GitHub adds new tools to help developers secure their code


On Thursday, Microsoft-owned GitHub announced several new security tools and features designed to help developers secure their code.

The code-hosting service launched a feature in 2017 that warns developers when their projects depend on software libraries with known vulnerabilities. GitHub says these security alerts have led to significantly fewer vulnerable libraries on the platform, and it has now announced further improvements in partnership with WhiteSource.

The partnership broadens GitHub's coverage of security flaws in open source projects and gives developers more detail with which to assess and remediate the vulnerabilities reported to them.

Another new tool is Dependency Insights, which gives organizations full visibility into their dependencies, including the vulnerabilities and licenses attached to them, and shows how each repository is exposed.
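To make the security-alert and dependency-insight logic concrete, here is an added example (not GitHub's or WhiteSource's code) that pins the idea down: parse a requirements file, match each pinned version against an advisory list with vulnerable version ranges, and attach the package's license to the finding. The advisory entries, license table and package names are constructed for illustration and are not real advisories.

```python
"""Added example (not GitHub's implementation): match pinned dependencies
against a constructed advisory list, the way a dependency-alert feature does.
Versions are compared numerically, so 1.10 is correctly newer than 1.9."""
import re
from typing import Dict, List, Tuple

# Constructed advisory data for illustration only; not real CVE entries.
ADVISORIES = [
    {"package": "examplelib", "vulnerable": ">=1.0,<1.4.2", "fixed": "1.4.2",
     "id": "EXAMPLE-2019-0001", "severity": "high"},
    {"package": "otherpkg", "vulnerable": "<2.0", "fixed": "2.0",
     "id": "EXAMPLE-2019-0002", "severity": "moderate"},
]

# Constructed license table for the same hypothetical packages.
LICENSES = {"examplelib": "MIT", "otherpkg": "GPL-3.0", "safepkg": "Apache-2.0"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


def in_range(version: str, spec: str) -> bool:
    """Check a version against comma-separated constraints such as
    '>=1.0,<1.4.2'; every clause must hold."""
    ver = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|<|>)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"bad constraint: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        holds = {">=": ver >= bound, "<=": ver <= bound, "==": ver == bound,
                 "<": ver < bound, ">": ver > bound}[op]
        if not holds:
            return False
    return True


def parse_requirements(text: str) -> Dict[str, str]:
    """Collect 'name==version' pins; comments and unpinned entries are skipped,
    since an unpinned dependency cannot be matched to a version range."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*==\s*([\d.]+)", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def audit(requirements: str) -> List[dict]:
    """Return one finding per (dependency, advisory) match."""
    findings = []
    for name, version in parse_requirements(requirements).items():
        for adv in ADVISORIES:
            if adv["package"] == name and in_range(version, adv["vulnerable"]):
                findings.append({
                    "package": name, "installed": version,
                    "advisory": adv["id"], "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                    "license": LICENSES.get(name, "unknown"),
                })
    return findings


# Constructed sample requirements.txt.
SAMPLE_REQUIREMENTS = """\
# pinned application dependencies
examplelib==1.3.0
otherpkg==2.1.0
safepkg==0.9.1
unpinnedpkg
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS):
        print(f"{f['package']}=={f['installed']}: {f['advisory']} "
              f"({f['severity']}), fixed in {f['fixed_in']}; license {f['license']}")
```

Only examplelib is reported: 1.3.0 falls inside the vulnerable range, while otherpkg 2.1.0 is past its fix and safepkg has no advisory. A real service matches on the package ecosystem as well as the name and handles pre-release and non-numeric version schemes, which this sketch deliberately leaves out.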

GitHub also announced the general availability of token scanning, which scans public repositories for credentials that were committed by accident. The service detects exposed Alibaba Cloud, AWS, Azure, GitHub, Google Cloud, Slack, Mailgun, Twilio and Stripe credentials.
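The mechanics of such a scanner are simple enough to show. The following is an added example, not GitHub's scanner: it runs a few widely published credential formats over file contents and over the added lines of a diff (the pre-commit or CI-hook case), and suppresses documented placeholder values so they do not produce noise. The regexes are assumptions about common token shapes, the `ghp_` prefix postdates this article, and the sample file and diff are constructed.

```python
"""Added example (not GitHub's token scanner): regex detection of a few
well-known credential formats, with an allowlist for documented placeholders."""
import re
from typing import List, Tuple

# Assumed, widely published token shapes; not GitHub's actual pattern set.
PATTERNS = {
    "AWS access key ID": re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Slack token": re.compile(r"\bxox[bpas]-[0-9A-Za-z-]{10,}"),
    "Stripe live secret key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}

# Documented example values that must not be reported (AWS docs use this one).
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}


def redact(secret: str) -> str:
    """Never echo a full secret into logs or CI output."""
    return secret[:6] + "..." + secret[-4:]


def _scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, redacted_secret) for every non-allowlisted match in a line."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(line):
            secret = m.group(0)
            if secret in ALLOWLIST:
                continue
            hits.append((kind, redact(secret)))
    return hits


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Scan whole file contents; returns (line_number, kind, redacted)."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, red in _scan_line(line):
            results.append((lineno, kind, red))
    return results


def scan_diff(diff: str) -> List[Tuple[int, str, str]]:
    """Scan only lines a diff adds ('+' lines, excluding the '+++' header),
    which is what a pre-commit or pre-receive hook cares about."""
    results = []
    for lineno, line in enumerate(diff.splitlines(), start=1):
        if line.startswith("+") and not line.startswith("+++"):
            for kind, red in _scan_line(line[1:]):
                results.append((lineno, kind, red))
    return results


# Constructed sample of a committed config file.
SAMPLE_FILE = """\
# service configuration
AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
EXAMPLE_KEY=AKIAIOSFODNN7EXAMPLE
token: ghp_0123456789abcdefghijklmnopqrstuvwxyz
slack_bot = "xoxb-123456789012-abcdefghijkl"
STRIPE_KEY = sk_live_abcdefghijklmnopqrstuvwx
"""

# Constructed sample diff: one real-looking token added, one documented placeholder.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 DEBUG = False
-API_KEY = None
+API_KEY = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
"""

if __name__ == "__main__":
    for lineno, kind, red in scan_text(SAMPLE_FILE):
        print(f"file line {lineno}: {kind}: {red}")
    for lineno, kind, red in scan_diff(SAMPLE_DIFF):
        print(f"diff line {lineno}: {kind}: {red}")
```

Pattern matching like this is only the first stage: a production scanner also verifies candidates against the issuing provider (which is where GitHub's partner list comes in) and revokes or notifies on confirmed hits, because a leaked token is live from the moment it is pushed, not from the moment the commit is rewritten.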

The company also told users that it has acquired Dependabot, a tool that helps GitHub users keep their dependencies up to date. Through the Dependabot integration, first announced earlier this year, project dependencies are monitored for vulnerabilities and pull requests that apply the fixing update are opened automatically; those pull requests still need review and a passing test run before they are merged.

Further improvements address the fact that most open source projects lack a dedicated security team to handle vulnerability reports. GitHub therefore introduced a beta of maintainer security advisories, which gives project maintainers a private place to discuss and patch a vulnerability before publishing a security advisory to users.

Maintainers can also now publish a security policy (a SECURITY.md file in the repository) telling people how to report flaws in their code, and organizations can define a single security policy that applies to all of their repositories.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.