GitHub Shifts Left on Security with Its SARIF Compatibility

GitHub and CodeScan Integration Shifts Left on Security with Its SARIF Compatibility

SARIF stands for Static Analysis Results Interchange Format. In 2018, SARIF was announced as an OASIS standard for reporting the findings of static analysis tools, including detected software vulnerabilities. Since then, governments and large corporations such as Microsoft have adopted SARIF to give their users of static code analysis an additional layer of visibility.

As the home of open source, and with more than 50 million users, GitHub has taken the initiative to boost its security capabilities with the recent launch of its code scanning feature. Built for open source and enterprise developers, code scanning is based on the code analysis capabilities of CodeQL and is compatible with SARIF, allowing developers to scan their work directly on the GitHub platform.

CodeScan’s New Action

Because code scanning is built on the SARIF standard, GitHub is extensible: users can integrate third-party solutions such as CodeScan. For GitHub users who are also on the Salesforce platform, CodeScan now has a new Action on the GitHub marketplace. Called the CodeScan Scanner, this Action allows developers to get more feedback on their GitHub pull requests. Integrated directly into the GitHub workflow, CodeScan provides results directly on the platform. No new windows, tabs, or logins are necessary.

Productivity, Security, and Quality

What does this SARIF functionality mean in the grand scheme of things? SARIF opens the door to greater security measures on the GitHub platform. Developers now have access to their static analysis results earlier, improving their productivity and efficiency.

Instead of losing time in the QA development loop, development teams, whether they use CodeScan's Scanner or GitHub's CodeQL, can export their static analysis results in SARIF format and view them on the GitHub platform. Visibility at this early stage of coding is aligned with the shift-left trend. As companies ship products more quickly, teams have been moving towards agile development methods, looking for ways to optimize productivity and create cleaner products while reducing bottlenecks in their pipelines. SARIF compatibility on GitHub gives developers a way to do so.
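SARIF is a JSON format, and GitHub code scanning ingests any tool's results that conform to it. As an added example that is not CodeScan's or GitHub's code, the script below builds a minimal SARIF 2.1.0 document from constructed findings (the tool name, rule ids, file names and messages are all made up) and triages it by severity the way a pull-request gate might:

```python
import json

# Published SARIF 2.1.0 schema; GitHub code scanning accepts documents of this version.
SARIF_SCHEMA = "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json"


def make_sarif(tool_name, findings):
    """Wrap findings in a SARIF 2.1.0 document with a single run.
    Each finding is a tuple: (rule_id, level, message, uri, start_line)."""
    rules, results = {}, []
    for rule_id, level, message, uri, line in findings:
        # Every ruleId used by a result should be declared once under tool.driver.rules.
        rules.setdefault(rule_id, {"id": rule_id, "shortDescription": {"text": message}})
        results.append({
            "ruleId": rule_id,
            "level": level,                      # one of: none, note, warning, error
            "message": {"text": message},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": line}}}],
        })
    return {"$schema": SARIF_SCHEMA, "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                      "results": results}]}


def triage(sarif, fail_on=("error",)):
    """Count results per level across all runs and collect the ones that should
    block a merge. Returns (counts, blocking) where blocking lists 'uri:line ruleId'."""
    counts, blocking = {}, []
    for run in sarif["runs"]:
        for r in run["results"]:
            level = r.get("level", "warning")    # SARIF default when level is omitted
            counts[level] = counts.get(level, 0) + 1
            if level in fail_on:
                loc = r["locations"][0]["physicalLocation"]
                blocking.append(f'{loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]} {r["ruleId"]}')
    return counts, blocking


# Constructed sample findings, shaped like what an Apex scanner might emit (not real output).
SAMPLE = make_sarif("example-scanner", [
    ("apex-soql-injection", "error", "Query string built from unvalidated input", "classes/AccountCtrl.cls", 42),
    ("apex-unused-variable", "note", "Local variable is never read", "classes/AccountCtrl.cls", 17),
    ("apex-missing-sharing", "warning", "Class declared without a sharing keyword", "classes/Batch.cls", 1),
])

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2))          # this is the file a SARIF upload step consumes
    print(triage(SAMPLE))
```

On GitHub, a file like this is published to the code scanning tab with the `github/codeql-action/upload-sarif` action; the triage step shows how a team can act on the same data before it ever reaches QA.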

Develop high quality, secure code!
