GitHub has announced that its recently introduced feature for alerting developers about known vulnerabilities in software packages that their projects depend on will now also work for Python packages.
About Security Alerts
The security alerts service depends on the Dependency Graph, which is turned on by default for every public repository and can be set up for private repositories.
“GitHub tracks public vulnerabilities in Ruby gems, NPM and Python packages on MITRE’s Common Vulnerabilities and Exposures (CVE) List,” the company explains.
“When GitHub receives a notification of a newly-announced vulnerability, we identify public repositories (and private repositories that have opted in to vulnerability detection) that use the affected version of the dependency. Then, we send security alerts to owners and people with admin access to affected repositories. You can also configure security alerts for additional people or teams working in organization-owned repositories.”
The alerts can be received via email, web notification, or via the GitHub user interface. They contain a severity level (Low, Moderate, High, Critical), a link to the affected file in the project and, if available, a link to the CVE record and a suggested fix.
Python support added
“We’ve chosen to launch the new platform offering with a few recent vulnerabilities. Over the coming weeks, we will be adding more historical Python vulnerabilities to our database,” Robert Schultheis, a quality engineer at GitHub, explained.
“Going forward, we will continue to monitor the NVD feed and other sources, and will send alerts on any newly disclosed vulnerabilities in Python packages.”
For the feature to work on Python-based projects, developers must check in a requirements.txt or Pipfile.lock file in the repository. If the repository is private, an administrator must opt in to security alerts in the repository settings.
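To make the matching step concrete, here is an added example (not GitHub's own code, and not part of the original article) that reads a pinned requirements.txt and compares each dependency against a list of advisories, reporting the severity and fixed version the way an alert would. The requirements content, the advisory entries, their affected ranges, severities and "CVE-PLACEHOLDER" identifiers are all constructed for the example; the only assumption about the real service is the one the article states, that an alert fires when a repository uses an affected version of a dependency.

```python
import re

# Constructed requirements.txt content (not from the article): three pinned
# dependencies in the "name==version" form a dependency graph can read.
SAMPLE_REQUIREMENTS = """\
# web stack
django==1.11.0
requests==2.19.1
six==1.11.0  # inline comment
"""

# Constructed advisory list standing in for a vulnerability feed. Package
# names, fixed versions and severities are hypothetical; the identifiers are
# placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = [
    {"package": "django", "fixed_in": "1.11.15", "severity": "High",
     "id": "CVE-PLACEHOLDER-1"},
    {"package": "requests", "fixed_in": "2.20.0", "severity": "Moderate",
     "id": "CVE-PLACEHOLDER-2"},
]


def parse_version(text):
    """Turn '1.11.15' into (1, 11, 15) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirements(text):
    """Return {package: version} for every 'name==version' line.

    Comments, blank lines and unpinned specifiers (>=, ~=, bare names) are
    skipped: only an exact pin identifies the version actually in use.
    """
    pinned = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9.]*)$", line)
        if match:
            pinned[match.group(1).lower()] = match.group(2)
    return pinned


def find_alerts(pinned, advisories):
    """Report each pinned dependency whose version predates the fix."""
    alerts = []
    for adv in advisories:
        version = pinned.get(adv["package"].lower())
        if version is None:
            continue                          # project does not use it
        if parse_version(version) < parse_version(adv["fixed_in"]):
            alerts.append({
                "package": adv["package"],
                "installed": version,
                "fixed_in": adv["fixed_in"],
                "severity": adv["severity"],
                "id": adv["id"],
            })
    return alerts


if __name__ == "__main__":
    pins = parse_requirements(SAMPLE_REQUIREMENTS)
    for alert in find_alerts(pins, SAMPLE_ADVISORIES):
        print("[{severity}] {package} {installed} affected by {id}; "
              "upgrade to {fixed_in}".format(**alert))
```

The version comparison is deliberately simple (dotted integers only); real feeds describe affected ranges with richer specifiers, which is why a pinned lock file gives the most reliable match.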
GitHub hosts some 67 million code repositories. Over 75 percent of GitHub projects have dependencies. Python is the second most popular programming language on the popular Git repository hosting service.