GitHub's latest security updates aim to protect projects in their earliest stages
The changes catch vulnerable dependencies and leaked secrets early in a project's life, before they can surface in products further down the line


GitHub has made a number of improvements to its code-hosting platform this week aimed at identifying security issues in the early stages of a project.
The Microsoft-owned company announced on Wednesday that it will be adding new functionality to Dependabot, its tool for automatically detecting security vulnerabilities in project dependencies.
Dependabot currently alerts users when a vulnerability is found in an existing project dependency. The platform's new dependency review action lets users proactively block vulnerable dependencies at the point a pull request proposes to add them, before the change is merged.
"When you add the dependency review action to your repository, it will scan your pull requests for dependency changes," said GitHub in a blog post.
“Then, it will check the GitHub Advisory Database to see if any of the new dependencies have existing vulnerabilities. If they do, the action will raise an error so that you can see which dependency has a vulnerability and implement the fix with the contextual intelligence provided.”
The action is now available in beta from the GitHub Marketplace and is supported by a new API endpoint that compares the dependencies between any two revisions.
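The gating decision described above, as an added example that is not GitHub's own code: it takes the dependency diff between two revisions, inspects only the packages the pull request adds, and fails when any of them carries an advisory at or above a chosen severity. The input shape is modelled on the dependency-graph compare endpoint (GET /repos/{owner}/{repo}/dependency-graph/compare/{base}...{head}); the payload, package names and GHSA identifiers below are constructed for illustration, and the severity threshold mirrors the `fail-on-severity` input that current versions of the action expose.

```python
"""Gate a pull request on newly added vulnerable dependencies.

Added example, not GitHub's own code. It reproduces the decision the
dependency review action makes: take the dependency diff between two
revisions, and fail when a package ADDED by the pull request carries a
known advisory at or above a chosen severity. The payload below is
constructed for illustration and is not real advisory data.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Severity order used for the threshold (names as the Advisory Database uses them).
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed compare response: one added package with a "high" advisory,
# one added clean package, and one removed package whose "critical"
# advisory must NOT count, because the PR is taking it out.
SAMPLE_DIFF = json.dumps([
    {"change_type": "added", "manifest": "package.json", "ecosystem": "npm",
     "name": "example-parser", "version": "2.0.1", "license": "MIT",
     "vulnerabilities": [
         {"severity": "high", "advisory_ghsa_id": "GHSA-aaaa-bbbb-cccc",
          "advisory_summary": "Constructed advisory for illustration",
          "advisory_url": "https://github.com/advisories/GHSA-aaaa-bbbb-cccc"}]},
    {"change_type": "added", "manifest": "package.json", "ecosystem": "npm",
     "name": "example-logger", "version": "1.4.0", "license": "MIT",
     "vulnerabilities": []},
    {"change_type": "removed", "manifest": "package.json", "ecosystem": "npm",
     "name": "example-legacy", "version": "0.9.3", "license": "ISC",
     "vulnerabilities": [
         {"severity": "critical", "advisory_ghsa_id": "GHSA-dddd-eeee-ffff",
          "advisory_summary": "Constructed advisory for illustration",
          "advisory_url": "https://github.com/advisories/GHSA-dddd-eeee-ffff"}]},
])


@dataclass(frozen=True)
class Finding:
    """One added dependency/advisory pair that breaches the threshold."""
    manifest: str
    ecosystem: str
    name: str
    version: str
    severity: str
    ghsa_id: str
    summary: str


def review_dependency_diff(diff_json: str, fail_on_severity: str = "low") -> list[Finding]:
    """Return the findings that would make the check fail.

    Only 'added' changes are inspected: a removed package cannot introduce
    a new vulnerability into the PR, so it never blocks. Unknown severities
    rank 0 and therefore never meet the threshold.
    """
    threshold = SEVERITY_RANK[fail_on_severity.lower()]
    findings: list[Finding] = []
    for change in json.loads(diff_json):
        if change.get("change_type") != "added":
            continue
        for vuln in change.get("vulnerabilities", []):
            severity = str(vuln.get("severity", "")).lower()
            if SEVERITY_RANK.get(severity, 0) >= threshold:
                findings.append(Finding(
                    manifest=change["manifest"],
                    ecosystem=change["ecosystem"],
                    name=change["name"],
                    version=change["version"],
                    severity=severity,
                    ghsa_id=vuln["advisory_ghsa_id"],
                    summary=vuln.get("advisory_summary", ""),
                ))
    return findings


def pull_request_passes(diff_json: str, fail_on_severity: str = "low") -> bool:
    """True when no added dependency breaches the configured severity."""
    return not review_dependency_diff(diff_json, fail_on_severity)


def format_report(findings: list[Finding]) -> str:
    """Render findings the way a CI log would show them: one line each."""
    if not findings:
        return "dependency review: no vulnerable dependencies added"
    lines = [f"dependency review: {len(findings)} blocking finding(s)"]
    for f in findings:
        lines.append(f"  {f.manifest}: {f.ecosystem}/{f.name}@{f.version} "
                     f"[{f.severity}] {f.ghsa_id} {f.summary}")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = review_dependency_diff(SAMPLE_DIFF, fail_on_severity="moderate")
    print(format_report(hits))
    raise SystemExit(1 if hits else 0)  # non-zero exit fails the CI job
```

The point worth noticing is the `change_type` filter: the diff also lists the removed package with its critical advisory, and a naive check that scanned every entry would block the very pull request that removes it.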
Earlier this week, GitHub also announced an upgrade to its secret-scanning functionality that checks private projects for secrets that may be leaked or exposed to bad actors.
GitHub defines 'secrets' as credentials issued by service providers that grant access under a user's privileges, such as API tokens and private keys. Anyone with read access to a project that contains one can use it to reach the external service with that user's privileges.
GitHub Advanced Security users can now stop such leaks before they happen: GitHub scans pushed commits for secrets and rejects the push before the secret reaches the repository.
“To date, GitHub has detected more than 200,000 secrets across thousands of private repositories using secret scanning for GitHub Advanced Security; GitHub also scans for our partner patterns across all public repositories for free,” said GitHub in a separate blog post.
“By scanning for highly identifiable secrets before they are committed, we can, together, shift security to being proactive instead of reactive and prevent secrets from leaking altogether.”
To avoid disrupting developer workflows, the new push protection capability checks only for high-confidence secrets, launching with 69 patterns in total, each chosen for a high signal-to-noise ratio so that the feature raises as few false positives as possible.
Push protection can be enabled with one click in the repository's settings UI, or via the API.
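The trade-off described above, as an added example that is not GitHub's implementation or its pattern set: a pre-push check that scans only the lines a push adds, blocks on patterns that are highly identifiable (a distinctive prefix plus an exact length), and merely warns on generic `password = ...` assignments, which match real secrets but also fixtures and placeholders. The two blocking patterns are assumptions drawn from publicly documented token formats, and the diff is constructed for illustration (the AWS value is the placeholder key used in AWS documentation).

```python
"""Block a push that adds a high-confidence secret.

Added example, not GitHub's own implementation or pattern set. Only
highly identifiable patterns (fixed prefix plus fixed length) block the
push; generic 'password = ...' assignments are reported but never block,
to keep false positives down. The patterns are assumptions based on
publicly documented token formats; the diff is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# High-confidence: a distinctive prefix and an exact length leave little
# room for an ordinary string to match by accident.
HIGH_CONFIDENCE_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Low-confidence: matches real secrets but also test fixtures, docs and
# placeholders, so it is surfaced as a warning rather than a block.
LOW_CONFIDENCE_PATTERN = re.compile(r"(?i)\b(password|secret|api_key)\s*=\s*\S+")


@dataclass(frozen=True)
class Hit:
    path: str
    line_no: int      # line number in the NEW version of the file
    pattern: str
    redacted: str     # never echo the full credential into logs


def _redact(token: str) -> str:
    """Keep enough of the token to recognise it, mask the rest."""
    return token[:4] + "*" * max(len(token) - 8, 0) + token[-4:]


def scan_push(diff_text: str) -> tuple[list[Hit], list[Hit]]:
    """Scan a unified diff; return (blocking_hits, warning_hits).

    Only lines the push ADDS ('+' lines) are inspected: removed lines
    cannot introduce a new leak, and context lines are already in history.
    """
    blocking: list[Hit] = []
    warnings: list[Hit] = []
    path, line_no = "", 0
    for raw in diff_text.splitlines():
        if raw.startswith(("diff ", "index ", "--- ", "\\")):
            continue                                 # headers / no-newline marker
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)          # start line of the new side
            line_no = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("-"):
            continue                                 # removed: not in the new file
        line_no += 1                                 # '+' line or context line
        if not raw.startswith("+"):
            continue
        content = raw[1:]
        for name, pattern in HIGH_CONFIDENCE_PATTERNS.items():
            for m in pattern.finditer(content):
                blocking.append(Hit(path, line_no, name, _redact(m.group(0))))
        if LOW_CONFIDENCE_PATTERN.search(content):
            warnings.append(Hit(path, line_no, "generic_assignment", "<not shown>"))
    return blocking, warnings


def push_allowed(diff_text: str) -> bool:
    """Only high-confidence hits reject the push."""
    return not scan_push(diff_text)[0]


# Constructed diff: a removed token (must be ignored), a token in the
# documented GitHub PAT format, the AWS documentation placeholder key,
# and a generic password assignment that should warn but not block.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
index 1111111..2222222 100644
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-OLD_TOKEN = "ghp_ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+password = "hunter2"
 print(os.environ)
"""

if __name__ == "__main__":
    block, warn = scan_push(SAMPLE_DIFF)
    for h in block:
        print(f"BLOCKED {h.path}:{h.line_no} {h.pattern} {h.redacted}")
    for h in warn:
        print(f"warning {h.path}:{h.line_no} {h.pattern}")
    raise SystemExit(0 if push_allowed(SAMPLE_DIFF) else 1)
```

Feeding this `git diff origin/main...HEAD` output from a pre-push hook gives the same shape of behaviour the article describes: the two fixed-format credentials stop the push, the generic assignment only produces a warning, and the token on the removed line is never reported.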
The latest features implemented by GitHub come amid a consistent innovation drive at the company to improve the developer experience, particularly when it comes to security.
Over the past few months, GitHub has introduced a number of security improvements that aim to stamp out security vulnerabilities in open source code.
In February this year, GitHub launched a code-scanning tool specifically for JavaScript and TypeScript projects, allowing developers to scan for the most common threats affecting products written in the popular languages as early as possible.
The company also opened up its security Advisory Database, on which the new Dependabot feature relies, for submissions from independent security researchers, academics, and enthusiasts to bolster the bank of security issues developers can check their projects against.
Vulnerabilities in open source code have been a particularly prominent topic in cyber security over the past year, with Log4Shell and, more recently, Spring4Shell dominating the headlines.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.