
GitHub's latest security updates aim to protect projects in their earliest stages

The changes target vulnerabilities in the early stages of a project so they can't affect products further down the timeline

GitHub has made a number of improvements to its code-hosting platform this week aimed at identifying security issues in the early stages of a project.

The Microsoft-owned company announced on Wednesday that it will be adding new functionality to Dependabot, its tool for automatically detecting security vulnerabilities in project dependencies.

Dependabot currently alerts users when security vulnerabilities are found in existing project dependencies. The platform’s new dependency review action allows users to proactively stop vulnerable dependencies from being added to projects when the pull request is first made.

“When you add the dependency review action to your repository, it will scan your pull requests for dependency changes,” said GitHub in a blog post.

“Then, it will check the GitHub Advisory Database to see if any of the new dependencies have existing vulnerabilities. If they do, the action will raise an error so that you can see which dependency has a vulnerability and implement the fix with the contextual intelligence provided.”

The action is now available in beta from the GitHub Marketplace and is supported by a new API endpoint that compares the dependencies between any two revisions.
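The mechanism the two quoted paragraphs describe, as an added example that is not GitHub's own code: take the dependency manifest at the base revision and at the pull-request head, keep only what the PR introduces or re-pins, and look each of those up in an advisory database before the change is merged. The advisory records, package names and version ranges below are constructed for illustration, the manifest format is a plain `name==version` line per dependency rather than any real ecosystem's file, and the severity threshold is a parameter rather than anything the page specifies.

```python
"""Dependency review in the style described above (added example, not
GitHub's implementation). Advisory data, package names and manifests
are all constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first patched version (exclusive); "" if no fix yet
    severity: str
    advisory_id: str  # placeholder ids, not real advisory numbers

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return not self.fixed or v < parse_version(self.fixed)


# Constructed stand-in for the GitHub Advisory Database.
ADVISORIES: List[Advisory] = [
    Advisory("examplelog", "2.0.0", "2.17.1", "critical", "EXAMPLE-ADV-0001"),
    Advisory("leftpad-ish", "1.0.0", "", "low", "EXAMPLE-ADV-0002"),
]

SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}


def parse_manifest(text: str) -> Dict[str, str]:
    """'name==version' per line -> {name: version}; blanks and comments ignored."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps


def dependency_changes(base: Dict[str, str], head: Dict[str, str]) -> Dict[str, str]:
    """Dependencies the PR adds or re-pins (up- or downgrades). Removals need no review."""
    return {name: ver for name, ver in head.items() if base.get(name) != ver}


def review(base_manifest: str, head_manifest: str, fail_on: str = "high") -> List[dict]:
    """One finding per vulnerable new/changed dependency; blocks_merge is set
    when the advisory's severity reaches the fail_on threshold."""
    changed = dependency_changes(parse_manifest(base_manifest), parse_manifest(head_manifest))
    findings = []
    for name, version in changed.items():
        for adv in ADVISORIES:
            if adv.package == name and adv.affects(version):
                findings.append({
                    "package": name,
                    "version": version,
                    "advisory": adv.advisory_id,
                    "severity": adv.severity,
                    "fixed_in": adv.fixed or None,
                    "blocks_merge": SEVERITY_RANK[adv.severity] >= SEVERITY_RANK[fail_on],
                })
    return findings


# Constructed manifests: the PR downgrades examplelog into an affected
# range and adds a low-severity package; requests is unchanged.
BASE_MANIFEST = "requests==2.27.1\nexamplelog==2.17.1\n"
HEAD_MANIFEST = "requests==2.27.1\nexamplelog==2.14.0\nleftpad-ish==1.2.0\n"

if __name__ == "__main__":
    for f in review(BASE_MANIFEST, HEAD_MANIFEST):
        state = "BLOCK" if f["blocks_merge"] else "warn"
        print(f"{state}: {f['package']}=={f['version']} {f['advisory']} "
              f"({f['severity']}, fixed in {f['fixed_in']})")
```

Only the head-side differences are checked, which is the point of doing this at pull-request time: a package already present at the base revision is Dependabot's existing alerting job, while a newly introduced or re-pinned one can be refused before it ever lands in the default branch.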

Earlier this week, GitHub also announced an upgrade to its secret-scanning functionality that checks private projects for secrets that may be leaked or exposed to bad actors.

GitHub defines ‘secrets’ as credentials issued by service providers that carry a user's privileges, such as tokens and private keys. If someone with read access to a project can view one, they could use it to access the external service with that user's privileges.

GitHub Advanced Security users will now be able to prevent leaks of secrets from happening at the point of making the project public. GitHub will now scan for secrets before a git push is accepted.


“To date, GitHub has detected more than 700,000 secrets across thousands of private repositories using secret scanning for GitHub Advanced Security; GitHub also scans for our partner patterns across all public repositories for free,” said GitHub in a separate blog post.

“By scanning for highly identifiable secrets before they are committed, we can, together, shift security to being proactive instead of reactive and prevent secrets from leaking altogether.”

To avoid adversely affecting developer workflows, the new push protection capability will check only for high-confidence secrets, launching with 69 patterns in total, each chosen for a signal-to-noise ratio high enough to keep the false positives the feature generates to a minimum.

Enabling the secret scanning feature can be done with one click in the project's UI, or via the API.
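The push-time check described above, as an added example that is not GitHub's scanner: only the lines a push would add are examined, a small set of high-confidence patterns (fixed prefix plus fixed-length random body, or a PEM private-key header) blocks the push, and a noisier heuristic is reported without blocking, which is the trade-off the 69-pattern launch set reflects. The `exmpl_` token format, the sample diff and the pattern names are constructed and match no real provider; the PEM header is the standard format.

```python
"""Push-protection style secret scan over a unified diff (added example,
not GitHub's code). Token format, pattern set and sample diff are
constructed for illustration."""
import math
import re
from collections import Counter
from typing import List, NamedTuple


class Pattern(NamedTuple):
    name: str
    regex: "re.Pattern[str]"
    blocking: bool  # high confidence -> refuse the push; otherwise warn only


TOKEN_PREFIX = "exmpl_"  # constructed provider prefix

PATTERNS: List[Pattern] = [
    # Fixed prefix + fixed-length body is what makes a pattern high confidence.
    Pattern("example_provider_token",
            re.compile(r"\b" + TOKEN_PREFIX + r"[A-Za-z0-9]{32}\b"), True),
    # Start of a PEM-encoded private key: unambiguous, so also blocking.
    Pattern("pem_private_key",
            re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"), True),
    # Generic 'password = "..."' assignment: too noisy to block on.
    Pattern("generic_password_assignment",
            re.compile(r"(?i)password\s*[:=]\s*['\"][^'\"]{8,}['\"]"), False),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; a real random token body scores high, 'xxxx...' scores 0."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


class Finding(NamedTuple):
    diff_line: int   # 1-based line number within the diff text
    pattern: str
    blocking: bool


def scan_added_lines(diff: str, min_entropy: float = 3.0) -> List[Finding]:
    """Scan only '+' lines (what the push introduces). Removed and context lines
    are ignored. A token match whose body has low entropy, e.g. a documentation
    placeholder, is treated as not a secret to keep the false-positive rate down."""
    findings: List[Finding] = []
    for n, raw in enumerate(diff.splitlines(), 1):
        if raw.startswith("+++") or not raw.startswith("+"):
            continue
        line = raw[1:]
        for pat in PATTERNS:
            m = pat.regex.search(line)
            if not m:
                continue
            if pat.name == "example_provider_token":
                body = m.group(0)[len(TOKEN_PREFIX):]
                if shannon_entropy(body) < min_entropy:
                    continue  # placeholder-looking body, skip
            findings.append(Finding(n, pat.name, pat.blocking))
    return findings


def push_allowed(diff: str) -> bool:
    """The push is refused only on high-confidence findings."""
    return not any(f.blocking for f in scan_added_lines(diff))


# Constructed diff: a real-looking token, a documentation placeholder and a
# plain password assignment are all added in one push.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-API_TOKEN = os.environ["API_TOKEN"]
+API_TOKEN = "exmpl_Qm7kT2vX9pLa4RbW8nYc0JdE5fGhU1sZ"
+DOCS_EXAMPLE = "exmpl_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+DB_PASSWORD = "correct horse battery staple"
"""

if __name__ == "__main__":
    for f in scan_added_lines(SAMPLE_DIFF):
        print(f"line {f.diff_line}: {f.pattern} {'(blocking)' if f.blocking else '(warn)'}")
    print("push allowed:", push_allowed(SAMPLE_DIFF))
```

The placeholder on the `DOCS_EXAMPLE` line matches the token regex but is dropped by the entropy check, and the password assignment is reported without blocking; only the high-entropy provider token refuses the push.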

The latest features implemented by GitHub come amid a consistent innovation drive at the company to improve the developer experience, particularly when it comes to security.

Over the past few months, GitHub has introduced a number of security improvements that aim to stamp out security vulnerabilities in open source code.

In February this year, GitHub launched a code-scanning tool specifically for JavaScript and TypeScript projects, allowing developers to scan for the most common threats affecting products written in the popular languages as early as possible.

The company also opened up its security Advisory Database, on which the new Dependabot feature relies, for submissions from independent security researchers, academics, and enthusiasts to bolster the bank of security issues developers can check their projects against.

Vulnerabilities in open source code have been a particularly prominent topic in cyber security over the past year, with Log4Shell and Spring4Shell dominating the headlines in recent weeks.
