We’ve been blogging a lot lately about different things you can do to improve the security of your projects. You might have seen recent posts, like this one on end-to-end supply chain security from my colleague @steiza, or this one from @15mariams on preventing secret leaks with GitHub Advanced Security. With the threat landscape changing as quickly as it does today, it can be tough to stay on top of everything you need to do to keep ahead of it.
Staying on top of dependency security
The sheer number of dependencies that most projects use means that if you’re not using automation to track the security risks in your dependency tree, chances are you’re already vulnerable. Most security vulnerabilities are not malicious; they come from accidental coding mistakes. They can still open the door for malicious actors to go after your users or their data.
Understand your dependencies
GitHub provides a number of built-in tools designed to help you manage your dependency tree, including the dependency graph and dependency review. For each repository, the dependency graph shows the repository’s dependencies and dependents, the ecosystems they come from, and the packages that each dependency in turn relies on.
Dependency review lets you understand a dependency before you introduce it into your project. As part of a pull request, you can see what you’re introducing, changing, or removing, along with information about each dependency’s vulnerabilities, age, license, and usage.
Dependency review gives you:
- The known vulnerabilities in the dependency version being added, along with their severity and whether a newer, fixed version exists
- The license info for each dependency
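To make dependency review block a pull request rather than just annotate it, you can run GitHub’s `actions/dependency-review-action` in a workflow. The following is an added example and not code from the original post: it fails the check when a newly added dependency carries a known vulnerability of moderate severity or higher, or ships under a license you don’t accept, and it writes a summary comment on the pull request. The branch name `main` and the two denied licenses are assumptions for illustration; adjust them to your project. The action needs the dependency graph enabled on the repository, and on private repositories that requires GitHub Advanced Security.

```yaml
# .github/workflows/dependency-review.yml (added example, not from the original post)
name: Dependency review

on:
  pull_request:
    branches: [main]        # assumption: your default branch is "main"

permissions:
  contents: read
  pull-requests: write     # only needed for comment-summary-in-pr below

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the pull request
        uses: actions/checkout@v4

      - name: Review added and changed dependencies
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check for any added dependency with a vulnerability at or above this severity.
          fail-on-severity: moderate
          # Fail the check for added dependencies under these SPDX licenses (assumed deny-list).
          # allow-licenses and deny-licenses are mutually exclusive; use one or the other.
          deny-licenses: GPL-3.0, AGPL-3.0
          # Post a results table on the pull request so reviewers see it without opening the job log.
          comment-summary-in-pr: always
```

The severity threshold is the knob to tune: `low` will catch everything but may stall pull requests on findings nobody intends to act on, while `critical` only blocks the worst. Pin the action to a version you have reviewed, and check the action’s README for the exact input names supported by that version.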
Respond to vulnerable dependencies
Having this instant snapshot and review of your dependencies gives you the power to act, which is where Dependabot comes in. With Dependabot, you can not only catch vulnerable dependencies but fix them as well. Dependabot alerts tell you when a dependency in your graph has a known vulnerability, and Dependabot security updates open a pull request that bumps it to the lowest fixed version. Dependabot version updates go a step further: they check your dependency files for outdated requirements and open individual pull requests for any they find, so that you’re always working on the latest, most secure releases.
Dependabot alerts can be enabled on your public and private repositories. You can customize notifications so you only receive the alerts you want and nothing more. You can also see all of the alerts that affect a particular project in the repository’s Security tab or in its dependency graph.
How do I turn on Dependabot?
- Go to GitHub.com.
- Navigate to the main page of the repository.
- Under your repository name, click Settings.
- On the left sidebar, click Code security and analysis.
- Finally, click the Enable button for Dependency graph, Dependabot alerts, and Dependabot security updates.
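The settings toggles above turn on alerts and security updates, which need no configuration file. If you also want Dependabot to keep dependencies current on a schedule, that is configured with a `dependabot.yml` file in the repository. The following is an added example and not configuration from the original post: it schedules weekly version updates for an npm project and for the GitHub Actions the repository uses, groups minor and patch bumps into one pull request to cut review noise, and ignores major bumps of a named package. The `npm` ecosystem, the root `directory`, the `dependencies` label, and the `express` package are assumptions for illustration; substitute the ecosystems and packages your project actually uses.

```yaml
# .github/dependabot.yml (added example, not from the original post)
version: 2
updates:
  # Application dependencies. Assumption: an npm project with package.json at the repository root.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap concurrent version-update pull requests so a busy week does not flood the queue.
    open-pull-requests-limit: 10
    labels:
      - "dependencies"        # assumption: a label your triage process already uses
    # Roll all minor and patch bumps into a single pull request per run.
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    # Keep major bumps of this package out of version updates so they get a deliberate upgrade.
    # Assumption: "express" stands in for whatever package you want to pin this way.
    ignore:
      - dependency-name: "express"
        update-types: ["version-update:semver-major"]

  # The actions referenced in .github/workflows are dependencies too; keep their tags current.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Two points worth checking after you commit this: the `ignore` rule applies to version updates, so a vulnerable major version of the ignored package will still get a security-update pull request; and if your repository has several manifests (a monorepo, or a Dockerfile alongside the application), each one needs its own entry under `updates`, or Dependabot will not see it.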