Highlights from GitHub’s security roadmap at Universe 2021

During Universe, we received a number of security questions ranging from our strategy to our advisories. Here's what we've got planned!

Author

Berk Veral

November 12, 2021

We recently wrapped up GitHub Universe 2021. During this global event where tens of thousands of developers and decision makers joined live to hear the latest from GitHub, it was no surprise that security was a key topic. During our Universe sessions, we answered many security questions ranging from our strategy to our advisories and wanted to share some of the key topics more broadly for those interested in learning more about GitHub Security.

Let’s start with the questions about security incident reporting, and of course, GitHub Advanced Security (GHAS). GHAS is our security solution for GitHub Enterprise customers that provides capabilities like code scanning, secret scanning, and dependency review on your private repositories.

QUESTION:: With all the security-related features that GitHub has introduced lately, are there plans to add a solution that would allow users to report security issues confidentially?

ANSWER:: We’re always looking to empower our community. We expect to further our work on private vulnerability reporting on GitHub in 2022. Check out Chief Security Officer Mike Hanley’s Universe talk on improving security vulnerability reporting to learn more.

QUESTION:: Are there any discussions about being able to export GHAS data so it can be consumed in another tool (i.e. backlog)?

ANSWER:: Yes. We aim to have APIs and webhook events for all the data displayed in our security products, including code scanning, secret scanning, and Dependabot alerts. You can use these to pull the data in real time, or at specific cadences. If you don’t want to use the API to get your data, we’re planning to introduce export functionality to the org-level security overview in the future.

Dependabot, our solution that automatically monitors and identifies dependencies in your code, was also top-of-mind for many Universe attendees:

QUESTION:: Dependabot checks dependency manifests against the GitHub Advisory Database today. Are there any plans to also analyze actual changes to the dependencies themselves for maliciously added functionality, in order to detect malicious packages when there might not be a CVE or other advisory out yet?

ANSWER:: Yes! The GitHub Security Lab already proactively hunts for vulnerabilities in open source, but we want to do more to make open source safe from malware. We’re building a team to work on this right now (we’re hiring!), and we expect to make contributions at the package manager and registry level, as well as to GitHub itself.

QUESTION:: Any plans for custom extension of Dependabot and/or the dependency graph for other languages?

ANSWER:: Yes, we’re working on an API for the dependency graph that will allow you to submit information into it. The intention is to work with package managers like Gradle to make it easy to export a list of your dependencies and upload them to the dependency graph. We have a similar initiative for Dependabot, where we’re starting to work directly with package managers to make it easy for them to “add themselves” to Dependabot.

QUESTION:: Is there any central dashboard planned for an organization’s Dependabot results, instead of reporting that’s specific to a single repository?

ANSWER:: Our vision for org-wide reporting is the security overview. We already show all an organization’s secret scanning results there, and we’re currently working on adding Dependabot and code scanning alerts.

Another topic Universe attendees asked about was CodeQL. CodeQL is GitHub’s analysis engine used by developers to automate security checks and by security researchers to perform variant analysis.

QUESTION:: Which languages are currently supported by CodeQL and which are planned for the future?

ANSWER:: We announced CodeQL support for Ruby (in beta) at Universe this year, which joins C/C++, C#, Java, Javascript/TypeScript, Python, and Go as our currently supported languages. While in beta, Ruby has a limited queryset (so it scans for a small number of vulnerability categories), but we’re adding more every week. In addition, we’re working on adding support for Kotlin and Swift.

These questions touch on our plans for the rest of 2021 and beyond, and they’re just a sampling of what was asked at Universe—and what we’ve got planned. Security continues to be top-of-mind for developers and enterprise decision makers alike, and GitHub continues to enable our community to develop and collaborate securely. We have a number of security initiatives in flight that we can hardly wait to share with you, so stay tuned and stay safe!

Tags:

Best practices on rolling out code scanning at enterprise scale

Learn best practices on how to roll out centrally managed, developer-centric application security with a third party CI/CD system like Jenkins or ADO.

Kevin Alwell

How the community powers GitHub Advanced Security with CodeQL queries

The GitHub Security Lab’s CodeQL bounty program fuels GitHub Advanced Security with queries written by the open source community.

Xavier René-Corail

GitHub Advanced Security: Introducing security overview beta and general availability of secret scanning for private repositories

GitHub Advanced Security helps you create secure applications with a community-driven, developer-first approach. Today, we are excited to announce two updates: Beta of the new security overview for organizations and…

William Bartholomew