From finding to fixing: GitHub Advanced Security integrates Endor Labs SCA

It’s no wonder developers are increasingly overwhelmed. The number of new CVEs published each year has increased by nearly 500% in the last decade. And the average project, with just 10 direct dependencies, can have hundreds of indirect dependencies. Put simply, developers are often buried under a mountain of security alerts and unable to prioritize which ones to remediate first.

While high-profile supply chain attacks like last year’s XZ Utils backdoor tend to capture attention, the danger they pose is just a fraction of the overall threat landscape. The bigger risk often comes from unpatched vulnerabilities in lesser-known open source dependencies.

GitHub’s partnership with Endor Labs cuts through the noise to help developers accurately identify, remediate, and fix the most critical vulnerabilities—without ever leaving GitHub.

With Endor Labs software composition analysis (SCA) integrated into GitHub Advanced Security and Dependabot, development teams can dismiss up to 92% of low-risk dependency security alerts to focus instead on the vulnerabilities that matter most.

How it works

Endor Labs SCA brings context into open source vulnerability detection

Endor Labs SCA helps identify and prioritize dependency vulnerabilities by their potential impact, according to factors like reachability, exploitability, and more. For example, Endor Labs checks if the vulnerable function of a given dependency is actually reachable by your application or if it is just sitting on an unused corner of a transitive dependency. Security teams can also configure risk, licensing, and permission profiles to ensure developers are not bothered unless the risk is truly warranted.

Prioritize and fix open source vulnerabilities with GitHub

GitHub Advanced Security integrates crucial security practices directly into the development workflow, offering developers a streamlined way to secure their code. Its features are free for open source maintainers, including dependency review, secret scanning, code scanning, and Copilot Autofix.

Dependabot, available for free to all GitHub users, automates dependency updates, so you can spend more time building. Developers can remediate vulnerabilities by merging Dependabot-authored pull requests with the click of a button or by applying Endor Patches.

Secure your automated workflows

GitHub Actions makes it easy to automate all your software workflows, whether you want to build a container, deploy a web service, or welcome new users to your open source project. These actions are often updated with bug fixes and new features, which can take time to maintain.

Endor Labs automatically discovers in-use actions and their dependencies to ensure they fit your risk, licensing, and permission profiles. Dependabot automatically updates your dependencies, and code scanning helps identify existing workflow configuration vulnerabilities and prevent new ones.

Written by

Mario Rodriguez

@mariorod

Mario Rodriguez leads the GitHub Product team as Chief Product Officer. His core identity is being a learner and his passion is creating developer tools—so much so that he has spent the last 20 years living that mission in leadership roles across Microsoft and GitHub. Mario most recently oversaw GitHub’s AI strategy and the GitHub Copilot product line, launching and growing Copilot across thousands of organizations and millions of users. Mario spends time outside of GitHub with his wife and two daughters. He also co-chairs and founded a charter school in an effort to progress education in rural regions of the United States.

Varun Badhwar

Varun Badhwar currently serves as the Founder & CEO of Endor Labs, a startup focused on software supply chain security. Prior to starting Endor Labs, Varun was the founding GM and SVP of Prisma Cloud at Palo Alto Networks, where he built the cloud-native security business. Varun joined Palo Alto Networks through the acquisition of RedLock, a CSPM startup he founded.