GitHub Code Scanning Reviews

Primarily, I am using GitHub itself. I use So mostly when we write the code itself, with unit tests that we write. In order to check the total code coverage, we use Sonar. That is one of the functionalities.

Other similar products I have not actually used. CodeQL is the only feature that I have used.

Within one day, I did everything. I created the repository, GitHub Code Scanning itself, and the AI agents for creating the dashboards and also creating multiple kinds of dashboards that I have used.

I have been using Git for approximately 13-14 years. I have used GitHub Code Scanning for about three to four years.

The primary purpose is to identify any vulnerability in the code itself.

The system logs vulnerabilities that we can immediately examine to see all the error-prone areas. The AI functionalities include predefined agents that scan through and immediately provide responses regarding the best nomenclature or code coverage percentage.

It's actually a one-time setup, and the team benefits as long as they push code and changes in the repository itself. Every time we push something, we immediately check the total deviation, whether our code coverage has improved, or if any vulnerability has been identified. There is always a metrics dashboard that we can see and identify.

Primarily, GitHub is used for doing the versioning itself in the repository. With vulnerability functionality being provided and AI agents available, it makes a complete package.

As soon as we publish our code, we immediately get to know the test code coverage. This immediately informs us about all the vulnerable areas which are not being fully tested. If we address those areas, most vulnerabilities are resolved. Even after tests are added, if by any chance the test is not treated cleanly or corner cases are missed, GitHub Code Scanning immediately flags those corners.

It's always beneficial to have because it's not humanly possible to check all corner case scenarios, but as a system where they diagnose each line item, that's very helpful.

One area for improvement would be helping developers with basic documentation. AI could be used to assist developers in this area. Currently, there is minimal information provided, but more functionality could be added along these lines.

For the given functionality it was built for, it performs excellently. For developer experience, I would rate it seven or eight out of ten. The reason being that at times it becomes very annoying as it highlights certain things which are intuitive. They require code coverage for those aspects as an extra overhead.

I have been using Git for approximately 13-14 years. I have used GitHub Code Scanning for about three to four years.

It's very scalable, very easy to handle, and very intuitive. It's very convenient to handle, and hardly any maintenance is required.

Initially, we used their support, but after that, they provided clearly defined SOPs with very comprehensive documentation. This solves most issues. If not, their support really helps us. Though we have limited interaction with them, whatever interaction we had was very helpful.

Positive

This is really a straightforward setup.

Approximately 35-40 developers do the coding and their code goes into GitHub itself. Everyone is really getting benefited.

For the given functionality it was built for, it performs 10 out of 10. For developer experience, it rates seven or eight out of 10.

We are using GitHub Code Scanning predominantly for static code analysis to identify vulnerabilities, such as OWASP vulnerabilities. Before the code goes into production, as soon as the developer checks in, our static code analysis runs to validate the code. We have compliance metrics to ensure no vulnerabilities or code leaks occur.

GitHub Actions provides extensive options to manage code repositories well. We use it extensively for code reviews, Git branching, and internal code repository integrations. The static code analysis capability in GitHub Code Scanning is a very powerful feature, providing the ability to identify vulnerabilities and ensure code quality.

When running code scans, GitHub Code Scanning provides recommendations for probable fixes. However, integrating a feature where developers receive real-time highlights of vulnerabilities when checking in or merging a PR would be beneficial. This would allow developers to address issues before the code gets merged. Adding this capability could ensure developers are alerted to potential vulnerabilities upfront.

I have been working with GitHub Code Scanning for many years, around ten to fifteen years.

I would rate the stability of GitHub Code Scanning as nine out of ten.

Since GitHub Code Scanning is a cloud-based platform, scalability is handled automatically without noticeable issues.

I have not heavily relied on GitHub support because most issues can be resolved with available open forums. However, the support is perceived to be pretty good.

Neutral

The initial setup of GitHub Code Scanning is very simple and not complex.

The organization pays for the license of GitHub Code Scanning, but specific price details are unknown.

SonarQube is an advanced product that can be compared to GitHub Code Scanning.

I would rate GitHub Code Scanning as seven out of ten. It would be a powerful feature if GitHub Code Scanning allowed for highlighting vulnerabilities at a class or file level as soon as the developer checks in, rather than waiting for the entire repository scan to complete.

Public Cloud

Other

We were using GitHub Code Scanning for code coverage and to look for obvious logical errors in the code instead of just syntax errors. It was part of a complex pipeline for overseeing code quality efforts, utilizing tools such as Spectral for scanning code repositories. We were not specifically scanning for viruses. The code scanning was employed in various stages for development and production coding efforts.

GitHub Code Spaces brings significant value with its simplicity and ease of use. It eliminates a lot of manual work that typically accompanies custom solutions, making management and maintenance more straightforward. This is crucial, as maintaining custom environments is usually more challenging. Using GitHub Code Spaces offers advantages in setting up the development environment due to its integrated features. The code review automation feature has accelerated our processes around code quality. It helps developers write better code faster and allows for quicker transitions between development stages. All actions, such as scanning, linting, and moving code between stages, have become more agile and efficient.

One area for improvement could be the ability to have an AI system digest the reports generated from code scanning and provide a summary. Currently, the reports can be extensive, and users may overlook details, such as outdated libraries, which could be highlighted for attention.

The GitHub Code Pipeline is fairly new to me as we ended up using an architecture that involves GitHub Actions leading into our own CICD pipeline.

There weren't any major deployment issues. The setup and installation process is marked by readability in the manuals, making it straightforward, unlike more complex custom solutions like Jenkins.

GitHub Code Scanning is stable. I have never encountered any stability issues.

GitHub scales very well. It is used extensively by various corporations without any scalability issues.

I have not dealt with GitHub's customer service directly. Technical issues typically go through the DevOps teams, the main users of the platform.

Positive

We transitioned from Bitbucket to GitHub. GitLab was tried briefly but GitHub met our requirements better.

The initial setup is straightforward, thanks to detailed manuals. It is easier than building a custom pipeline with tools like Jenkins.

With GitHub Code Scanning, there has been noticeable acceleration in the code development and approval process. Code scanning and linting occur more promptly than before, facilitating quicker transitions between development stages.

We evaluated GitLab as an alternative solution, but it did not meet our requirements like GitHub does.

The support from community forums is excellent, featuring detailed, professional queries and responses. Experts, including those from the vendor side, contribute valuable insights. Overall, I rate GitHub Code Scanning as a nine. We are just customers of GitHub, not partners or resellers.

Hybrid Cloud

Other

My usual use cases of GitHub Code Scanning involve scanning the codes and telling me the difference in the lines. It highlights the lines where changes are supposed to happen, and if any additional lines are added or deleted, it would highlight and tell me. It is basically a comparison between the existing code and the new one and highlights those differences, and then it would commit the changes. Once we click commit, the new code gets reflected, and the timeline of that is maintained. The time when new code changes are being reflected can be viewed by everyone in the organization who has access.

The features of GitHub Code Scanning that I have found most valuable are merging the code, as merging of the code is beneficial. Also, showing the differences is advantageous, and maintaining the timeline are all good aspects of this. Whatever changes are made, it reflects them. That is the main purpose of GitHub, but apart from that, it maintains the timeline, shows the differences, and blends in easily with the new code. If there are any issues, it shows what issues are present.

GitHub Code Scanning has positively impacted my organization as it helps us recognize errors and avoid many later issues which may arise. Even though we work and test, validate, sometimes there might be some errors or typing mistakes in the code. This code scanning and highlighting all those differences helps us proactively recognize and avoid potential errors or issues.

In my opinion, areas of GitHub Code Scanning that could be improved include that a few things are not visible to us, such as where it stores data and which path. There is a separate team for that who handles all the locations, which isn't very transparent. If it gets placed in the wrong place, we would never know. So, more transparency is expected; that is the only small thing I can think of. Additionally, the feature to validate whether the script is valid or not can also be enhanced.

Areas of GitHub Code Scanning that could be improved include that everywhere where code deployment is required, we need GitHub.

I have been working with GitHub Code Scanning for around six months.

Before using GitHub Code Scanning, I did not come across any different solution for these use cases. I did not get an opportunity, as everywhere I worked, GitHub was used.

I am an end user only here with GitHub Code Scanning.

I currently might be using the latest version of GitHub Code Scanning, but I don't remember the specific version.

I have not utilized the real-time feedback feature in GitHub Code Scanning.

I assess the integration capability of GitHub Code Scanning with my existing tools and workflows as well integrated, and it gets easily customized to other tools. Whether your code is in Snowflake, or it's a UNIX script, or SQL script, it would easily get adjusted. Even for .NET scripts, we are using GitHub. With multiple languages, it is easily able to get integrated, and the code also gets integrated with the scripts on the server.

An example of how this integration has helped my team collaborate on fixing detected vulnerabilities is that currently, we are working on a healthcare project wherein we create campaigns. If any additional email IDs come, or a practitioner is added, or details about where they're working, all those details come. We create new task flows, and we have a source query wherein the table or data is loaded into staging and then to Salesforce. In Salesforce, there are multiple mini-projects. This gets integrated very well at the place where we need to store it, in a branch, holding things as a branch in a proper structure.

Regarding customizing queries in GitHub Code Scanning, we do it earlier only. We customize queries and check if they're running well, then only we do the final work. We don't customize queries in GitHub at the last minute because we are not sure when it is tested if it will work well or not.

The automation capability of GitHub Code Scanning has impacted my team's productivity because everybody is able to utilize this facility of proactively recognizing errors. Additionally, anybody randomly making changes may affect the rest of the team. Since it is storing along with the timeline of who has made changes and at what time, the team can take steps accordingly based on that. If there is something not working fine, they can figure out what could have caused the error.

I am not aware of the pricing of GitHub Code Scanning because my organization takes care of that; only very high-level management people are aware of that.

This solution is deployed in my organization on the cloud. In my earlier organization, it was on-premises, but now they are doing it only in the cloud. This project is also cloud-based.

I find GitHub Code Scanning quite stable.

On a scale of 1-10, I rate GitHub Code Scanning an 8.

Public Cloud

Amazon Web Services (AWS)

We use GitHub Code Scanning mostly for source code management.

GitHub Code Scanning should add more templates.

I have been using GitHub Code Scanning for six to seven months.

I rate GitHub Code Scanning ten out of ten for stability.

GitHub Code Scanning is a scalable solution. Around 2,000 to 3,000 users use the solution in our organization.

We previously used Bitbucket. We switched to GitHub Code Scanning because it had better capabilities.

Developers and senior developers are involved in the solution's deployment.

We have seen a return on investment with GitHub Code Scanning. GitHub Code Scanning has provided us with value in terms of code management and version management.

GitHub Code Scanning is a moderately priced solution. On a scale from one to ten, where one is cheap, and ten is expensive, I rate the solution's pricing a five out of ten.

The solution's license is based on the number of users, and it's mentioned on the GitHub website. For 10,000 to 20,000 users, they have one cap. There are multiple bands that you can opt for.

I would recommend GitHub Code Scanning to other users. I encourage users to use the community version first rather than jumping into the enterprise version. They should start using different capabilities of GitHub Code Scanning, and then if they feel that this is the right solution for their company, they can use the enterprise version.

Overall, I rate GitHub Code Scanning ten out of ten.

Hybrid Cloud

The tool helps to know which ports are allowed and which are not. It traverses the entire network, scanning every system to determine which ports are open. As per compliance policy, specific ports prone to attack should not be open.

The solution helps identify vulnerabilities by understanding how ports communicate with applications running on a system. Ports are like house numbers; to visit someone's house, you must know their number. Similarly, ports are used to communicate with applications. For example, if you want to use an HTTP web server, you must use port 80. It is the port on which the web application or your server listens for incoming requests.

The scalability depends on the size of the network it protects. There are no limitations in terms of scalability. If the software were allowed to scan all the computers on the planet, it would take 10-15 years to complete.

The tool's setup is straightforward. Ports are already defined within the operating system, but you can change them manually if needed.

The minimum pricing for the tool is five dollars a month. 

You can use the tool locally on your system or in the cloud. I rate it a nine out of ten. It's a very good tool for people who want to start using GitHubCode Scanning, especially for software development or team collaboration. GitHubCode Scanning allows teams to collaborate by uploading files to repositories.

For example, if someone is developing an application, they can host the code on GitHub Code Scanning. Other developers can then download the code for testing purposes. If bugs are found, fixes can be applied using the GitHub Code Scanningrepository, and everyone on the team can see the changes. Software developers often use GitHub Code Scanning for version control, and it's essential for CI/CD pipelines to work.