GitHub Code Scanning Now Uses Machine Learning
Written by Alex Denham   
Thursday, 24 February 2022

GitHub's code analysis technology based on CodeQL has been revamped and now uses machine learning (ML) to find potential security vulnerabilities in code.

GitHub acquired the technology behind CodeQL as part of its acquisition of Semmle. CodeQL is used by security research teams to perform semantic analysis of code, and was made open source by GitHub.

CodeQL works by building a database that contains a relational representation of the code; queries are then run against that database to look for particular security problems. The queries encode the patterns of known security problems, and writing those patterns by hand takes time.

GitHub's Tiferet Gazit said:

"Manual modeling can be time-consuming, and there will always be a long tail of less-common libraries and private code that we won’t be able to model manually. This is where machine learning comes in."

The CodeQL team uses the sinks identified by the existing manual models as training examples for deep neural networks, which then classify whether a given code snippet is a potentially risky sink.

This means CodeQL can uncover security vulnerabilities even when they arise from the use of a library the team has never seen before. For example, CodeQL can detect SQL injection vulnerabilities in the context of lesser-known or closed-source database abstraction libraries.
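To make concrete what the "manual modeling" in the quote above means, here is an added CodeQL extension (not code from the article or from GitHub): it tells the standard JavaScript SQL-injection query that the first argument of `query()` on a hypothetical, unmodeled module named `tinydb` is a sink. The module name and method are assumptions; without such a model, or the ML classifier described above, tainted data reaching that call would not be reported.

```ql
/**
 * Added example: a hand-written sink model for a hypothetical database
 * library called "tinydb" (module name and method are assumptions).
 * When this file sits alongside the standard js/sql-injection query,
 * the existing taint tracking picks up the new sink automatically.
 */
import javascript
import semmle.javascript.security.dataflow.SqlInjectionCustomizations

/** Treats the SQL string passed to `tinydb.query(...)` as a SQL-injection sink. */
class TinyDbQuerySink extends SqlInjection::Sink {
  TinyDbQuerySink() {
    // First argument of any `query(...)` member call on the `tinydb` import,
    // e.g. `const db = require("tinydb"); db.query("SELECT ... " + userInput)`.
    this = DataFlow::moduleImport("tinydb").getAMemberCall("query").getArgument(0)
  }
}
```

Every library in the long tail needs a class like this written by someone who knows its API, which is the cost the ML-based sink detection is meant to remove.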

In terms of accuracy, the team tested CodeQL on repositories that were not included in the training set and compared the alerts found by machine learning against those from a manual query written by a security expert. On average they measured a recall of approximately 80% and a precision of approximately 60%.

The team is currently extending ML-generated alerts to more JavaScript and TypeScript security queries, as well as working to improve both their accuracy and their runtime. Future plans include expansion to more programming languages.
