GitHub smart security alerts: know of vulnerabilities in your projects
-
2836
-
0
-
0
-
0
A plenty of developers use third-party projects in their GitHub projects and might suffer dire consequences when possible security breaches in these dependencies are found. Meet the security alerts!
GitHub announced the introduction of a new feature, namely the security alerts, on the 16th of November, 2017. Being a further development of the dependency graphs introduced back in October, security alerts ensure a smart alert is raised each time a potential security vulnerability is found within any project your projects depend upon. The feature is currently supported in Javascript and Ruby, with Python support planned to arrive at the beginning of 2018.
Leveraging the benefits of GitHub security alerts
Security alerts can be enabled for all types of projects (both private and public) to keep the right team members informed at once.
The process of enabling and configuring the smart alerts is as follows:
- Enable the dependency graph notifications for your project. For the public projects, this is enabled from the get-go, while for the private ones the feature should be activated either in the settings of the repository or in the corresponding menu item of the Insights tab.
- Configure the notification recipient lists. The repo admins will be emailed with all alerts by default and can add multiple teams and/or individuals to be the recipients for certain kinds of notifications in the dependency graph configuration section.
- Choose the right alert response. Knowing of the vulnerability is good, being able to fix it at once is much better. The GitHub smart security alerts will include both the list of the vulnerable dependencies that need to be updated and a list of proposed stable and secure solutions for each case (if any are available). This list will be composed based on the GitHub team’s machine learning algorithms in place and the publicly available data on the topic.
This feature is based on using CVE IDs taken from the list at National Vulnerability Database, yet not all publicly described vulnerabilities have those as of today. However, as the security data troves will increase, more and more GitHub projects will be covered by the feature.
Stay in touch to receive the latest updates from the IT industry world and share this article if you found the news as awesome as we do!