
Multi-repository variant analysis: a powerful new way to perform security research across GitHub

Blog post from GitHub

Post Details
Company: GitHub
Date Published:
Author: Walker Chabbott, James Fletcher
Word Count: 861
Language: English
Summary

GitHub has introduced multi-repository variant analysis (MRVA), a way for developers and security researchers to run CodeQL, GitHub's static analysis engine, across many codebases at once. Variant analysis starts from a known vulnerability and looks for other instances of the same pattern; MRVA scales that process by running a custom CodeQL query across thousands of repositories in a single run, driven from the CodeQL extension for VS Code, instead of analyzing one repository at a time. GitHub's own Security Lab has already used the approach to uncover vulnerabilities affecting millions of applications. MRVA builds on GitHub's existing infrastructure: it analyzes the CodeQL databases already generated for public repositories that have code scanning enabled, and lets users assemble custom repository lists for targeted sweeps. Private repositories are supported too, provided CodeQL code scanning is enabled on them. Results can be sorted by repository popularity and exported as a Markdown report for sharing with others. The post frames the feature as part of GitHub's broader effort to improve software security without degrading the developer experience.
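To make the "custom CodeQL query" concrete, here is an added example of the kind of seed query a researcher would hand to MRVA; it is not code from the post or from GitHub. It is a CodeQL query for JavaScript that flags calls to the global `eval` function and the `Function` constructor, a classic starting point for a variant sweep. The query id, metadata values and message text are the author's own choices, and the repository list it runs against is whatever the user selects in the extension.

```ql
/**
 * @name Dynamic code evaluation (variant-analysis seed query)
 * @description Finds calls to the global eval function and the Function
 *              constructor. A small query like this is the starting point
 *              for a multi-repository variant analysis: run it once against
 *              a repository list and triage the hits repository by repository.
 * @kind problem
 * @problem.severity warning
 * @security-severity 6.0
 * @precision medium
 * @id js/example/dynamic-code-evaluation
 * @tags security
 */

import javascript

/** Holds if `call` invokes the global `eval` function or the `Function` constructor. */
predicate isDynamicEval(InvokeExpr call) {
  // Matches `eval(src)` and `new Function(args, src)`; getCalleeName() resolves
  // the invoked identifier for both plain calls and `new` expressions.
  call.getCalleeName() = ["eval", "Function"] and
  // Restrict to the global binding so that methods which merely happen to be
  // named `eval` (for example `parser.eval(...)`) are not reported.
  call.getCallee() instanceof GlobalVarAccess
}

from InvokeExpr call
where isDynamicEval(call)
select call, "Dynamic code evaluation via " + call.getCalleeName() + "."
```

Run from the CodeQL extension for VS Code against a repository list, the query produces one result set per repository; the popularity sort and Markdown export described above are what turn that raw set into a triaged report. The `GlobalVarAccess` restriction is deliberate: when a query is fanned out over thousands of repositories, every false positive is multiplied, so tightening the pattern before the sweep saves far more time than filtering afterwards.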