Last week we launched code scanning out of beta and have since announced integrations with static analysis and developer security training solutions. By expanding our GitHub security ecosystem, developers can use their tools of choice for any of their projects on GitHub, all within the native GitHub experience they love. Our integrations tightly couple the developer workflow with a security review through GitHub Actions and Apps.
But, security doesn’t stop at static analysis. That’s why we’ve enabled other security tools that support the Static Analysis Results Interchange Format (SARIF). Today, we’re happy to introduce additional support for container scanning as well as standards and configuration scanning for infrastructure as code.
Code scanning’s extensibility enables teams to orchestrate security reviews throughout the software development lifecycle – using static analysis tools while coding, managing software supply chain security using Dependabot, scanning build artifacts with container scanning, and scanning configuration before deployment to a cloud service provider.
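As an added illustration of what a SARIF-emitting third-party tool hands to code scanning (example code, not from GitHub or any vendor named here), the following Python builds a minimal SARIF 2.1.0 log from a constructed set of infrastructure-as-code findings and checks the fields the alert view depends on. The scanner name, rule IDs and findings are all hypothetical.

```python
import json

# Constructed findings from a hypothetical IaC scanner; not any vendor's real output.
FINDINGS = [
    {"rule": "S3-PUBLIC-READ", "level": "error", "file": "infra/storage.tf",
     "line": 12, "text": "S3 bucket ACL grants public read access."},
    {"rule": "SG-OPEN-SSH", "level": "warning", "file": "infra/network.tf",
     "line": 40, "text": "Security group allows port 22 from 0.0.0.0/0."},
]

def to_sarif(findings, tool_name="example-iac-scanner", tool_version="0.1.0"):
    """Minimal SARIF 2.1.0 log: each result has a ruleId, a message and a physical
    location (repo-relative path plus line); rules are listed once under tool.driver."""
    rules, results = {}, []
    for f in findings:
        rules.setdefault(f["rule"], {
            "id": f["rule"],
            "shortDescription": {"text": f["text"]},
            "defaultConfiguration": {"level": f["level"]},
        })
        results.append({
            "ruleId": f["rule"],
            "level": f["level"],
            "message": {"text": f["text"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]}}}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "version": tool_version,
                                       "rules": list(rules.values())}},
                  "results": results}],
    }

def validate_for_upload(sarif):
    """Return problems with the fields code scanning uses to place and label an alert."""
    problems = []
    if sarif.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    for run in sarif.get("runs", []):
        for i, r in enumerate(run.get("results", [])):
            if not r.get("ruleId"):
                problems.append(f"result {i}: missing ruleId")
            if not r.get("message", {}).get("text"):
                problems.append(f"result {i}: missing message.text")
            if not (r.get("locations") or [{}])[0].get("physicalLocation"):
                problems.append(f"result {i}: missing physicalLocation")
    return problems
```

Writing `json.dumps(to_sarif(FINDINGS), indent=2)` to a `.sarif` file gives the artifact a workflow's upload step sends to code scanning.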
These integrations unlock key objectives identified by the DevSecOps and “shifting left” movements and help make security an integral part of the development life cycle. Stay tuned as we continue to advance toward these objectives through additional native capabilities and integrations with third-party tools.
Check out the integrations available on the GitHub Marketplace or navigate to the Advanced Security tab and configure a workflow for a third-party solution – you’ll find all these integrations available directly in the GitHub code scanning UI with a pre-configured workflow or GitHub App available!
The REST API Static Security Testing Action lets you add an automatic static application security testing (SAST) task to your CI/CD workflows and PR checks. The action checks the quality and security of your OpenAPI files on every Git push to your project repository, whenever the CI/CD workflow runs.
The action is powered by 42Crunch API Contract Security Audit. Security Audit performs a static analysis of the API definition that includes more than 200 checks on best practices and potential vulnerabilities on how the API defines authentication, authorization, transport, and data coming in and going out.
Accurics envisions a world where organizations can innovate with confidence. Its mission is to enable cyber resilience through self-healing security as organizations embrace cloud native infrastructure. The Accurics platform programmatically detects and resolves risks across Infrastructure as Code to reduce the attack surface before infrastructure is provisioned. It maintains the secure posture in runtime by mitigating risks from changes to the infrastructure. Accurics provides free and commercial tools so that all organizations can achieve cyber resilience.
Bridgecrew is the developer-first platform streamlining cloud security from commit to cloud. Powered by automation, Bridgecrew enables teams big and small to find, fix, and prevent cloud misconfigurations. The Bridgecrew platform addresses errors both in run-time, with support for AWS, Kubernetes, Azure, and Google Cloud, and in build-time, with support for Terraform, CloudFormation, Serverless Framework, and more. With its native version control system and CI/CD integrations, Bridgecrew embeds cloud security earlier in the development lifecycle and makes it accessible, efficient, and fast.
Snyk is a developer-first security company that helps software-driven businesses develop fast and stay secure. Snyk’s comprehensive security platform, including open source, container and infrastructure as code security, is the only solution that seamlessly and proactively finds and fixes vulnerabilities and license violations in open source dependencies and container images. Snyk’s solution is built on a comprehensive, proprietary vulnerability database, maintained by an expert security research team. With tight integration into existing developer workflows, source control systems and CI/CD pipelines, Snyk enables efficient security workflows and reduces mean-time-to-fix.
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed. Aqua’s open source projects include the widely adopted Trivy container image scanner, Kube-Bench for the CIS Kubernetes Benchmark, and Kube-Hunter for pen-testing Kubernetes clusters. Aqua serves more than 400 of the Global 2000 companies in banking, retail, manufacturing, technology, media, healthcare and travel sectors.
Anchore Enterprise is a complete container security workflow solution for professional teams. Integrating seamlessly with a wide variety of development tools and platforms, it allows teams to adhere to defined industry security standards without compromising velocity. The Anchore Enterprise user interface provides visibility to security teams, allowing them to audit and verify compliance throughout the organization. It can be deployed in air-gapped and public cloud environments and is built for large scale. Anchore Enterprise is based on Anchore Engine, an open-source tool for deep image inspection and vulnerability scanning.