GitHub to Warn Users of Vulnerabilities in Their Projects | Digital Guardian


GitHub to Warn Users of Vulnerabilities in Their Projects

GitHub said Thursday it can now help developers find and fix vulnerabilities in their dependencies.

GitHub, the popular development platform and repository hosting service, announced this week that it can now help developers find and fix vulnerabilities in their dependencies.

In programming, dependencies are the external libraries or packages (a Ruby gem or an npm module, for example) that a project pulls in and relies on; a flaw in one of them is inherited by every project that uses it.

The platform, one of the world's largest code hosting services, said Thursday it will begin tracking public vulnerabilities and notify users if any of their projects' dependencies are affected. GitHub will track vulnerabilities in RubyGems and npm (JavaScript) packages on MITRE's Common Vulnerabilities and Exposures (CVE) list to start, but the company plans to bring support to Python in 2018, according to the company's Director of Product Miju Han.

The company will offer project managers help through a feature it already offers called a dependency graph. If a user has theirs enabled - something done by default for public repositories - they'll receive alerts for potential vulnerabilities. GitHub says it plans to call out any dependencies it considers vulnerable and whether or not it recommends updating. If there's a safer version of a dependency the company says it will use a combination of machine learning and publicly available data to select one. Users with private repositories meanwhile will have to opt in to receive security alerts.
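The mechanism described above, resolving the pinned versions in a project's lockfile, matching them against published vulnerable ranges and proposing an upgrade, is simple enough to show end to end. The following is an added example, not GitHub's code: it parses a constructed Gemfile.lock excerpt, checks it against a constructed advisory list (placeholder IDs, not real CVEs) and, where a version is affected, picks the lowest patched version above the installed one. That selection rule is a stand-in for GitHub's machine-learning-based choice, not a description of it.

```ruby
# Added example (not GitHub's code): match a Gemfile.lock against a small,
# constructed advisory list and suggest the lowest patched version.
require "rubygems" # Gem::Version / Gem::Requirement ship with Ruby

# Constructed Gemfile.lock excerpt; the gems and versions are illustrative.
# <<~ strips two leading spaces, leaving the real lockfile layout: resolved
# gems at four spaces, their declared requirements at six.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.1.3)
        rack (~> 2.0)
      nokogiri (1.8.0)
      rack (2.0.3)
      rails (5.1.3)
        actionpack (= 5.1.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (~> 5.1)
LOCK

# Constructed advisory data with placeholder IDs (EXAMPLE-nnnn, not CVEs).
# :vulnerable lists affected ranges in RubyGems requirement syntax;
# :patched lists the releases that fix the issue.
SAMPLE_ADVISORIES = [
  { id: "EXAMPLE-0001", gem: "rails",
    vulnerable: [">= 5.1.0, < 5.1.4", "< 5.0.6"], patched: ["5.0.6", "5.1.4"] },
  { id: "EXAMPLE-0002", gem: "nokogiri", vulnerable: ["< 1.8.1"], patched: ["1.8.1"] },
  { id: "EXAMPLE-0003", gem: "rack", vulnerable: ["< 2.0.2"], patched: ["2.0.2"] },   # lockfile already fixed
  { id: "EXAMPLE-0004", gem: "devise", vulnerable: ["< 4.4.0"], patched: ["4.4.0"] }  # not in lockfile
]

# Returns { "gem name" => Gem::Version } for the resolved (pinned) gems only.
def parse_lockfile(text)
  installed = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if line =~ /^\S/ # next top-level section (PLATFORMS, ...)
    next unless in_specs
    # Exactly four spaces: a resolved gem with its pinned version.
    # Deeper lines are requirement declarations, not versions, so skip them.
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      installed[m[1]] = Gem::Version.new(m[2])
    end
  end
  installed
end

# True if the installed version falls inside any of the advisory's ranges.
def vulnerable?(advisory, version)
  advisory[:vulnerable].any? do |range|
    Gem::Requirement.new(range.split(",").map(&:strip)).satisfied_by?(version)
  end
end

# Heuristic (assumption, not GitHub's method): the lowest patched version
# above what is installed keeps the upgrade as small as possible. Returns
# nil when no patched release is newer than the installed one.
def suggest_fix(advisory, version)
  advisory[:patched].map { |v| Gem::Version.new(v) }.select { |v| v > version }.min
end

# Produces one alert per advisory that affects a gem pinned in the lockfile.
def security_alerts(lockfile_text, advisories)
  installed = parse_lockfile(lockfile_text)
  advisories.each_with_object([]) do |adv, alerts|
    version = installed[adv[:gem]]
    next unless version && vulnerable?(adv, version)
    fix = suggest_fix(adv, version)
    alerts << { id: adv[:id], gem: adv[:gem], installed: version.to_s,
                fix: fix && fix.to_s }
  end
end

if __FILE__ == $PROGRAM_NAME
  security_alerts(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES).each do |a|
    advice = a[:fix] ? "upgrade to #{a[:fix]}" : "no fixed release newer than installed"
    puts "#{a[:id]}: #{a[:gem]} #{a[:installed]} is affected; #{advice}"
  end
end
```

Run against the sample data this flags rails 5.1.3 (suggesting 5.1.4, not the older 5.0.6 branch) and nokogiri 1.8.0, stays quiet about rack because 2.0.3 is already past the fix, and ignores the devise advisory because the gem is not in the lockfile. Only the four-space lines are trusted as pinned versions; the deeper `(~> 2.0)` style lines are declared constraints, and matching advisories against those instead of the resolved version is a common source of both false alarms and missed alerts.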

A .gif the company posted with the announcement demonstrates the feature in action: it shows an alert for a known vulnerability in a user's Rails dependency along with a suggested fix.

The company admits identifying vulnerabilities can be a difficult, sometimes nebulous thing to do. Some vulnerabilities, even major ones, never receive CVE IDs at all, so a scanner that relies only on the CVE list will miss them. With that in mind, Han says GitHub will do its best to ferret out vulnerabilities without CVEs and notify coders.

"We'll continue to get better at identifying vulnerabilities as our security data grows..." Han wrote Thursday, "This is the next step in using the world’s largest collection of open source data to help you keep code safer and do your best work." 

Chris Brook



Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.