GitHub’s new feature alerts developers to known vulnerabilities in the software packages their projects depend on.
GitHub hosts 67 million code repositories and is among the largest collections of open source data.
Forty-five percent of the 100 largest companies in the United States (by revenue) use GitHub Enterprise to build software, according to GitHub statistics.
Over 75 percent of GitHub projects have code dependencies. The security alerts service depends on the Dependency Graph, which is available by default for every public repository and can be set up for private repositories.
“Public repositories will automatically have your dependency graph and security alerts enabled. For private repositories, you’ll need to opt in to security alerts in your repository settings or by allowing access in the Dependency Graph section of your repository’s Insights tab,” said Miju Han, GitHub Director of Product, Data in a post.
“GitHub tracks public vulnerabilities in Ruby gems and NPM packages on MITRE’s Common Vulnerabilities and Exposures (CVE) List,” the company said.
“When GitHub receives a notification of a newly-announced vulnerability, we identify public repositories (and private repositories that have opted in to vulnerability detection) that use the affected version of the dependency,” the company said. “Then, we send security alerts to owners and people with admin access to affected repositories.”
The security alerts include a severity level and a link to the affected file in the project and, when available, a link to the CVE record and a suggested fix.
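To make the matching step concrete, here is an added example (not GitHub's code, and not from the article) of the logic such a service performs: it reads the locked dependency versions from a package-lock.json and a Gemfile.lock, compares each against an advisory feed of affected version ranges, and produces alert records carrying the severity and suggested fix. The advisory entries, the CVE ids in them and both lockfiles are constructed placeholders; the range syntax (space-separated, ANDed constraints such as `>=1.0.0 <1.2.4`) is an assumption for the example, not GitHub's format.

```python
"""Match locked dependency versions against a constructed advisory feed.
Added example; not GitHub's implementation. All advisory data is made up."""
import json
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed advisory feed. The CVE ids are placeholders, not real advisories.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "CVE-0000-0001", "ecosystem": "npm", "package": "left-pad-ish",
     "affected": ">=1.0.0 <1.2.4", "severity": "high", "fixed": "1.2.4"},
    {"id": "CVE-0000-0002", "ecosystem": "rubygems", "package": "rack-ish",
     "affected": "<2.0.6", "severity": "moderate", "fixed": "2.0.6"},
]

# Constructed lockfiles standing in for a repository's dependency graph.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 1,
    "dependencies": {"left-pad-ish": {"version": "1.2.1"},
                     "other-lib": {"version": "4.0.0"}},
})
SAMPLE_GEMFILE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    rack-ish (2.0.5)
    rake (12.3.0)

PLATFORMS
  ruby
"""


def parse_version(text: str) -> Version:
    """Turn '2.0.5' into (2, 0, 5); pad short versions so '1.2' == '1.2.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


_OPS: Dict[str, Callable[[Version, Version], bool]] = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}
_CONSTRAINT = re.compile(r"(<=|>=|<|>|=)?([0-9][0-9.]*)")


def is_affected(version: str, affected_range: str) -> bool:
    """True when the installed version satisfies every constraint in the
    advisory's affected range (space-separated constraints are ANDed)."""
    installed = parse_version(version)
    for constraint in affected_range.split():
        match = _CONSTRAINT.fullmatch(constraint)
        if match is None:
            raise ValueError(f"unsupported constraint: {constraint!r}")
        op = match.group(1) or "="
        if not _OPS[op](installed, parse_version(match.group(2))):
            return False
    return True


def deps_from_package_lock(text: str) -> Dict[str, str]:
    """name -> locked version from a lockfileVersion 1 package-lock.json."""
    data = json.loads(text)
    return {name: info["version"] for name, info in data.get("dependencies", {}).items()}


def deps_from_gemfile_lock(text: str) -> Dict[str, str]:
    """name -> locked version from the 4-space-indented 'specs' entries of a Gemfile.lock
    (6-space lines are transitive requirements, not locked versions, and are skipped)."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        match = re.match(r"^    ([A-Za-z0-9_.-]+) \(([0-9][0-9.]*)\)$", line)
        if match:
            deps[match.group(1)] = match.group(2)
    return deps


def find_alerts(ecosystem: str, deps: Dict[str, str],
                advisories: List[Dict[str, str]] = ADVISORIES) -> List[Dict[str, str]]:
    """Return one alert record per advisory whose package is present in an affected version."""
    alerts = []
    for adv in advisories:
        if adv["ecosystem"] != ecosystem or adv["package"] not in deps:
            continue
        installed = deps[adv["package"]]
        if is_affected(installed, adv["affected"]):
            alerts.append({"id": adv["id"], "package": adv["package"],
                           "installed": installed, "severity": adv["severity"],
                           "fixed": adv["fixed"]})
    return alerts


if __name__ == "__main__":
    for eco, deps in (("npm", deps_from_package_lock(SAMPLE_PACKAGE_LOCK)),
                      ("rubygems", deps_from_gemfile_lock(SAMPLE_GEMFILE_LOCK))):
        for alert in find_alerts(eco, deps):
            print(f"[{alert['severity']}] {alert['id']}: {alert['package']} "
                  f"{alert['installed']} is affected; upgrade to {alert['fixed']}")
```

The check is deliberately done against locked versions rather than the ranges declared in package.json or a Gemfile: a declared range like `^1.2.0` says nothing about which version is actually installed, and only the exact resolved version tells you whether a repository is exposed. Running the script reports one alert per ecosystem for the constructed inputs, and nothing once the affected package is at or above the fixed version.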
Other people or teams working in organization-owned repositories can also receive these alerts if the repository admins grant them access. Alerts can be delivered by email, through the user’s web notifications, or in the GitHub user interface.