GitHub Adds New Code Security Features
Written by Kay Ewbank   
Monday, 01 July 2019

GitHub has introduced new features designed to keep code secure with the addition of WhiteSource data to security vulnerability alerts, and dependency insights. 

The features are designed to minimize the problem caused when developers use open-source code that they don't know contains security vulnerabilities. In the past, the problem has been that there hasn't been a simple way for a developer using a library to report a possible security vulnerability to the owner of the library. This has led to vulnerabilities being left open to exploitation. From the other side, library owners haven't had a general way to report to users when a problem has been identified.


The first improvement from GitHub is the addition of WhiteSource data to security vulnerability alerts. The security vulnerability alert feature launched in beta in 2017, and since then GitHub has sent almost 27 million security alerts for vulnerable dependencies in .NET, Java, JavaScript, Python and Ruby. GitHub has now announced a partnership with WhiteSource data to broaden coverage of potential security vulnerabilities in open source projects and to provide increased detail to assess and remediate vulnerabilities. 

The second improvement announced by GitHub is a feature called dependency insights. This is a tool that can be used to find dependencies when a security vulnerability is released publicly. It builds on GitHub's existing dependency graph to provide organizations with a clearer view of their dependencies, including details on security vulnerabilities and open source licenses.

The final improvement comes from the fact that GitHub has acquired Dependabot and integrated it into GitHub. Dependabot provides automated dependency updates for Ruby, Python, JavaScript, PHP, .NET, Go, Elixir, Rust, Java and Elm projects. Using it, GitHub is able to monitor dependencies for known security vulnerabilities and automatically open pull requests to update them to the minimum required version. GitHub says it will be rolling out automated pull requests to all accounts with security alerts enabled over the coming months.



More Information


Related Articles

GitHub Acquires Pull Panda

Counting Vulnerabilities In Open Source Projects and Programming Languages

Don't Neglect Open Source Security

GitHub Sponsors - Money For Open Source

GitHub Bug Bounty Program Expanded In Scope and Reward 

Microsoft GitHub - What's Different

GitHub Launches Draft Pull Requests

GitHub Launches Actions

GitHub For Unity Now Available

GitHub Security Alerts For Python

Microsoft Buys GitHub - Get Ready For a Bigger Devil

GitHub Marketplace Now Accepts Free Apps and Offers Free Trials

GitHub Octoverse Reveals The State Of Open Source


To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


SourceBuddy Brings Eval To Java

SourceBuddy is a Java library that compiles and loads dynamically generated Java source code. This has the advantage of providing Java with an eval facility such as those found in interpreted lan [ ... ]

Spin Brings WebAssembly To The Cloud

Spin is a new open source framework for building and running cloud microservices with WebAssembly which run on the Fermyon Cloud. Fermyon has also released an SDK for .NET.

More News





or email your comment to:

Last Updated ( Monday, 01 July 2019 )