Automated security updates, now generally available

Automated security updates (formerly Dependabot and automated security fixes) are now generally available in all public repositories on GitHub. After a popular debut at Satellite 2019, more than 3.5 million active repositories have the feature enabled and receive automated pull requests that update them to the nearest non-vulnerable dependency versions. Thanks to all of our beta testers and Dependabot users for your feedback and support.

Learn more about automated security updates

GitHub Security Lab, launched at GitHub Universe 2019, is a new GitHub initiative whose mission is to inspire and enable the community to secure the open source software we all depend on. We hunt for vulnerabilities in open source projects and build tools to make it easier for others to find those vulnerabilities in their own codebases. In addition, we’re building an open coalition with security teams and researchers across the world that will focus on making security accessible to every researcher and every developer.

GitHub’s first contribution to the Security Lab effort is the free release of CodeQL for Research. CodeQL is an industry-leading semantic code analysis engine that enables you to discover vulnerabilities across your codebase. You can query code as though it were data to find a vulnerability pattern and all of its variants.

Learn more on the GitHub Security Lab website

See more

GitHub Advisory Database

The GitHub Advisory Database is a new experience that allows you to browse or search for the vulnerabilities that GitHub knows about. The database contains all curated CVEs and security advisories which have been mapped to a package tracked by the GitHub dependency graph. CVE numbers will also automatically be linked from within issues and pull requests back to the Advisory Database (e.g. typing CVE-2019-13611 will automatically link to this entry in the database).

Linking to a CVE within a GitHub comment

Did you know? This data can also be accessed programmatically using the SecurityAdvisory API. Try the following query in our GraphQL Explorer:

query {
  securityAdvisories(orderBy: {field: PUBLISHED_AT, direction: DESC}, first: 2) {
    nodes {
      description
      ghsaId
      summary
      publishedAt
    }
  }
}

Learn more about the GitHub Advisory Database

 

See more