GitHub has announced a number of new features aimed at helping developers secure their code, including the ability to automatically open PRs for any dependency that needs an update to include security fixes, integration with WhiteSource data for better vulnerability assessment, dependency insights, and more.
GitHub's security-related features revolve around vulnerability alerts, which were introduced in 2017 to notify developers of any known vulnerability found among their projects' dependencies. According to GitHub's own data, although more than 27 million security alerts have been generated since then, patching has often been a slow process:
While security vulnerability alerts provide users with the information to secure their projects, industry data shows that more than 70 percent of vulnerabilities remain unpatched after 30 days, and many can take as much as a year to patch.
GitHub's figures match well with analysis from other vendors that highlighted a number of action points for the open-source community to improve on in their security-related practices.
In an effort to make it easier for project maintainers to patch their code quickly, GitHub has integrated Dependabot, which it has just acquired and made freely available. Dependabot, originally offered in the GitHub Marketplace as a paid service, scans a project's dependencies for known vulnerabilities and automatically opens a PR for each of them. This allows maintainers to fix security vulnerabilities by simply merging those PRs.
Furthermore, to help enterprise project maintainers promptly audit their project dependencies and their exposure to any new vulnerability, GitHub launched Dependency Insights. Dependency Insights leverages GitHub's dependency graph to give developers an overview of the status of their project's dependencies, including any open security advisory, the possibility of listing and inspecting a project's dependencies, and so on.
Another new feature, meant to provide developers with more data about discovered vulnerabilities, is the integration of GitHub security alerts with the open source security platform WhiteSource. According to GitHub, this will broaden the coverage of potential vulnerabilities that the platform is able to detect and help developers prioritize, remediate, and report on vulnerabilities.
As a final note, to improve communication among the maintainers of a project when they need to exchange information and discuss a discovered vulnerability, GitHub now offers a private workspace, called maintainer security advisories, that makes this possible without leaking sensitive information to attackers before a fix is available. Additionally, it is now possible to explicitly set up a security policy associated with a project, so that contributors know what they are expected to do to responsibly report a vulnerability.