The popular code repository hosting service GitHub continues its efforts to help its customers develop and maintain secure code.
“Ninety-nine percent of new software projects depend on open source code. This extensive code reuse helps everyone build better software faster than ever before, but it also puts us all at risk of distributing security vulnerabilities from our dependencies.” reads the announcement published by the company.
“Today, we’re excited to announce several new security features designed to make it easier for developers to secure their code.”
The new features are the result of a partnership with
GitHub also introduces a new tool, Dependency Insights, that helps enterprises analyze their dependencies and evaluate the level of exposure of their organizations.
“With dependency insights you can view vulnerabilities, licenses, and other important information for the open source projects your organization depends on.” states GitHub.
GitHub also announced the final version of its token scanning feature, which now supports more token formats (i.e. Alibaba Cloud, Mailgun, AWS, Azure, GitHub, Google Cloud, Slack, and Twilio) in order to catch tokens accidentally committed to public repositories.
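Token scanning of this kind can also be run locally before a push. The following is an added example, not GitHub's own detector: it walks the added lines of a unified diff (for instance the output of `git diff --cached`) and reports matches for two of the token families named above. The two regular expressions are illustrative approximations of the AWS access key ID and Slack token formats, and the diff is constructed sample input.

```python
import re

# Illustrative patterns for two token families mentioned in the article.
# These approximate the public formats and are NOT GitHub's own rules.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[bpoas]-[0-9A-Za-z-]{10,}\b"),
}

def redact(token):
    """Keep only the first and last four characters so the report itself does not leak the secret."""
    return token[:4] + "..." + token[-4:]

def scan_diff(diff_text):
    """Return (new_file_line_no, token_type, redacted_token) for every added line that contains a token."""
    findings = []
    line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++"):
            continue  # file header, not content
        if raw.startswith("@@"):
            # Hunk header: take the starting line number of the new file side.
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            line_no = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("-"):
            continue  # removed lines do not exist in the new file
        line_no += 1  # context (" ") and added ("+") lines both advance the new file
        if not raw.startswith("+"):
            continue
        for name, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(raw[1:]):
                findings.append((line_no, name, redact(m.group(0))))
    return findings

# Constructed sample diff; the AWS value is the documented example key, the Slack value is fake.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+SLACK_TOKEN = "xoxb-0000000000-000000000000-constructedfake"
 DEBUG = False
"""

if __name__ == "__main__":
    for line_no, kind, shown in scan_diff(SAMPLE_DIFF):
        print(f"line {line_no}: possible {kind} ({shown})")
```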
GitHub also announced that it has acquired and integrated Dependabot, which monitors dependencies for known security vulnerabilities and automatically opens pull requests to update them to the minimum required version.
GitHub has also introduced the beta version of maintainer security advisories, which provides a private space where open source project maintainers can discuss and patch vulnerabilities, and then publish security advisories.
The service also added support for a security policy, which lets maintainers reach users as they create new issues and inform them of the security policy they should follow.
In this way, a security policy defined for the entire organization could be applied automatically to every repository within the organization.
In addition, maintainers can now develop a security policy for individuals who want to report flaws found in their code. Organizations can also create one security policy that they can apply to all their repositories.
(SecurityAffairs – secure coding, GitHub)