expanding its code scanning tool with machine learning so that it flags more instances of four common vulnerability types. The machine learning tool is now available in public beta.
The new tool uses machine learning and deep learning to scan JavaScript and TypeScript code for vulnerabilities. It can detect cross-site scripting, path injection, NoSQL injection and SQL injection. According to GitHub, these four vulnerability types account for many of the recent CVEs in JavaScript and TypeScript.
The machine learning tool is an extension of the code scanner that GitHub has been offering since September 2020. Created by GitHub security experts and community members, that code scanner checks code for common vulnerabilities. To do this, it recognizes the use of libraries whose vulnerabilities are already known.
As the use of open source software has grown, according to GitHub, many more libraries have appeared that are less widely used. Because they are less popular, they are also less likely to be covered by the regular scanner maintained by community members and security experts. That is why GitHub developed the machine learning tool, which learns from the examples flagged by the existing scanner to identify vulnerabilities in other libraries. GitHub describes how the tool works in more detail on a separate page.
Developers who use the security-extended and security-and-quality suites for analysis automatically get the machine learning tool. Users can add these suites to their code scanning configuration file to activate the machine learning. GitHub does warn that, because of the tool's experimental beta status, more false positives may appear; this should decrease as the tool is used more. The machine learning tool labels its warnings differently from the regular code scanner, to indicate that the probability of a false positive is higher.