Last year, Github acquired the code analysis platform Semmle and now we can see this acquisition in practice : a new code scanning security feature have just been rolled out for all users. The new feature is available in public repositories, and in public and private repositories owned by organizations with a license for Advanced Security.
To enable the new feature simply navigate to the Security tab, then to the right of “Code scanning”, click Set up code scanning.
Then under “Get started with code scanning”, click Set up this workflow on the CodeQL analysis workflow or on a third-party workflow. You can also customize how code scanning scans your code, by editing the workflow.
Finally after your commit, the workflow file or create a pull request, code scanning will analyze your code according to the frequency you specified in your workflow file. If you created a pull request, code scanning will only analyze the code on the pull request’s topic branch until you merge the pull request into the default branch of the repository.
The new CodeQL feature supports only C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers. While PHP is classified as the 5th most active programming language on Github, it’s not supported by the new security code scanning feature. PHP developers have lots of alternatives depending on the framework you are using, or simply using static analysis tools such as Psalm and PHPStan.
