Introducing new ways to keep your code secure
![null](https://github.blog/wp-content/uploads/2019/05/security-post.png?resize=1600%2C850)
We’re all part of a deeply interconnected community, where the software we write builds on the work of others. Ninety-nine percent of new software projects depend on open source code. This extensive code reuse helps everyone build better software faster than ever before, but it also puts us all at risk of distributing security vulnerabilities from our dependencies. It’s more important than ever that every developer becomes a security developer—that they responsibly disclose vulnerabilities and patch vulnerable code quickly.
Today, we’re excited to announce several new security features designed to make it easier for developers to secure their code.
- Security vulnerability alerts now with WhiteSource data: Since launching as a beta in 2017, GitHub has sent almost 27 million security alerts for vulnerable dependencies in .NET, Java, JavaScript, Python, and Ruby. Our new partnership with WhiteSource broadens our coverage of potential security vulnerabilities in open source projects and provides more detail for assessing and remediating each vulnerability.
- Dependency insights: When a security vulnerability is released publicly, enterprises need tools to quickly audit dependencies and better understand their exposure. Dependency insights builds on the power of the dependency graph, so enterprises get full visibility into their dependencies, including details on security vulnerabilities and open source licenses.
- Token scanning: Previously announced as a beta, token scanning is now generally available and supports more token formats, including those from Alibaba Cloud, Mailgun, and Twilio, to make sure an accidental check-in of a credential doesn’t turn into a data breach.
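To make the token-scanning idea concrete, here is an added example (not GitHub's scanner, and not any provider's real token format): it walks a unified diff, checks only the lines a push adds against a set of token-shaped regexes, and uses a Shannon-entropy threshold to drop obvious placeholders. The three token formats, the `scan_diff` and `shannon_entropy` names, and the sample diff are all constructed for this illustration.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern

# Hypothetical token formats, constructed for this example. Real providers'
# formats differ and are deliberately not reproduced here.
TOKEN_PATTERNS: Dict[str, Pattern] = {
    "example-cloud-access-key": re.compile(r"\bEXC[0-9A-Z]{16}\b"),
    "example-mail-api-key": re.compile(r"\bkey-[0-9a-f]{32}\b"),
    "example-sms-auth-token": re.compile(r"\bsk_live_[0-9a-zA-Z]{24}\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int   # line number in the new version of the file
    token: str


def shannon_entropy(s: str) -> float:
    """Bits per character: real credentials score high, placeholders score low."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff: str, min_entropy: float = 3.0) -> List[Finding]:
    """Scan only added lines; removed and context lines cannot leak anything new."""
    findings: List[Finding] = []
    line_no = 0
    for raw in diff.splitlines():
        if raw.startswith(("diff --git", "---", "+++")):
            continue  # file headers carry no content
        if raw.startswith("@@"):
            # "@@ -a,b +c,d @@": c is the first new-file line of this hunk
            m = re.search(r"\+(\d+)", raw)
            line_no = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("-"):
            continue  # removed line: does not exist in the new file
        line_no += 1
        if not raw.startswith("+"):
            continue  # context line: already in the repository
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(raw[1:]):
                token = m.group(0)
                if shannon_entropy(token) >= min_entropy:
                    findings.append(Finding(kind, line_no, token))
    return findings


# Constructed diff: one real-looking key, one key still read from the
# environment, and one obvious placeholder that the entropy check discards.
PLACEHOLDER = "EXC" + "A" * 16  # right shape for an access key, obviously fake
SAMPLE_DIFF = f"""\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@
 DEBUG = False
-MAIL_API_KEY = os.environ["MAIL_API_KEY"]
+MAIL_API_KEY = "key-0123456789abcdef0123456789abcdef"
+SMS_AUTH_TOKEN = os.environ["SMS_AUTH_TOKEN"]
+PLACEHOLDER_KEY = "{PLACEHOLDER}"
 ALLOWED_HOSTS = ["example.invalid"]
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.kind} at line {f.line_no}: {f.token}")
```

Running it reports only the mail API key on new-file line 11; the placeholder matches the access-key regex but is filtered by the entropy threshold, which is the usual trick for keeping a scanner like this from paging people about documentation samples.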
Automated security fixes with Dependabot
While security vulnerability alerts give users the information they need to secure their projects, industry data shows that more than 70 percent of vulnerabilities remain unpatched after 30 days, and many take as long as a year to patch. At GitHub, we want to give you the tools to make dependency upgrades easy, so we’re excited to announce that we’ve acquired and integrated Dependabot into GitHub. With the help of Dependabot, GitHub will monitor your dependencies for known security vulnerabilities and automatically open pull requests to update them to the minimum version that fixes the vulnerability. We’ll be rolling out automated pull requests to all accounts with security alerts enabled over the coming months.
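The core of an automated fix is deciding, for each dependency, whether any advisory covers the pinned version and what the smallest version is that clears all of them. The following is an added example of that logic, written for this post rather than taken from Dependabot or GitHub; the advisory records, the package names (`examplelib`, `parserkit`, `otherpkg`, `cleanpkg`), and the function names are all constructed, and versions are treated as plain dotted integers with no pre-release handling.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """Dotted numeric versions only; pre-release tags are out of scope here."""
    return tuple(int(part) for part in s.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first vulnerable version (inclusive)
    fixed: str        # first patched version (exclusive upper bound)
    summary: str


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def minimum_fix(package: str, version: str, advisories: List[Advisory]) -> Optional[str]:
    """Smallest version of `package` that is outside every advisory range, or None."""
    relevant = [a for a in advisories if a.package == package]
    candidate = version
    # Jumping to the fix for one advisory can land inside another advisory's
    # range, so keep moving to the highest applicable fix until nothing matches.
    while True:
        hits = [a for a in relevant if is_affected(candidate, a)]
        if not hits:
            break
        candidate = max((a.fixed for a in hits), key=parse_version)
    return None if candidate == version else candidate


def plan_updates(manifest: Dict[str, str], advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (package, current, target) for every dependency that needs a bump."""
    plan: List[Tuple[str, str, str]] = []
    for package, current in manifest.items():
        target = minimum_fix(package, current, advisories)
        if target is not None:
            plan.append((package, current, target))
    return plan


def pull_request_title(package: str, current: str, target: str) -> str:
    """Title for the automated pull request that performs one bump."""
    return f"Bump {package} from {current} to {target}"


# Constructed advisories and manifest; the package names are fictional.
ADVISORIES = [
    Advisory("examplelib", "2.0.0", "2.3.4", "path traversal in archive extraction"),
    Advisory("examplelib", "2.3.0", "2.4.0", "denial of service via crafted header"),
    Advisory("parserkit", "3.0.0", "3.1.2", "regular expression denial of service"),
    Advisory("otherpkg", "1.0.0", "1.0.2", "information disclosure in error pages"),
]

MANIFEST = {
    "examplelib": "2.3.1",   # inside both examplelib advisories
    "parserkit": "3.1.0",    # inside the parserkit advisory
    "otherpkg": "1.0.5",     # already past the fix
    "cleanpkg": "0.9.0",     # no advisories at all
}

if __name__ == "__main__":
    for package, current, target in plan_updates(MANIFEST, ADVISORIES):
        print(pull_request_title(package, current, target))
```

The overlapping `examplelib` advisories show why the loop matters: the first advisory alone would suggest 2.3.4, but that version still sits inside the second advisory's range, so the correct minimum is 2.4.0. Real ecosystems add complications this example skips, such as pre-release ordering and ranges expressed as semver constraints rather than introduced/fixed pairs.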
Open source security
Nearly every software project will have a security bug at some point in its lifetime, but vulnerabilities in open source software can have a significant impact when thousands of projects depend on it. While major vendors may have a dedicated security team that knows how to work through security issues when they happen, most open source projects don’t. We’re excited to announce these new features to help maintainers privately address and responsibly disclose security issues.
- Maintainer security advisories (beta): When open source maintainers do run into a security vulnerability, they need a place where they can address and disclose the issue so users are protected. Now maintainers have a private workspace to discuss, fix, and publish security advisories to people who rely on their projects right within GitHub—without tipping off would-be hackers.
- Security policy: Security is everyone’s job, and well-meaning users often create public issues to let maintainers know about a suspected security bug. Now, with support for a security policy (a SECURITY.md file in the repository), maintainers can reach users as they create new issues and let them know there’s a security policy they should follow. Organizations can also create one security policy for the entire organization that automatically applies to every repository within it.
The security challenges facing today’s software are community problems. With the breadth of data and connections GitHub maintains as the leading software development platform, we have a responsibility to protect the community from threats and enhance security for everyone. We’re continuing to invest in new capabilities and work with partners to bring industry best practices into GitHub.