
GitHub Focuses on Security, Cloud, DevEx at Universe Event

27 Oct 2021 10:38am

It’s time for the annual GitHub Universe conference where developers using the popular git repository hosting service get to see all of the new features and improvements the company has added to make their work lives easier.

Since last year’s event, GitHub has shipped more than 20,000 improvements to its platform for the more than 73 million developers that use it, said Thomas Dohmke, chief product officer at GitHub. This year’s focus is on improving the developer experience, coding in the cloud and ensuring secure development, among other issues.

Security is top of mind for GitHub, Dohmke said, noting that the company has been at work to improve the security of code generated by the revolutionary GitHub Copilot AI-powered auto-completion tool that GitHub refers to as an “AI pair programmer.”

Amid reports that Copilot could generate code that introduces vulnerabilities, Dohmke told The New Stack that GitHub has been taking a two-pronged approach to resolving the issue.

“We have technology within GitHub called CodeQL that allows us to scan code and filter out security issues, or actually flag those security issues, back to the open source projects that were used to synthesize the code,” he said. “So we are leveraging the data to provide more and more secure code.”

Moreover, over time, GitHub Copilot will eventually be writing more secure code than the average programmer, Dohmke said.

“If you think about it, what many programmers do is that they go into the internet and search for solutions, and then copy and paste code, and that copy-and-pasted code — similar to the Copilot code — may or may not be fully secure,” he said. “And as the name Copilot implies, it’s the Copilot, not the pilot. The developer is still in charge, to understand the intent of the search. So we’re taking basically a two-pronged approach. We’re making Copilot better on the one side, and we’re obviously offering security solutions in GitHub, that when you submit a pull request with insecure code, whether it’s your [GitHub] Actions workflow or your advanced security workflow, it will flag issues to the developer before merging the code into the main branch.”

Specific security improvements for Universe 2021 include expanding code scanning to support Ruby programming and improving enterprise cloud access controls. GitHub has added Ruby support to the CodeQL engine that powers GitHub code scanning. Ruby joins C/C++, C#, Java, JavaScript/TypeScript, Python and Go on the list of supported CodeQL languages.
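As an added illustration, not code from the article or from GitHub, here is a minimal GitHub Actions workflow that runs CodeQL code scanning for Ruby on every pull request, so findings surface before merge as Dohmke describes. It assumes the github/codeql-action init and analyze actions and a default branch named main.

```yaml
# Added example (not from the article): CodeQL code scanning for a Ruby repository.
# Runs on pull requests so insecure changes are flagged before they reach main.
name: CodeQL (Ruby)

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required to upload results to code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: ruby      # Ruby support for CodeQL was announced in beta at Universe 2021

      - name: Run CodeQL analysis
        uses: github/codeql-action/analyze@v1
```

Pairing this with a branch protection rule that requires the check to pass turns the alerts into a merge gate rather than an advisory comment.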

Meanwhile, also in beta, GitHub Enterprise Cloud customers can now create custom repository access roles to give teams exactly the permissions they need, Dohmke said. This means GitHub administrators can now create custom permission levels for teams, organization members, and outside collaborators. In addition, the new Enterprise Managed Users feature offers a new option for managing enterprise identities, in which enterprise administrators own and manage the lifecycle of identities, with improved provisioning and deprovisioning capabilities, he said in a blog post.

Riding with the Copilot

GitHub continues to ride the popularity of Copilot, announcing, in technical preview, expanded IDE support for the JetBrains IntelliJ platform of editors, including the latest versions of IntelliJ IDEA and PyCharm, to support developers wherever they work. The company is also adding support for multiline completions in Java, with support for more languages coming over the following months.

“OK I forgot I installed GitHub Copilot and went to write a function and … folks, we are in trouble. It’s not just that this is some sort of generic checkForUpdates function that it found on GitHub. This is written specifically in Gluegun-style. This is incredible,” said Jason Holmgren, CTO of Infinite Red, in a tweet.

In a separate tweet, another Copilot tire kicker noted, “Holy shit GitHub Copilot is a lot of fun! It really speeds up the easy boilerplate kind of stuff. I am working on a little game in JavaScript and the core functionality took me maybe 30 min with Copilot, where it would have taken a couple hours without. I was just mashing tab!”

Dohmke said GitHub has seen significant improvements since the Copilot technical preview was released over the summer. For some languages, particularly Python, the company has seen that about 30% of newly written code is being suggested by Copilot and that number could get past 50% in the next couple of years, he noted.

Moreover, “You can now use GitHub Copilot with Neovim and the latest versions of JetBrains IntelliJ IDEA and PyCharm,” Dohmke said. GitHub Copilot was initially available as a Visual Studio Code extension or in the cloud on GitHub Codespaces.

Enhancements to Codespaces

Speaking of Codespaces — GitHub’s platform for spinning up development environments directly from the browser or through Visual Studio Code — the company has delivered several enhancements on that front, including easier dev environment creation, CLI support, REST API support in beta, access control for forwarded ports, and access to GitHub Container Registry.

“We’ve added Codespaces support into the GitHub CLI to help developers who prefer the command line and direct SSH access to their development environments,” Dohmke said.

Codespaces is an instant-on, customizable, container-based development environment in the cloud. The true power of Codespaces is that you can go from zero to being productive and writing code within seconds, he said.

GitHub migrated all of its engineering teams to Codespaces earlier this year and cut the ramp-up time for onboarding new projects from 45 minutes to 10 seconds, Dohmke said. “We now have over 600 of our own internal developers using Codespaces to build up in the cloud,” he said.

Public Beta of GitHub Issues

In addition, GitHub has released its GitHub Issues project planning platform as a public beta.

GitHub Issues reinvents how developers do planning and tracking, Dohmke said. It is based on the simple idea of lists. “We are offering a spreadsheet-like user interface where developers and project managers and product managers can simply add items to the backlog. It’s really fast, because you can complete it with cursor keys,” he said.

Overall, the new GitHub Issues workflow experience includes features like project boards and dynamic tables, which give developers the ability to filter, sort, and group issues and pull requests. Additional key features include iteration support, new reporting and data visualization, and public projects.