GitHub is one of the largest places where millions of developers collaborate and help each other in making a wonderful world of open-source software. It’s because of GitHub that we’re enjoying a number of awesome, open-source products – different Linux distros and a ton of free, powerful and useful software. Recently, GitHub has improved a step ahead. Now, there is support of security alert for Python projects.
GitHub security alert
If you’re a developer on GitHub, it’s highly likely that your project uses dependencies – help of other programs to perform different tasks. Dependencies are useful in extending the feature of an existing program without much effort. That being said, whenever users are going to use your software, they have to install that dependency alongside the main program.
If the dependencies are vulnerable or outdated, it can cause some serious trouble for the users. In some crucial cases, those vulnerabilities may let hackers to compromise the system. That’s why it’s important that all the dependencies on the project are up-to-date.
GitHub security is there to perform the job for you. When enabled, GitHub keeps a record of all the used dependencies on the project and lets the dev(s) know when it’s urgent to update the used dependencies.
Security alerts for Python projects
As you can see in the demonstration, GitHub is showing notification for updating the faulty dependency. It’s up to the dev to take the final decision whether to update or ditch that part.
Positive impact on the community
Since the starting of the facility, there have obviously been improvements in terms of security. As GitHub posted officially,
By December 1 and shortly after we launched, over 450,000 identified vulnerabilities were resolved by repository owners either removing the dependency or changing to a secure version. Since then, our rate of vulnerabilities resolved in the first seven days of detection has been about 30 percent. Additionally, 15 percent of alerts are dismissed within seven days—that means nearly half of all alerts are responded to within a week. Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days
That suffices to say that the facility addition has surely seen success. GitHub has already enabled it by default for all the open-source projects on the platform. That’s another major reason why the step was successful.
However, it’s important to keep in mind that all the vulnerable dependencies will be identified depending on the CVE reports. It means that if there is no CVE report on a particular dependency, it won’t show any notification on that. GitHub pulls the data from the NVD portal. If the vulnerability information is not there, GitHub won’t notify as well. That’s why devs should keep their dependencies up-to-date all the time possible for the best chance of avoiding any vulnerability presence.
The next language support for this alert system is not announced yet. But I highly suspect that .NET projects are the next candidate. Microsoft has recently purchased GitHub. Moreover, the popularity of the development environment is gaining more popularity and utilizes a lot of manifest files.