GitHub starts alerting developers of security vulnerabilities in dependencies

Popular Git repository hosting service GitHub has introduced a new feature to help developers keep their projects safer: security alerts for vulnerabilities in software packages which their projects depend on.

GitHub vulnerability security alerts

GitHub hosts some 67 million code repositories, and is among the largest collections of open source data. According to their statistics, 45% of the 100 largest companies in the United States (by revenue) use GitHub Enterprise to build software.

Over 75 percent of GitHub projects have code dependencies.

Security alerts powered by the Dependency Graph

The security alerts service depends on the Dependency Graph, which is available by default for every public repository and can be set up for private repositories.

“Public repositories will automatically have your dependency graph and security alerts enabled. For private repositories, you’ll need to opt in to security alerts in your repository settings or by allowing access in the Dependency Graph section of your repository’s Insights tab,” Miju Han, GitHub Director of Product, Data, explained.

How does it work?

“GitHub tracks public vulnerabilities in Ruby gems and NPM packages on MITRE’s Common Vulnerabilities and Exposures (CVE) List,” the company notes.

“When GitHub receives a notification of a newly-announced vulnerability, we identify public repositories (and private repositories that have opted in to vulnerability detection) that use the affected version of the dependency. Then, we send security alerts to owners and people with admin access to affected repositories.”

The security alerts include a severity level and a link to the affected file in the project and, when available, a link to the CVE record and a suggested fix:

GitHub vulnerability security alerts

Other people or teams working in organization-owned repositories can also receive these alerts, if the admin(s) make it possible. Alerts can be received via email, in the user’s web notifications, or in the GitHub user interface.

For the moment, the Dependency Graph and security alerts support Javascript and Ruby (the most popular and the fourth most popular programming languages on GitHub). Python support is planned for 2018.

Also, security alerts are currently limited to flaws that have CVE IDs.

Advice for developers

“After you learn about a vulnerable dependency in your repository, you should investigate its impact on your project and verify that the vulnerability is resolved by the version change before you update the dependency. If a safe recommended version does not exist, we recommend removing the dependency altogether in favor of a similar, safe dependency, if one is available,” GitHub advises.

“Notify project collaborators, owners of any forks of your project, and any projects that depend on yours of the recommended version change and tell them how the previously vulnerable dependency affected your project.”