Linux Foundation’s LFX Security project helps software projects secure their code

The Linux Foundation has enhanced its free LFX Security offering so open source projects can secure their code and reduce non-inclusive language.

The LFX platform hosts community tools for security, fundraising, community growth, project health, mentorship and more. It supports projects and empowers open source teams to write better, more secure code, drive engagement and grow sustainable ecosystems.

The LFX Security module now includes automatic scanning for secrets-in-code and non-inclusive language, adding to its existing comprehensive automated vulnerability detection capabilities. Software security firm BluBracket has contributed this functionality to open source software projects under LFX as part of its mission of making software safer and more secure. This functionality builds on contributions from Snyk, now making LFX the leading vulnerability detection platform for the open source community.

The need for a community-supported and freely available code scanning is clear, especially in light of recent attacks on core software projects and recent the White House Executive Order calling for improved software supply chain security. LFX is a community tool designed to make software projects of all kinds more secure and inclusive.

LFX Security now includes:

• Vulnerabilities detection: Detect vulnerabilities in open source components and dependencies and provide fixes and recommendations to those vulnerabilities. LFX tracks how many known vulnerabilities have been found in open source Projects, identifies if those vulnerabilities have been fixed in code commits and then reports on the number of fixes per project through an intuitive dashboard. Fixing known open source vulnerabilities in open source projects helps cleanse software supply chains at their source and greatly enhances the quality and security of code further downstream in development pipelines. Snyk has provided this functionality for the community and helped open source software projects remediate nearly 12,000 known security vulnerabilities in their code.
• Code secrets: Detect secrets-in-code such as passwords, credentials, keys and access tokens both pre- and post-commit. These secrets are used by hackers to gain entry into repositories and other important code infrastructure. BluBracket is the leading provider of secrets detection technology in the industry and has contributed these features to the Linux Foundation LFX community.
• Non-inclusive language: Detect non-inclusive language used in project code, which is a barrier in creating a welcoming and inclusive community. BluBracket worked with the Inclusive Naming Initiative on this functionality.

“The enhancement of LFX Security builds on its extensive functionality in vulnerability detection to add critical support for secrets-in-code and non-inclusive language,” said Jim Zemlin, executive director of the Linux Foundation. “It’s up to all of us to secure our software supply chain, and we are grateful to Snyk and BluBracket for their significant contributions to the open source community.”

“Securing our software supply chain has become the most critical task facing the software industry. We believe the Linux Foundation’s LFX security project is the absolute best way for critical software projects to secure their code. BluBracket is thrilled to provide key functionality to LFX Security, including offensive language detection and secrets scanning. These features are crucial for projects to be both safe and inclusive. We know that LFX Security will greatly enhance our software supply chain’s security, and we look forward to working with the community to keep code safe,” said Prakash Linga, Founder and CEO of BluBracket.

“With fortifying our global software supply chain more crucial than ever, we’re happy to contribute our developer security expertise and continue our support of the crucial work of the Linux Foundation,” said Jill Wilkins, Senior Director, Global Technical Alliances, Snyk. “By leveraging the LFX Community Platform, we’re proud to be part of an important effort that will help millions of developers worldwide to innovate securely.”

LFX Security will be further scaled out in 2022 to help solve challenges for hundreds of thousands of critical open source projects under the Open Source Security Foundation at Linux Foundation. LFX Security is free and available for use now.