
Does there exist a scanning tool that can scan a repository for malicious code?

Suppose our company had a disgruntled employee who wanted to introduce a virus/malware/trojan etc. to our code base.

Is there a way to automatically scan for such instances, or must we manually inspect every commit?

Josh Wheelock
  • What about having a simple script check out each commit on a machine with the best antivirus software installed, and then simply wait X minutes to allow the antivirus engine to scan the files in the commit? With a bit more elbow grease your script can ask the antivirus software if it is done. – Thorbjørn Ravn Andersen Jan 06 '15 at 13:31
  • Not unless you can solve the halting problem. – Ajedi32 Jan 06 '15 at 19:30

2 Answers


You mean something like this? GitHub announced it last year.

https://github.blog/2020-09-30-code-scanning-is-now-available/

Top of post:

GitHub code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production. We’re thrilled to announce the general availability of code scanning. You can enable it on your public repository today!

Bottom of post:

  • Code scanning is free for public repositories. Learn more about how to enable code scanning today.
  • For private repositories, code scanning is available to GitHub Enterprise through Advanced Security. Contact Sales to learn more.

I'm not an expert with these things, but read the page and see if it's anything like what you were looking for.

And see also:

https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository

https://github.com/features/security

TIA

Not sure if there's such software. But if it's a virus that can be caught with an existing antivirus, you can use gitfs to browse the repository as a directory and scan it with the antivirus.

manzur
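One way to script the approach suggested in the comment on the question and in manzur's answer (export every commit and hand it to an antivirus engine), as an added example that is not from the page or from any of the answerers: it assumes `git` and ClamAV's `clamscan` are on PATH; the scanner is a pluggable function so any other command-line engine can be substituted.

```python
import io
import subprocess
import tarfile
import tempfile
from pathlib import Path

def list_commits(repo: str) -> list[str]:
    """All commits reachable from HEAD, oldest first."""
    out = subprocess.run(["git", "-C", repo, "rev-list", "--reverse", "HEAD"],
                         check=True, capture_output=True, text=True).stdout
    return out.split()

def export_commit(repo: str, commit: str, dest: Path) -> None:
    """Unpack one commit's tree into dest via `git archive` (the work tree is never touched)."""
    tar_bytes = subprocess.run(["git", "-C", repo, "archive", "--format=tar", commit],
                               check=True, capture_output=True).stdout
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        # git itself rejects '..' path components, but never trust an archive blindly
        if any(m.name.startswith("/") or ".." in Path(m.name).parts for m in tar.getmembers()):
            raise ValueError(f"unsafe archive entry in commit {commit}")
        tar.extractall(dest)

def parse_clamscan(stdout: str) -> dict[str, str]:
    """Infected path -> signature name, from clamscan's 'path: Signature FOUND' lines."""
    return dict(line[:-6].rsplit(": ", 1) for line in stdout.splitlines()
                if line.endswith(" FOUND"))

def clamscan(tree: Path) -> dict[str, str]:
    """Run ClamAV over the tree; exit status 0 = clean, 1 = infected, 2 = scanner error."""
    proc = subprocess.run(["clamscan", "-r", "--infected", "--no-summary", str(tree)],
                          capture_output=True, text=True)
    if proc.returncode == 2:
        raise RuntimeError(f"clamscan failed: {proc.stderr.strip()}")
    return parse_clamscan(proc.stdout)

def scan_history(repo: str, scanner=clamscan) -> dict[str, dict[str, str]]:
    """Scan every commit; return {commit: {path in tree: signature}} for commits with hits."""
    findings = {}
    for commit in list_commits(repo):
        with tempfile.TemporaryDirectory() as tmp:
            tree = Path(tmp)
            export_commit(repo, commit, tree)
            hits = scanner(tree)
            if hits:  # report paths relative to the commit root, not the scratch directory
                findings[commit] = {(str(Path(p).relative_to(tree)) if Path(p).is_relative_to(tree)
                                     else p): sig for p, sig in hits.items()}
    return findings
```

The same loop can run from a CI job or a post-receive hook over only the newly pushed range (`git rev-list old..new`) so each push is checked as it arrives rather than re-scanning the whole history. It only finds what the engine has a signature for, which is the limit the comments above point out.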