May 29, 2019 (updated 20 Jul 2022 10:43am)

You Can Now Auto-Update Your GitHub Repos to Avoid Code Vulnerabilities

Welcome new function comes a week after Dependabot acquisition

By CBR Staff Writer

GitHub has enabled automatic security updates for known vulnerable open source dependencies in user repositories, a feature warmly welcomed by users.

The move comes just a week after the Microsoft-owned company bought Dependabot, which powers the functionality: integration has been rapid.

The automated fixes are available in repos that use the dependency graph.

When permissioned to do so, GitHub automatically creates a pull request in a user's repository. Users can also choose to create pull requests to upgrade dependencies manually, only when they choose to, in case a fix is going to break code elsewhere.

The fixes are opened by the Dependabot GitHub App, which is automatically installed on every repository where automated security fixes are enabled.

The GitHub automatic security updates come a week after the company also added WhiteSource data to its security vulnerability alerts system.

GitHub now uses MITRE’s Common Vulnerabilities and Exposures (CVE) List, code maintainer security advisories, a combination of machine learning and human review and data from WhiteSource to raise security alerts.

(WhiteSource is a New York-based open source software security specialist).

Since launching its security alerts system as a beta in 2017, GitHub sent almost 27 million security alerts for vulnerable dependencies in .NET, Java, JavaScript, Python and Ruby, the company said, adding: “Our new partnership with WhiteSource data broadens our coverage of potential security vulnerabilities in open source projects and provides increased detail to assess and remediate vulnerabilities.”
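The workflow the article describes (match a repository's pinned dependencies against an advisory feed, raise an alert for each vulnerable pin, and propose the upgrade that an automated pull request would carry) can be illustrated with a small matcher. The code below is an added example and is not GitHub's or Dependabot's code; the advisory feed, advisory ids, package names and the requirements manifest are all constructed for the illustration, and the version parser is a deliberate simplification that handles dotted numeric versions only.

```python
"""Toy dependency-advisory matcher (added illustration, not GitHub's or Dependabot's code).

It mimics the workflow described above: a pinned manifest is compared against
an advisory feed, an alert is raised for every vulnerable pin, and an upgraded
manifest (the content an automated security-fix pull request would carry) is
produced. All advisory and manifest data here is constructed for the example.
"""
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    # Simplifying assumption: dotted numeric versions only (e.g. "2.0.3").
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    vulnerable_below: str  # every version strictly below this is affected
    fixed_version: str     # the version an upgrade PR should pin


@dataclass(frozen=True)
class Alert:
    advisory_id: str
    package: str
    installed: str
    upgrade_to: str


# Constructed advisory feed; the ids are placeholders, not real CVE/GHSA numbers.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "examplelib", "2.1.0", "2.1.0"),
    Advisory("ADV-EXAMPLE-2", "otherlib", "0.9.5", "0.9.5"),
]


def parse_requirements(text: str) -> dict:
    """Parse pinned 'name==version' lines; comments and blank lines are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:
            # An unpinned dependency cannot be assessed against a version range.
            raise ValueError(f"unpinned dependency, cannot assess: {line}")
        pins[name.strip().lower()] = version.strip()
    return pins


def find_alerts(pins: dict, advisories=ADVISORIES) -> list:
    """Raise an alert for each pin whose version is below the advisory's fixed version."""
    alerts = []
    for adv in advisories:
        installed = pins.get(adv.package.lower())
        if installed is None:
            continue  # package not used by this repository
        if parse_version(installed) < parse_version(adv.vulnerable_below):
            alerts.append(Alert(adv.advisory_id, adv.package, installed, adv.fixed_version))
    return alerts


def propose_upgrade(manifest: str, alerts: list) -> str:
    """Rewrite the manifest with the fixed versions, leaving unaffected lines untouched."""
    upgrades = {a.package.lower(): a.upgrade_to for a in alerts}
    out = []
    for line in manifest.splitlines():
        name, sep, _ = line.partition("==")
        key = name.strip().lower()
        if sep and key in upgrades:
            out.append(f"{name.strip()}=={upgrades[key]}")
        else:
            out.append(line)
    return "\n".join(out)


# Constructed sample manifest: one vulnerable pin, one already-fixed pin, one unlisted package.
SAMPLE_REQUIREMENTS = """\
examplelib==2.0.3
otherlib==1.0.0
safelib==3.4.1  # no advisory for this one
"""

if __name__ == "__main__":
    pins = parse_requirements(SAMPLE_REQUIREMENTS)
    alerts = find_alerts(pins)
    for alert in alerts:
        print(f"{alert.advisory_id}: {alert.package} {alert.installed} -> upgrade to {alert.upgrade_to}")
    print(propose_upgrade(SAMPLE_REQUIREMENTS, alerts))
```

Running it reports one alert (examplelib 2.0.3 is below the fixed 2.1.0) and prints the manifest with that single pin bumped; otherlib at 1.0.0 already sits above its advisory's fixed version, so it is left alone, which is the reason a version-range comparison rather than a plain name match is needed.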


The releases come amid growing concern about open source security, including malicious open source library “trust attacks” involving the intentional contribution of malicious code into widely used but not robustly maintained libraries.
