In September 2019, GitHub acquired Semmle, a company providing a code analysis platform for securing software. About a year later, GitHub had integrated and improved the code analysis service and published the results of a five-month beta phase: 12,000 repositories were scanned, and over 20,000 security issues were identified (see http://mng.bz/woA2).
Not all security issues are visible when just looking at the code, especially for websites. As we have discussed previously in this book (for instance, in chapter 3 on cookie attributes and chapter 9 on HTTP headers), even the absence of certain security settings counts as a vulnerability, and such an absence only shows up in the responses the running application actually sends. Therefore, testing the running web application is an important approach as well. The “nine out of ten web applications have security vulnerabilities” study result from chapter 1 (here’s the link again: http://mng.bz/qYAJ) was obtained by doing exactly that: scanning running websites for issues.
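To make concrete what a scanner of a running site looks for, here is an added example (not code from the book or from any scanner it mentions) that inspects one HTTP response for exactly the "absence" findings described above: missing security headers and session cookies set without the Secure, HttpOnly and SameSite attributes. The response text is constructed sample data, and the list of required headers is an illustrative subset chosen here, not a complete scanner ruleset.

```python
"""Check a captured HTTP response for missing security headers and cookie
attributes, the kind of finding a dynamic scan of a running site reports."""

# Constructed sample response: omits HSTS, CSP and X-Content-Type-Options, and
# sets a session cookie without Secure/HttpOnly/SameSite. Not from a real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html>...</html>"
)

# Illustrative subset of headers whose absence is reported (assumption, not a
# complete ruleset); keys are lowercased because header names are case-insensitive.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: browser is not forced onto HTTPS",
    "content-security-policy": "CSP missing: no mitigation for injected scripts",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}


def parse_headers(raw):
    """Return (name, value) pairs from a raw HTTP response, names lowercased.
    Repeated headers such as Set-Cookie are kept as separate pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_headers(pairs):
    """Report every required header that is absent from the response."""
    present = {name for name, _ in pairs}
    return [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]


def check_cookie(value):
    """Report missing attributes for one Set-Cookie header value."""
    parts = [p.strip() for p in value.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive; keep only the name part of "Key=Val".
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {cookie_name}: Secure missing (sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"cookie {cookie_name}: HttpOnly missing (readable by script)")
    if "samesite" not in attrs:
        findings.append(f"cookie {cookie_name}: SameSite missing (sent on cross-site requests)")
    return findings


def scan_response(raw):
    """Combine header and cookie checks into one list of findings."""
    pairs = parse_headers(raw)
    findings = check_headers(pairs)
    for name, value in pairs:
        if name == "set-cookie":
            findings.extend(check_cookie(value))
    return findings


if __name__ == "__main__":
    for finding in scan_response(SAMPLE_RESPONSE):
        print("FINDING:", finding)
```

Running it on the sample reports three missing headers and three missing attributes on the `session` cookie, while the `prefs` cookie passes. None of these six findings could be produced by reading source code alone: each depends on what the server actually emits at runtime, which is why dynamic scanning complements the code analysis described in the previous paragraph.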