GitHub Rolls Out Security Alerts for Developers

GitHub Rolls Out Security Alerts for Developers

Popular software development platform GitHub made it easier last week for users to spot security issues with their code, by including a new vulnerability alerts feature.

The launch comes after an update last month which allows developers to track projects their code depends on via a “dependency graph”, currently supported for Javascript and Ruby.

“Today, for the over 75% of GitHub projects that have dependencies, we’re helping you do more than see those important projects,” announced GitHub director of product, Miju Han, in a blog post. “With your dependency graph enabled, we’ll now notify you when we detect a vulnerability in one of your dependencies and suggest known fixes from the GitHub community.”

The alerts will work whether the project is public or private, although for the latter, users will need to opt-in via repository settings or by allowing access in the dependency graph section of their repository’s Insights tab.

Following that, administrators will receive the security alerts by default, and can add other members of the team if desired.

Vulnerabilities that have been assigned a CVE number will be included, although Han pointed out that not all bugs do — even publicly disclosed ones.

“When we notify you about a potential vulnerability, we’ll highlight any dependencies that we recommend updating. If a known safe version exists, we’ll select one using machine learning and publicly available data, and include it in our suggestion”, she explained.

Security alerts currently work for Ruby and Javascript projects, with Python support coming next year.

Back in September, malware was found in PyPI — the official repository for the popular programming language — and subsequently made its way into multiple software packages. This kind of supply chain attack is becoming increasingly popular and takes advantage of the fact that many developers fail to include security early on enough in the application life-cycle.

Source: Information Security Magazine