We’re all part of a deeply interconnected community, where the software we write builds on the work of others. Ninety-nine percent of new software projects depend on open source code. This extensive code reuse helps everyone build better software faster than ever before, but it also puts us all at risk of distributing security vulnerabilities from our dependencies. It’s more important than ever that every developer becomes a security developer—that they responsibly disclose vulnerabilities and patch vulnerable code quickly.
Today, we’re excited to announce several new security features designed to make it easier for developers to secure their code.
- Dependency insights: When a security vulnerability is released publicly, enterprises need tools to quickly audit dependencies and better understand their exposure. Dependency insights builds on the power of the dependency graph, so enterprises get full visibility into their dependencies, including details on security vulnerabilities and open source licenses.
- Token scanning: Previously announced as beta, token scanning is now generally available and supports more token formats including those from Alibaba Cloud, Mailgun, and Twilio to make sure accidental check-ins don’t turn into data breaches.
While security vulnerability alerts provide users with the information to secure their projects, industry data shows that more than 70 percent of vulnerabilities remain unpatched after 30 days, and many can take as much as a year to patch! At GitHub, we want to give you the tools to make dependency upgrades easy, so we’re excited to announce that we’ve acquired and integrated Dependabot into GitHub. With the help of Dependabot, GitHub will monitor your dependencies for known security vulnerabilities and automatically open pull requests to update them to the minimum required version. We’ll be rolling out automated pull requests to all accounts with security alerts enabled over the coming months.
Nearly every software project will have a security bug at some point in its lifetime, but vulnerabilities in open source software can have a significant impact when thousands of projects depend on it. While major vendors may have a dedicated security team that knows how to work through security issues when they happen, most open source projects don’t. We’re excited to announce these new features to help maintainers privately address and responsibly disclose security issues.
- Maintainer security advisories (beta): When open source maintainers do run into a security vulnerability, they need a place where they can address and disclose the issue so users are protected. Now maintainers have a private workspace to discuss, fix, and publish security advisories to people who rely on their projects right within GitHub—without tipping off would-be hackers.
- Security policy: Security is everyone’s job, and well-meaning users often create public issues to let maintainers know about a suspected security bug. Now with support for a security policy, maintainers can reach users as they create new issues to let them know there’s a security policy they should follow. Organizations can also create one security policy for their entire organization that automatically applies to every repository within the organization.
The security challenges facing today’s software are community problems. With the breadth of data and connections GitHub maintains as the leading software development platform, we have a responsibility to protect the community from threats and enhance security for everyone. We’re continuing to invest in new capabilities and work with partners to bring industry best practices into GitHub.