GitHub Rolls Out Security Alerts for Developers
Popular software development platform GitHub made it easier last week for users to spot security issues in their code by adding a new vulnerability alerts feature.
“Today, for the over 75% of GitHub projects that have dependencies, we’re helping you do more than see those important projects,” announced GitHub director of product, Miju Han, in a blog post. “With your dependency graph enabled, we’ll now notify you when we detect a vulnerability in one of your dependencies and suggest known fixes from the GitHub community.”
The alerts will work whether the project is public or private, although for the latter, users will need to opt in via repository settings or by allowing access in the dependency graph section of their repository’s Insights tab.
Following that, administrators will receive the security alerts by default, and can add other members of the team if desired.
Vulnerabilities that have been assigned a CVE number will be included, although Han pointed out that not all bugs have one, even publicly disclosed ones.
“When we notify you about a potential vulnerability, we’ll highlight any dependencies that we recommend updating. If a known safe version exists, we’ll select one using machine learning and publicly available data, and include it in our suggestion,” she explained.
Back in September, malware was found in PyPI, the official package repository for the popular programming language Python, and subsequently made its way into multiple software packages. This kind of supply chain attack is becoming increasingly popular and takes advantage of the fact that many developers fail to include security early enough in the application life-cycle.
Source: Information Security Magazine