GitHub has launched a new security alerts feature which will scan a project's dependencies for known vulnerabilities. Once a vulnerable dependency is found, users will be automatically alerted and presented with more information about the vulnerability, including its severity level and resolution steps.
This new feature is built on top of the recently introduced dependency graph functionality, where GitHub automatically scans a project for all of its dependencies and then displays them to the user.
By cross-referencing this dependency data with security vulnerability data, GitHub aims to automate vulnerability identification as much as possible, alerting users as soon as a new one is found. This is achieved through machine learning and publicly available data:
Vulnerabilities that have CVE IDs (publicly disclosed vulnerabilities from the National Vulnerability Database) will be included in security alerts. However, not all vulnerabilities have CVE IDs—even many publicly disclosed vulnerabilities don't have them. We'll continue to get better at identifying vulnerabilities as our security data grows.
Once a vulnerability has been identified, a severity level is allocated to it based on its CVE record. It’s then up to the user to apply the appropriate patch and issue a fix:
After you learn about a vulnerable dependency in your repository, you should investigate its impact on your project and verify that the vulnerability is resolved by the version change before you update the dependency. If a safe recommended version does not exist, we recommend removing the dependency altogether in favor of a similar, safe dependency, if one is available.
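To make the cross-reference described above concrete, here is an added illustration (not GitHub's code or data): a constructed npm `package-lock.json` is parsed into installed versions and matched against constructed advisory records, each carrying a placeholder ID, a severity and a patched version. It also shows why versions must be compared numerically rather than as strings.

```python
import json
import re

# Constructed sample lockfile (npm package-lock.json layout); not a real project.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 1,
    "dependencies": {
        "lodash": {"version": "4.17.4"},
        "debug": {"version": "2.6.9"},
        "left-pad": {"version": "1.3.0"},
    },
})

# Constructed advisory records; the IDs are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "CVE-XXXX-0001", "package": "lodash", "vulnerable_below": "4.17.5",
     "severity": "high", "patched": "4.17.5"},
    {"id": "CVE-XXXX-0002", "package": "debug", "vulnerable_below": "2.6.9",
     "severity": "low", "patched": "2.6.9"},
]


def parse_version(v):
    """Turn '4.17.4' into (4, 17, 4) so comparisons are numeric: '4.17.10' > '4.17.9'."""
    return tuple(int(p) for p in re.match(r"\d+(\.\d+)*", v).group(0).split("."))


def parse_lockfile(text):
    """Extract {name: version} from a package-lock.json (top-level dependencies only)."""
    data = json.loads(text)
    return {name: info["version"] for name, info in data.get("dependencies", {}).items()}


def find_alerts(deps, advisories):
    """Cross-reference installed versions with advisories and emit one alert per match.

    A package is flagged only when its installed version is strictly below the
    first fixed version, so a dependency already at the patched version is clean.
    """
    alerts = []
    for adv in advisories:
        installed = deps.get(adv["package"])
        if installed is None:
            continue
        if parse_version(installed) < parse_version(adv["vulnerable_below"]):
            alerts.append({"package": adv["package"], "installed": installed,
                           "id": adv["id"], "severity": adv["severity"],
                           "recommended": adv["patched"]})
    return sorted(alerts, key=lambda a: a["package"])
```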
By default, the scan will run on all public repositories, and can optionally be turned on for private repositories. Regardless of the type, the results of the scan will never be publicly disclosed.
Currently, only Ruby and JavaScript are supported, but GitHub aims to support Python in 2018.
More information is available in the GitHub documentation.