Last year, GitHub acquired the code analysis platform Semmle, and now we can see this acquisition in practice: a new code scanning security feature has just been rolled out for all users. The new feature is available in public repositories, and in public and private repositories owned by organizations with a license for Advanced Security.
To enable the new feature simply navigate to the Security tab, then to the right of “Code scanning”, click Set up code scanning.
Then under “Get started with code scanning”, click Set up this workflow on the CodeQL analysis workflow or on a third-party workflow. You can also customize how code scanning scans your code, by editing the workflow.
Finally, after you commit the workflow file or create a pull request, code scanning will analyze your code according to the frequency you specified in your workflow file. If you created a pull request, code scanning will only analyze the code on the pull request’s topic branch until you merge the pull request into the default branch of the repository.
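As an added example (not GitHub's own workflow template), here is a minimal CodeQL workflow that shows where the scan frequency and the branch behaviour described above are configured. It assumes the repository's default branch is `main` and that the code is JavaScript; adjust both to your project.

```yaml
# .github/workflows/codeql-analysis.yml (example added here, not the stock template)
name: "CodeQL"

on:
  # Scan every push to the default branch (assumed to be "main").
  push:
    branches: [ main ]
  # Scan pull requests targeting main: only the PR's topic branch is analyzed
  # until the PR is merged, and findings are reported on the PR itself.
  pull_request:
    branches: [ main ]
  # Scheduled scan: picks up newly released queries even when no code changed.
  # Cron is in UTC; this runs every Monday at 06:30.
  schedule:
    - cron: '30 6 * * 1'

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      # Required so the action can upload results to the Security tab.
      security-events: write
      contents: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          # Language is an assumption for this example; list every language in the repo.
          languages: javascript
          # Run the broader security query suite rather than the default set.
          queries: security-extended

      # For compiled languages (C/C++, C#, Go, Java) add a build step here,
      # e.g. github/codeql-action/autobuild@v3, so CodeQL can observe the build.

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
```

Results from `push` and `schedule` runs appear under the repository's Security tab; results from `pull_request` runs are attached to the pull request, so a finding there blocks review visibility only for that topic branch until it is merged.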